SUSE-IU-2025:1504-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:1504-1 Interim 1 1 2025-12-07T16:01:30Z current 2025-06-09T01:00:00Z 2025-06-09T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:1504-1 / google/sle-hpc-15-sp6-byos-v20250609-x86-64 This image update for google/sle-hpc-15-sp6-byos-v20250609-x86-64 contains the following changes: Package aaa_base was updated: - Add patch git-51-fbf7ee9dc9cd970532a54eed6472d7f3b0e7f431.patch * If a user switches the login shell respect the already set PATH environment (bsc#1235481) - add patch aaa_base-rc.status.patch (bsc#1236033) (no git, file is gone in factory/tumbleweed) update detection for systemd in rc.status, mountpoint for cgroup changed with cgroup2, so just check if pid 1 is systemd Package apparmor was updated: - Add dac_read_search capability for unix_chkpwd to allow it to read the shadow file even if it has 000 permissions. This is needed after the CVE-2024-10041 fix in PAM. * unix-chkpwd-add-read-capability.path, bsc#1241678 - Allow pam_unix to execute unix_chkpwd with abi/3.0 - remove dovecot-unix_chkpwd.diff - Add allow-pam_unix-to-execute-unix_chkpwd.patch - Add revert-abi-change-for-unix_chkpwd.patch (bsc#1234452, bsc#1232234) Package augeas was updated: - Add patch, fix for bsc#1239909 / CVE-2025-2588: * CVE-2025-2588.patch Package ca-certificates-mozilla was updated: - revert the distrusted certs for now. originally these only distrust &quot;new issued&quot; certs starting after a certain date, while old certs should still work. (bsc#1240343) - remove-distrusted.patch: removed Package cifs-utils was updated: - CVE-2025-2312: cifs-utils: cifs.upcall makes an upcall to the wrong namespace in containerized environments while trying to get Kerberos credentials (bsc#1239680) * add New-mount-option-for-cifs.upcall-namespace-reso.patch Package cloud-netconfig was updated: - Update to version 1.15 + Add support for creating IPv6 default route in GCE (bsc#1240869) + Minor fix when looking up IPv6 default route Package cloud-regionsrv-client was updated: - Update version to 10.4.0 + Remove repositories when the package is being removed We do not want to leave repositories behind refering to the plugin that is being removed when the package gets removed (bsc#1240310, bsc#1240311) + Turn docker into an optional setup (jsc#PCT-560) Change the Requires into a Recommends and adapt the code accordingly + Support flexible licenses in GCE (jsc#PCT-531) + Drop the azure-addon package it is geting replaced by the license-watcher package which has a generic implementation of the same functionality. + Handle cache inconsistencies (bsc#1218345) + Properly handle the zypper root target argument (bsc#1240997) Package containerd was updated: - Update to containerd v1.7.27. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.27&gt; bsc#1239749 CVE-2024-40635 - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.26. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.26&gt; - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch - Update to containerd v1.7.25. Upstream release notes: &lt;https://github.com/containerd/containerd/releases/tag/v1.7.25&gt; &lt;https://github.com/containerd/containerd/releases/tag/v1.7.24&gt; - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch Package lvm2 was updated: - LVM filter behaves unexpectedly for MPIO devices in SLES15SP5 (bsc#1216938) * set lvm.conf devices.multipath_wwids_file=&quot;&quot; Package glib2 was updated: - Add glib2-CVE-2025-3360.patch: Backport 8d60d7dc from upstream, Fix integer overflow when parsing very long ISO8601 inputs. This will only happen with invalid (or maliciously invalid) potential ISO8601 strings, but `g_date_time_new_from_iso8601()` needs to be robust against that. (CVE-2025-3360, bsc#1240897) Package glibc was updated: - static-setuid-ld-library-path.patch: elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static (CVE-2025-4802, bsc#1243317) - Add support for userspace livepatching for ppc64le (jsc#PED-11850) - pthread-wakeup.patch: pthreads NPTL: lost wakeup fix 2 (bsc#1234128, BZ [#25847]) - Mark functions in libc_nonshared.a as hidden (bsc#1239883) - Bump minimal kernel version to 4.3 to enable use of direct socketcalls on x86-32 and s390x (bsc#1234713) Package google-guest-agent was updated: - Update to version 20250506.01 (bsc#1243254, bsc#1243505) * Make sure agent added connections are activated by NM (#534) - from version 20250506.00 * wrap NSS cache refresh in a goroutine (#533) - from version 20250502.01 * Wicked: Only reload interfaces for which configurations are written or changed. (#524) - from version 20250502.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert &quot;oslogin: Correctly handle newlines at the end of modified files (#520)&quot; (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511) - from version 20250418.00 * Re-enable disabled services if the core plugin was enabled (#521) - from version 20250414.00 * Add AuthorizedKeysCompat to windows packaging (#530) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert &quot;oslogin: Correctly handle newlines at the end of modified files (#520)&quot; (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511) Package grub2 was updated: - Fix CVE-2025-4382: TPM auto-decryption data exposure (bsc#1242971) * 0001-kern-rescue_reader-Block-the-rescue-mode-until-the-C.patch * 0002-commands-search-Introduce-the-cryptodisk-only-argume.patch * 0003-disk-diskfilter-Introduce-the-cryptocheck-command.patch * 0004-commands-search-Add-the-diskfilter-support.patch * 0005-docs-Document-available-crypto-disks-checks.patch * 0006-disk-cryptodisk-Add-the-erase-secrets-function.patch * 0007-disk-cryptodisk-Wipe-the-passphrase-from-memory.patch * 0008-cryptocheck-Add-quiet-option.patch - patch rebased * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch * 0004-Key-revocation-on-out-of-bound-file-access.patch - patch refrehed * 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch - Refresh PPC NVMEoF ofpath related patches to newer revision * 0002-ieee1275-ofpath-enable-NVMeoF-logical-device-transla.patch - Patch refreshed * 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch - Patch obsoleted * 0004-ofpath-controller-name-update.patch * 0001-squash-ieee1275-ofpath-enable-NVMeoF-logical-device-.patch - Fix segmentation fault error in grub2-probe with target=hints_string (bsc#1235971) (bsc#1235958) (bsc#1239651) * 0001-ofpath-Add-error-check-in-NVMEoF-device-translation.patch Package hwinfo was updated: - merge gh#openSUSE/hwinfo#156- fix network card detection on aarch64 (bsc#1240648) - 21.88 Package iproute2 was updated: - avoid spurious cgroup warning (bsc#1234383): - ss-Tone-down-cgroup-path-resolution.patch Package iputils was updated: - Security fix [bsc#1242300, CVE-2025-47268] * integer overflow in RTT calculation can lead to undefined behavior * Add iputils-CVE-2025-47268.patch Package kbd was updated: - Don't search for resources in the current directory. It can cause unwanted side effects or even infinite loop (bsc#1237230, kbd-ignore-working-directory-1.patch, kbd-ignore-working-directory-2.patch, kbd-ignore-working-directory-3.patch). Package kernel-default was updated: - dm: fix copying after src array boundaries (git-fixes).- commit 10c16a9 - dm: add missing unlock on in dm_keyslot_evict() (git-fixes). - commit a94a8c2 - codel: remove sch-&gt;q.qlen check before qdisc_tree_reduce_backlog() (CVE-2025-37798 bsc#1242414). - commit 8fb5816 - Update patches.suse/net-smc-initialize-close_work-early-to-avoid-warning.patch (CVE-2024-56641 bsc#1235526 bsc#1242985). - commit d393a0f - mptcp: fix NULL pointer in can_accept_new_subflow (CVE-2025-23145 bsc#1242596). - mptcp: relax check on MPC passive fallback (git-fixes). - mptcp: refine opt_mp_capable determination (git-fixes). - mptcp: use OPTION_MPTCP_MPJ_SYN in subflow_check_req() (git-fixes). - mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() (git-fixes CVE-2024-35840 bsc#1224597). - mptcp: strict validation before using mp_opt-&gt;hmac (git-fixes). - commit b0b581d - mptcp: mptcp_parse_option() fix for MPTCPOPT_MP_JOIN (git-fixes). - blacklist.conf: - remove the entry for commit be1d9d9d38da which was blacklisted as not needed because of absence of this backport - commit 07c39d4 - ax25: Remove broken autobind (CVE-2025-22109 bsc#1241573). - commit 9a9abc7 - udp: Fix memory accounting leak (CVE-2025-22058 bsc#1241332). - commit 6a0c03a - perf: arm_cspmu: nvidia: monitor all ports by default (bsc#1242172) - commit bf5ce56 - perf: arm_cspmu: nvidia: enable NVLINK-C2C port filtering (bsc#1242172) - commit d976f98 - perf: arm_cspmu: nvidia: fix sysfs path in the kernel doc (bsc#1242172) - commit bcf5e61 - perf: arm_cspmu: nvidia: remove unsupported SCF events (bsc#1242172) - commit 4647012 - x86/ibt: Keep IBT disabled during alternative patching (bsc#1242006 CVE-2024-28956). - commit fac02ba - x86/its: Align RETs in BHB clear sequence to avoid thunking (bsc#1242006 CVE-2024-28956). - commit 909407f - x86/its: Add support for RSB stuffing mitigation (bsc#1242006 CVE-2024-28956). - commit 42d05af - x86/its: Add &quot;vmexit&quot; option to skip mitigation on some CPUs (bsc#1242006 CVE-2024-28956). - commit cefce67 - x86/its: Enable Indirect Target Selection mitigation (bsc#1242006 CVE-2024-28956). - commit 6720dce - x86/its: Add support for ITS-safe return thunk (bsc#1242006 CVE-2024-28956). - commit b904ebb - watch_queue: fix pipe accounting mismatch (CVE-2025-23138 bsc#1241648). - commit 53d2fbb - x86/its: Add support for ITS-safe indirect thunk (bsc#1242006 CVE-2024-28956). - commit 73d0713 - x86/its: Enumerate Indirect Target Selection (ITS) bug (bsc#1242006 CVE-2024-28956). - commit 0ceddfb - Documentation: x86/bugs/its: Add ITS documentation (bsc#1242006 CVE-2024-28956). - commit 8fd974a - vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (CVE-2025-37799 bsc#1242283). - commit f53c65a - btrfs: always fallback to buffered write if the inode requires checksum (bsc#1242831 bsc#1242710). - commit fd92bec - x86/bhi: Do not set BHI_DIS_S in 32-bit mode (bsc#1242778). - x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778). - x86/bpf: Call branch history clearing sequence on exit (bsc#1242778). - commit 7613146 - jbd2: increase IO priority for writing revoke records (bsc#1242332). - commit a27757f - Bluetooth: btnxpuart: Fix kernel panic during FW release (bsc#1241456 CVE-2025-22102). - commit 9e6b312 - Bluetooth: btnxpuart: Remove check for CTS low after FW download (bsc#1241456 CVE-2025-22102). - commit 43b7feb - firmware: arm_ffa: Skip Rx buffer ownership release if not acquired (git-fixes). - firmware: arm_scmi: Balance device refcount when destroying devices (git-fixes). - commit e6126fe - ext4: goto right label 'out_mmap_sem' in ext4_setattr() (bsc#1242556). - commit f73dc04 - mm: fix filemap_get_folios_contig returning batches of identical folios (bsc#1242327). - commit ab60c72 - mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT (bsc#1242326). - commit eefd306 - mm/readahead: fix large folio support in async readahead (bsc#1242321). - commit ca8ae9b - mm: fix oops when filemap_map_pmd() without prealloc_pte (bsc#1242546). - commit d84ed9f - udf: Fix inode_getblk() return value (bsc#1242313). - commit 083cf55 - udf: Verify inode link counts before performing rename (bsc#1242314). - commit 8e7cda1 - udf: Skip parent dir link count update if corrupted (bsc#1242315). - commit 94318f0 - ext4: fix FS_IOC_GETFSMAP handling (bsc#1240557). - commit 531b964 - ext4: make block validity check resistent to sb bh corruption (bsc#1242348). - commit 12e4947 - ext4: don't treat fhandle lookup of ea_inode as FS corruption (bsc#1242347). - commit 3337bde - jbd2: add a missing data flush during file and fs synchronization (bsc#1242346). - commit 0ebdf6c - ext4: don't over-report free space or inodes in statvfs (bsc#1242345). - commit c197ee4 - jbd2: fix off-by-one while erasing journal (bsc#1242344). - commit 362ca97 - jbd2: remove wrong sb-&gt;s_sequence check (bsc#1242343). - commit b288b9a - ext4: add missing brelse() for bh2 in ext4_dx_add_entry() (bsc#1242342). - commit 8643d9f - ext4: protect ext4_release_dquot against freezing (bsc#1242335). - commit 532c985 - jbd2: flush filesystem device before updating tail sequence (bsc#1242333). - commit 79495ff - ext4: partial zero eof block on unaligned inode size extension (bsc#1242336). - commit 992adfb - ext4: correct encrypted dentry name hash when not casefolded (bsc#1242540). - commit 71bfc00 - ext4: treat end of range as exclusive in ext4_zero_range() (bsc#1242539). - commit 8950964 - ext4: unify the type of flexbg_size to unsigned int (bsc#1242538). Refresh: patches.suse/ext4-avoid-online-resizing-failures-due-to-oversized.patch - commit 9b599f9 - jbd2: increase the journal IO's priority (bsc#1242537). - commit 65fd6c7 - ext4: replace the traditional ternary conditional operator with with max()/min() (bsc#1242536). Refresh patches.suse/ext4-move-setting-of-trimmed-bit-into-ext4_try_to_tr.patch Refresh patches.suse/ext4-fix-inconsistent-between-segment-fstrim-and-ful.patch - commit 9de0d03 - splice: remove duplicate noinline from pipe_clear_nowait (bsc#1242328). - commit 8a9c110 - fs: consistently deref the files table with rcu_dereference_raw() (bsc#1242535). - commit 0f7e4fb - fs: support relative paths with FSCONFIG_SET_STRING (git-fixes). - commit 51930da - vfs: don't mod negative dentry count when on shrinker list (bsc#1242534). - commit 25c9c4a - fs: better handle deep ancestor chains in is_subdir() (bsc#1242528). Refresh patches.suse/dcache-keep-dentry_hashtable-or-d_hash_shift-even-when-not.patch - commit 42bc37f - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT (bsc#1242526). - commit 08659e8 - isofs: fix KMSAN uninit-value bug in do_isofs_readdir() (bsc#1242307). - commit 08eabe6 - Update patches.suse/OPP-add-index-check-to-assert-to-avoid-buffer-overfl.patch (bsc#1238961 CVE-2024-57998 bsc#1238527). - Update patches.suse/PCI-ASPM-Fix-link-state-exit-during-switch-upstream-.patch (git-fixes CVE-2024-58093 bsc#1241347). - Update patches.suse/RDMA-erdma-Prevent-use-after-free-in-erdma_accept_ne.patch (git-fixes CVE-2025-22088 bsc#1241528). - Update patches.suse/RDMA-mlx5-Fix-mlx5_poll_one-cur_qp-update-flow.patch (git-fixes CVE-2025-22086 bsc#1241458). - Update patches.suse/acpi-nfit-fix-narrowing-conversion-in-acpi_nfit_ctl.patch (git-fixes CVE-2025-22044 bsc#1241424). - Update patches.suse/arm64-Don-t-call-NULL-in-do_compat_alignment_fixup.patch (git-fixes CVE-2025-22033 bsc#1241436). - Update patches.suse/bnxt_en-Mask-the-bd_cnt-field-in-the-TX-BD-properly.patch (git-fixes CVE-2025-22108 bsc#1241574). - Update patches.suse/bpf-avoid-holding-freeze_mutex-during-mmap-operation.patch (git-fixes CVE-2025-21853 bsc#1239476). - Update patches.suse/dlm-prevent-NPD-when-writing-a-positive-value-to-event_done.patch (git-fixes CVE-2025-23131 bsc#1241601). - Update patches.suse/drm-amd-display-avoid-NPD-when-ASIC-does-not-support.patch (git-fixes CVE-2025-22093 bsc#1241545). - Update patches.suse/drm-vkms-Fix-use-after-free-and-double-free-on-init-.patch (git-fixes CVE-2025-22097 bsc#1241541). - Update patches.suse/fou-fix-initialization-of-grc.patch (CVE-2024-46763 bsc#1230764 CVE-2024-46865 bsc#1231103). - Update patches.suse/idpf-check-error-for-register_netdev-on-init.patch (git-fixes CVE-2025-22116 bsc#1241459). - Update patches.suse/idpf-fix-adapter-NULL-pointer-dereference-on-reboot.patch (git-fixes CVE-2025-22065 bsc#1241333). - Update patches.suse/jfs-add-check-read-only-before-truncation-in-jfs_truncate_nolock.patch (git-fixes CVE-2024-58094 bsc#1241443). - Update patches.suse/jfs-add-check-read-only-before-txBeginAnon-call.patch (git-fixes CVE-2024-58095 bsc#1241442). - Update patches.suse/media-streamzap-fix-race-between-device-disconnectio.patch (git-fixes CVE-2025-22027 bsc#1241369). - Update patches.suse/net-Add-rx_skb-of-kfree_skb-to-raw_tp_null_args.patch (bsc#1235501 CVE-2024-56702 CVE-2025-21852 bsc#1239487). - Update patches.suse/netfilter-br_netfilter-skip-conntrack-input-hook-for.patch (CVE-2024-27415 bsc#1224757 CVE-2024-27018 bsc#1223809). - Update patches.suse/nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch (git-fixes CVE-2025-22025 bsc#1241361). - Update patches.suse/ntb_hw_switchtec-Fix-shift-out-of-bounds-in-switchte.patch (git-fixes CVE-2023-53034 bsc#1241341). - Update patches.suse/ocfs2-handle-a-symlink-read-error-correctly.patch (git-fixes CVE-2024-58001 bsc#1239079). - Update patches.suse/rtnetlink-Allocate-vfinfo-size-for-VF-GUIDs-when-sup.patch (bsc#1224013 CVE-2025-22075 bsc#1241402). - Update patches.suse/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch (git-fixes CVE-2025-22062 bsc#1241412). - Update patches.suse/tcp-fix-mptcp-DSS-corruption-due-to-large-pmtu-xmit.patch (git-fixes CVE-2024-50083 bsc#1232493). - Update patches.suse/thermal-int340x-Add-NULL-check-for-adev.patch (git-fixes CVE-2025-23136 bsc#1241357). - Update patches.suse/usbnet-fix-NPE-during-rx_complete.patch (git-fixes CVE-2025-22050 bsc#1241441). - Update patches.suse/wifi-ath11k-Clear-affinity-hint-before-calling-ath11.patch (git-fixes CVE-2025-23129 bsc#1241599). - Update patches.suse/wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-mo.patch (git-fixes CVE-2024-58096 bsc#1241344). - Update patches.suse/wifi-ath11k-fix-RCU-stall-while-reaping-monitor-dest.patch (git-fixes CVE-2024-58097 bsc#1241343). - Update patches.suse/wifi-ath12k-Clear-affinity-hint-before-calling-ath12.patch (git-fixes CVE-2025-22128 bsc#1241598). - commit a961a1a - cifs: Fix integer overflow while processing actimeo mount option (git-fixes). - commit 747d942 - iommu: Fix two issues in iommu_copy_struct_from_user() (git-fixes). - commit 7b79fa9 - cifs: Fix integer overflow while processing acdirmax mount option (CVE-2025-21963 bsc#1240717). - commit 5907e46 - cifs: Fix integer overflow while processing acregmax mount option (CVE-2025-21964 bsc#1240740). - commit a723b7b - cifs: Fix integer overflow while processing closetimeo mount option (CVE-2025-21962 bsc#1240655). - commit 03a43b4 - mptcp: consolidate suboption status (CVE-2025-21707 bsc#1238862). - commit 18d9efe - powerpc: Don't use --- in kernel logs (git-fixes). - commit df3b280 - tools/hv: update route parsing in kvp daemon (git-fixes). - commit 2e81126 - bpf: Fix bpf_sk_select_reuseport() memory leak (bsc#1236704 CVE-2025-21683). - commit e163503 - i2c: imx-lpi2c: Fix clock count when probe defers (git-fixes). - ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence (git-fixes). - ALSA: hda/realtek: Fix built-mic regression on other ASUS models (git-fixes). - ALSA: hda/realtek - Enable speaker for HP platform (git-fixes). - commit 5b6152a - spi: tegra114: Don't fail set_cs_timing when delays are zero (git-fixes). - drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' (git-fixes). - drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS (git-fixes). - drm/fdinfo: Protect against driver unbind (git-fixes). - drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (git-fixes). - drm/amd/display: Force full update in gpu reset (stable-fixes). - ata: libata-scsi: Improve CDL control (git-fixes). - ata: libata-scsi: Fix ata_msense_control_ata_feature() (git-fixes). - ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type (git-fixes). - USB: serial: simple: add OWON HDS200 series oscilloscope support (stable-fixes). - USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe (stable-fixes). - USB: serial: option: add Sierra Wireless EM9291 (stable-fixes). - usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive (stable-fixes). - USB: VLI disk crashes if LPM is used (stable-fixes). - USB: storage: quirk for ADATA Portable HDD CH94 (stable-fixes). - usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive (stable-fixes). - USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) (stable-fixes). - mei: me: add panther lake H DID (stable-fixes). - spi: tegra210-quad: add rate limiting and simplify timeout error message (stable-fixes). - spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts (stable-fixes). - ACPI: EC: Set ec_no_wakeup for Lenovo Go S (stable-fixes). - ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls (stable-fixes). - ntb_hw_amd: Add NTB PCI ID for new gen CPU (stable-fixes). - ntb: reduce stack usage in idt_scan_mws (stable-fixes). - rtc: pcf85063: do a SW reset if POR failed (stable-fixes). - thunderbolt: Scan retimers after device router has been enumerated (stable-fixes). - usb: host: xhci-plat: mvebu: use -&gt;quirks instead of - &gt;init_quirk() func (stable-fixes). - usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() (stable-fixes). - usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield (stable-fixes). - usb: dwc3: gadget: Refactor loop to avoid NULL endpoints (stable-fixes). - usb: host: max3421-hcd: Add missing spi_device_id table (stable-fixes). - sound/virtio: Fix cancel_sync warnings on uninitialized work_structs (stable-fixes). - dmaengine: dmatest: Fix dmatest waiting less when interrupted (stable-fixes). - iio: adc: ad7768-1: Fix conversion result sign (git-fixes). - iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check (stable-fixes). - pinctrl: renesas: rza2: Fix potential NULL pointer dereference (stable-fixes). - crypto: ccp - Add support for PCI device 0x1134 (stable-fixes). - auxdisplay: hd44780: Fix an API misuse in hd44780.c (git-fixes). - auxdisplay: hd44780: Convert to platform remove callback returning void (stable-fixes). - commit fe3cf03 - net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (CVE-2025-22107 bsc#1241575) - commit 673084b - ibmvnic: Use kernel helpers for hex dumps (CVE-2025-22104 bsc#1241550) - commit 44ef4eb - dm: always update the array size in realloc_argv on success (git-fixes). - commit 80e573b - dm-bufio: don't schedule in atomic context (git-fixes). - commit 59b9988 - dm-ebs: fix prefetch-vs-suspend race (git-fixes). - commit 89effad - dm-verity: fix prefetch-vs-suspend race (git-fixes). - commit 6899d31 - dm-integrity: set ti-&gt;error on memory allocation failure (git-fixes). - commit 3c1b2c7 - netfilter: nf_tables: don't unregister hook when table is dormant (CVE-2025-22064 bsc#1241413). - commit 3c82332 - net: ipv6: fix UDPv6 GSO segmentation with NAT (git-fixes). - commit a110462 - net_sched: qfq: Fix double list add in class with netem as child qdisc (git-fixes). - commit 8e1bbd0 - net_sched: ets: Fix double list add in class with netem as child qdisc (git-fixes). - commit 2e9fa99 - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (git-fixes). - commit 3f5a489 - net_sched: drr: Fix double list add in class with netem as child qdisc (git-fixes). - commit 4947830 - ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt (CVE-2025-21792 bsc#1238745). - commit 2ffce83 - ipv6: mcast: add RCU protection to mld_newpack() (CVE-2025-21758 bsc#1238737). - commit 4b8b3e5 - Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() (git-fixes). - wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (git-fixes). - wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release (git-fixes). - commit 470cfc0 - net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels (CVE-2025-21768 bsc#1238714). - commit ed713b9 - kABI workaround struct rcu_head and ax25_ptr (CVE-2025-21812 bsc#1238471). - commit 714a2d7 - btrfs: fix block group refcount race in btrfs_create_pending_block_groups() (bsc#1241578 CVE-2025-22115). - commit 1f7a10d - Refresh patches.kabi/kabi-fix-for-bpf-Prevent-tailcall-infinite-loop-caus.patch. Piggyback kABI workaround for &quot;struct bpf_subprog_info&quot; for upstream commit 51081a3f25c7 &quot;bpf: track changes_pkt_data property for global functions&quot;. - commit bf7c4bc - Add missing bugzilla references (CVE-2025-22105 bsc#1241548 CVE-2025-37860 bsc#1241452) - commit 00ec2e2 - atm: Fix NULL pointer dereference (CVE-2025-22018 bsc#1241266) - commit 8ef48c7 - bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT (CVE-2024-58070 bsc#1238983) - commit 335e132 - iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (CVE-2025-21833, bsc#1239108). - commit 069abee - sfc: fix NULL dereferences in ef100_process_design_param() (CVE-2025-37860). - net: mvpp2: Prevent parser TCAM memory corruption (CVE-2025-22060 bsc#1241526). - bonding: check xdp prog when set bond mode (CVE-2025-22105). - bonding: return detailed error when loading native XDP fails (CVE-2025-22105). - commit 1110c2d - ALSA: ump: Fix buffer overflow at UMP SysEx message conversion (bsc#1242044). - commit 43160c9 - Correct the upsteram version numbers in the previous patches - commit 6f72baf - mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe (git-fixes). - platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug (git-fixes). - commit f912ebf - Require zstd in kernel-default-devel when module compression is zstd To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides. Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82 - commit a3262dd - net: ibmveth: make veth_pool_store stop hanging (CVE-2025-22053 bsc#1241373). - commit 509c07e - powerpc/boot: Fix dash warning (bsc#1215199). - commit aeb4455 - exec: fix the racy usage of fs_struct-&gt;in_exec (CVE-2025-22029 bsc#1241378). - commit f780e88 - x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (CVE-2025-22045 bsc#1241433). - commit 1e24dab - powerpc/boot: Check for ld-option support (bsc#1215199). - commit 333e1e5 - selftests/bpf: extend changes_pkt_data with cases w/o subprograms (bsc#1241590). - bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs (bsc#1241590). - selftests/bpf: validate that tail call invalidates packet pointers (bsc#1241590). - bpf: consider that tail calls invalidate packet pointers (bsc#1241590). - selftests/bpf: freplace tests for tracking of changes_packet_data (bsc#1241590). - bpf: check changes_pkt_data property for extension programs (bsc#1241590). - Refresh patches.kabi/kabi-fix-for-bpf-Prevent-tailcall-infinite-loop-caus.patch - selftests/bpf: test for changing packet data from global functions (bsc#1241590). - bpf: track changes_pkt_data property for global functions (bsc#1241590). - bpf: refactor bpf_helper_changes_pkt_data to use helper number (bsc#1241590). - bpf: add find_containing_subprog() utility function (bsc#1241590). - commit e531d2b - Update patches.suse/memstick-rtsx_usb_ms-Fix-slab-use-after-free-in-rtsx.patch (bsc#1241280 CVE-2025-22020). Added CVE reference - commit 80d99d3 - Fixup breakage in ext2 introduced by backporting in: patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch. - commit b7c808a - cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path (git-fixes). - eth: bnxt: fix missing ring index trim on error path (git-fixes). - igc: add lock preventing multiple simultaneous PTM transactions (git-fixes). - igc: cleanup PTP module if probe fails (git-fixes). - igc: handle the IGC_PTP_ENABLED flag correctly (git-fixes). - igc: move ktime snapshot into PTM retry loop (git-fixes). - igc: increase wait time before retrying PTM (git-fixes). - igc: fix PTM cycle trigger logic (git-fixes). - idpf: fix adapter NULL pointer dereference on reboot (git-fixes). - e1000e: change k1 configuration on MTP and later platforms (git-fixes). - gve: handle overflow when reporting TX consumed descriptors (git-fixes). - net/mlx5e: SHAMPO, Make reserved size independent of page size (git-fixes). - vdpa/mlx5: Fix oversized null mkey longer than 32bit (git-fixes). - idpf: check error for register_netdev() on init (git-fixes). - ice: stop truncating queue ids when checking (git-fixes). - virtchnl: make proto and filter action count unsigned (git-fixes). - ice: fix reservation of resources for RDMA when disabled (git-fixes). - net/mlx5: Start health poll after enable hca (git-fixes). - bnxt_en: Linearize TX SKB if the fragments exceed the max (git-fixes). - bnxt_en: Mask the bd_cnt field in the TX BD properly (git-fixes). - net/mlx5e: Fix ethtool -N flow-type ip4 to RSS context (git-fixes). - igb: reject invalid external timestamp requests for 82580-based HW (git-fixes). - net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices (git-fixes). - net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch (git-fixes). - net/mlx5: Fill out devlink dev info only for PFs (git-fixes). - net/mlx5: IRQ, Fix null string in debug print (git-fixes). - gve: set xdp redirect target only when it is available (git-fixes). - ice: Add check for devm_kzalloc() (git-fixes). - commit 8b3f5c6 - ext4: fix OOB read when checking dotdot dir (bsc#1241640 CVE-2025-37785). - ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (bsc#1241593 CVE-2025-22121). - proc: fix UAF in proc_get_inode() (bsc#1240802 CVE-2025-21999). - fs: relax assertions on failure to encode file handles (bsc#1236086 CVE-2024-57924). - commit 0e972d0 - net: gso: fix ownership in __udp_gso_segment (CVE-2025-21926 bsc#1240712). - commit a0db76b - jfs: add sanity check for agwidth in dbMount (git-fixes). - commit 8faa28a - jfs: Prevent copying of nlink with value 0 from disk inode (git-fixes). - commit eea1d40 - fs/jfs: Prevent integer overflow in AG size calculation (git-fixes). - commit fce66a4 - fs/jfs: cast inactags to s64 to prevent potential overflow (git-fixes). - commit 8b1cc16 - jfs: Fix uninit-value access of imap allocated in the diMount() function (git-fixes). - commit 5b527ae - irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (git-fixes). - drm/amd/display: Fix gpu reset in multidisplay config (git-fixes). - Revert &quot;drm/meson: vclk: fix calculation of 59.94 fractional rates&quot; (git-fixes). - commit 9f8b470 - block: integrity: Do not call set_page_dirty_lock() (git-fixes). - loop: stop using vfs_iter_{read,write} for buffered I/O (git-fixes). - loop: LOOP_SET_FD: send uevents for partitions (git-fixes). - loop: properly send KOBJ_CHANGED uevent for disk device (git-fixes). - block: fix resource leak in blk_register_queue() error path (git-fixes). - block: make sure -&gt;nr_integrity_segments is cloned in blk_rq_prep_clone (git-fixes). - badblocks: fix missing bad blocks on retry in _badblocks_check() (git-fixes). - badblocks: fix merge issue when new badblocks align with pre+1 (git-fixes). - badblocks: fix the using of MAX_BADBLOCKS (git-fixes). - badblocks: return error if any badblock set fails (git-fixes). - badblocks: return error directly when setting badblocks exceeds 512 (git-fixes). - badblocks: Fix error shitf ops (git-fixes). - blk-throttle: fix lower bps rate by throtl_trim_slice() (git-fixes). - block: change blk_mq_add_to_batch() third argument type to bool (git-fixes). - block: fix conversion of GPT partition name to 7-bit (git-fixes). - ublk: set_params: properly check if parameters can be applied (git-fixes). - block: fix 'kmem_cache of name 'bio-108' already exists' (git-fixes). - commit 607aa83 - drm/tests: Build KMS helpers when DRM_KUNIT_TEST_HELPERS is enabled (git-fixes). - commit 03063eb - USB: wdm: add annotation (git-fixes). - USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context (git-fixes). - USB: wdm: close race between wdm_open and wdm_wwan_port_stop (git-fixes). - USB: wdm: handle IO errors in wdm_wwan_port_start (git-fixes). - usb: dwc3: gadget: check that event count does not exceed event buffer length (git-fixes). - usb: dwc3: xilinx: Prevent spike in reset signal (git-fixes). - usb: cdns3: Fix deadlock when using NCM gadget (git-fixes). - usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (git-fixes). - usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines (git-fixes). - serial: sifive: lock port in startup()/shutdown() callbacks (git-fixes). - serial: msm: Configure correct working mode before starting earlycon (git-fixes). - misc: microchip: pci1xxxx: Fix incorrect IRQ status handling during ack (git-fixes). - misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration (git-fixes). - string: Add load_unaligned_zeropad() code path to sized_strscpy() (git-fixes). - kunit: qemu_configs: SH: Respect kunit cmdline (git-fixes). - Revert &quot;wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()&quot; (git-fixes). - wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (git-fixes). - selftests/mm: generate a temporary mountpoint for cgroup filesystem (git-fixes). - selftests/futex: futex_waitv wouldblock test should fail (git-fixes). - phy: freescale: imx8m-pcie: assert phy reset and perst in power off (git-fixes). - PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type (stable-fixes). - ktest: Fix Test Failures Due to Missing LOG_FILE Directories (stable-fixes). - wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table (stable-fixes). - wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi (stable-fixes). - wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process (stable-fixes). - net: usb: asix_devices: add FiberGecko DeviceID (stable-fixes). - media: uvcvideo: Add quirk for Actions UVC05 (stable-fixes). - mmc: dw_mmc: add a quirk for accessing 64-bit FIFOs in two halves (stable-fixes). - pm: cpupower: bench: Prevent NULL dereference on malloc failure (stable-fixes). - commit b154b2c - drm/tests: probe-helper: Fix drm_display_mode memory leak (git-fixes). - drm/tests: modes: Fix drm_display_mode memory leak (git-fixes). - drm/tests: cmdline: Fix drm_display_mode memory leak (git-fixes). - drm/tests: helpers: Create kunit helper to destroy a drm_display_mode (stable-fixes). - drm/i915/gvt: fix unterminated-string-initialization warning (stable-fixes). - drm/i915: Disable RPG during live selftest (git-fixes). - gpio: zynq: Fix wakeup source leaks on device unbind (stable-fixes). - drm/amd: Handle being compiled without SI or CIK support better (stable-fixes). - drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off (stable-fixes). - drm/mediatek: mtk_dpi: Move the input_2p_en bit to platform data (stable-fixes). - drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() (stable-fixes). - drm/amdkfd: debugfs hang_hws skip GPU with MES (stable-fixes). - drm/amdkfd: Fix pqm_destroy_queue race with GPU reset (stable-fixes). - drm/amdkfd: Fix mode1 reset crash issue (stable-fixes). - drm/amdkfd: clamp queue size to minimum (stable-fixes). - drm/amd/display: add workaround flag to link to force FFE preset (stable-fixes). - drm/bridge: panel: forbid initializing a panel with unknown connector type (stable-fixes). - drm: panel-orientation-quirks: Add quirk for OneXPlayer Mini (Intel) (stable-fixes). - drm: panel-orientation-quirks: Add new quirk for GPD Win 2 (stable-fixes). - drm: panel-orientation-quirks: Add quirk for AYA NEO Slide (stable-fixes). - drm: panel-orientation-quirks: Add quirks for AYA NEO Flip DS and KB (stable-fixes). - drm: panel-orientation-quirks: Add support for AYANEO 2S (stable-fixes). - drm: allow encoder mode_set even when connectors change for crtc (stable-fixes). - fbdev: omapfb: Add 'plane' value check (stable-fixes). - drm/tests: helpers: Fix compiler warning (git-fixes). - drm/tests: helpers: Add helper for drm_display_mode_from_cea_vic() (stable-fixes). - drm/i915/dg2: wait for HuC load completion before running selftests (stable-fixes). - drm/tests: Add helper to create mock crtc (stable-fixes). - commit a0a41da - char: misc: register chrdev region with all possible minors (git-fixes). - Revert &quot;drivers: core: synchronize really_probe() and dev_uevent()&quot; (stable-fixes). - Bluetooth: l2cap: Process valid commands in too long frame (stable-fixes). - drivers: base: devres: Allow to release group on device release (stable-fixes). - Bluetooth: hci_uart: Fix another race during initialization (git-fixes). - Bluetooth: hci_uart: fix race during initialization (stable-fixes). - cdc_ether|r8152: ThinkPad Hybrid USB-C/A Dock quirk (stable-fixes). - ahci: add PCI ID for Marvell 88SE9215 SATA Controller (stable-fixes). - ASoC: amd: yc: update quirk data for new Lenovo model (stable-fixes). - ASoC: fsl_audmix: register card device depends on 'dais' property (stable-fixes). - ASoC: SOF: topology: Use krealloc_array() to replace krealloc() (stable-fixes). - ASoC: amd: Add DMI quirk for ACP6X mic support (stable-fixes). - ALSA: usb-audio: Fix CME quirk for UF series keyboards (stable-fixes). - ALSA: hda: intel: Add Lenovo IdeaPad Z570 to probe denylist (stable-fixes). - ALSA: hda: intel: Fix Optimus when GPU has no sound (stable-fixes). - drm/tests: Add helper to create mock plane (stable-fixes). - drm/tests: helpers: Add atomic helpers (stable-fixes). - drm/i915/xelpg: Extend driver code of Xe_LPG to Xe_LPG+ (stable-fixes). - commit 58c19a1 - Update patches.suse/vmxnet3-unregister-xdp-rxq-info-in-the-reset-path.patch (bsc#1241394 CVE-2025-22106 bsc#1241547). - commit a998629 - mm: (un)track_pfn_copy() fix + doc improvements (CVE-2025-22090 bsc#1241537). - commit 1ccdfdd - x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() (CVE-2025-22090 bsc#1241537). - commit f0ac623 - exfat: fix random stack corruption after get_block (bsc#1241426 CVE-2025-22036). - commit 1f685c3 - exfat: do not fallback to buffered write (git-fixes). - commit f7d2bc8 - exfat: drop -&gt;i_size_ondisk (git-fixes). - commit 9420be9 - fs/ntfs3: Prevent integer overflow in hdr_first_de() (bsc#1241416 CVE-2025-22080). - commit 401237e - clk: samsung: Fix UBSAN panic in samsung_clk_init() (CVE-2025-39728 bsc#1241626). - commit 146debe - net: phy: leds: fix memory leak (git-fixes). - net: phy: microchip: force IRQ polling mode for lan88xx (git-fixes). - crypto: atmel-sha204a - Set hwrng quality to lowest possible (git-fixes). - commit 007e98d - net: ethtool: Don't call .cleanup_data when prepare_data fails (git-fixes). - ethtool: Fix set RXNFC command with symmetric RSS hash (git-fixes). - ethtool: Fix wrong mod state in case of verbose and no_mask bitset (git-fixes). - ethtool: Fix context creation with no parameters (git-fixes). - ethtool: fix setting key and resetting indir at once (git-fixes). - ethtool: rss: echo the context number back (git-fixes). - net: ethtool: Fix RSS setting (git-fixes). - ethtool: netlink: do not return SQI value if link is down (git-fixes). - ethtool: netlink: Add missing ethnl_ops_begin/complete (git-fixes). - ethtool: don't propagate EOPNOTSUPP from dumps (git-fixes). - ethtool: plca: fix plca enable data type while parsing the value (git-fixes). - commit 6a09a48 - OPP: add index check to assert to avoid buffer overflow in _read_freq() (bsc#1238961) - commit 2e43a01 - Test the correct macro to detect RT kernel build Fixes: 470cd1a41502 (&quot;kernel-binary: Support livepatch_rt with merged RT branch&quot;) - commit 50e863e - mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111 CVE-2025-21696). Refreshed: patches.suse/mm-hugetlb-Add-huge-page-size-param-to-huge_ptep_get_and_clear.patch - commit e18d57e - bpf: Make sure internal and UAPI bpf_redirect flags don't overlap (bsc#1233098 CVE-2024-50163). - commit f73adfb - bpf: selftests: send packet to devmap redirect XDP (bsc#1233075 CVE-2024-50162). - bpf: devmap: provide rxq after redirect (bsc#1233075 CVE-2024-50162). - commit efb272f - mm: clear uffd-wp PTE/PMD state on mremap() (bsc#1237111 CVE-2025-21696). Refreshed: patches.suse/mm-hugetlb-Add-huge-page-size-param-to-huge_ptep_get_and_clear.patch - commit 559ab65 - mm/migrate: fix shmem xarray update during migration (CVE-2025-22015 bsc#1240944). - commit 18f748b - fou: fix initialization of grc (CVE-2024-46763 bsc#1230764). - commit c144530 - kernel-source: Also update the search to match bin/env Fixes: dc2037cd8f94 (&quot;kernel-source: Also replace bin/env&quot; - commit bae6b69 - rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN - commit 816118c - fou: Fix null-ptr-deref in GRO (CVE-2024-46763 bsc#1230764). - commit 759f2a9 - hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio (CVE-2025-21931 bsc#1240709). - commit 1ece281 - net: fix geneve_opt length integer overflow (CVE-2025-22055 bsc#1241371). - commit 45017c8 - PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads (git-fixes). - irqchip/davinci: Remove leftover header (git-fixes). - tty: n_tty: use uint for space returned by tty_write_room() (git-fixes). - commit 2e047cb - kABI fix for sctp: detect and prevent references to a freed transport in sendmsg (git-fixes). - commit ce43999 - wifi: ath11k: update channel list in reg notifier instead reg worker (CVE-2025-23133 bsc#1241451). - commit dfc599a - exfat: short-circuit zero-byte writes in exfat_file_write_iter (git-fixes). - commit c31ee51 - exfat: fix soft lockup in exfat_clear_bitmap (git-fixes). - commit 527ed08 - nfsd: decrease sc_count directly if fail to queue dl_recall (git-fixes). - commit 91b68ee - nfs: add missing selections of CONFIG_CRC32 (git-fixes). - commit f409d6e - nvmet-fcloop: swap list_add_tail arguments (git-fixes). - nvme-pci: skip nvme_write_sq_db on empty rqlist (git-fixes). - nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer (git-fixes). - nvme-pci: fix stuck reset on concurrent DPC and HP (git-fixes). - nvme-pci: skip CMB blocks incompatible with PCI P2P DMA (git-fixes). - nvme-pci: clean up CMBMSC when registering CMB fails (git-fixes). - nvme-tcp: fix possible UAF in nvme_tcp_poll (git-fixes). - commit bf9d0e5 - Move upstreamed smb patch into sorted section Also move other out-of-tree patches into the proper section - commit ba77adc - rpm/kernel-binary.spec.in: revert the revert change with OrderWithRequires The recent change using OrderWithRequires addresses the known issues, but also caused regressions for the existing image or package builds. For SLE15-SPx, better to be conservative and stick with the older way. - commit bbe05e4 - Refresh patches.suse/kernel-add-product-identifying-information-to-kernel-build.patch. scripts/gen-suse_version_h.sh requires bash, yet in Makefile CONFIG_SHELL is defined to 'sh'. In openSUSE and SUSE products 'sh' is a symbolic link to 'bash', hence this isn't a problem. However distributions like Debian and Ubuntu 'sh' is symbolically linked to 'dash' instead, and gen-suse_version_h.sh will fail to run with ./scripts/gen-suse_version_h.sh: 3: Syntax error: &quot;(&quot; unexpected make[1]: *** [/home/runner/work/libbpf/libbpf/.kernel/Makefile:1135: include/generated/uapi/linux/suse_version.h] Error 2 make: *** [Makefile:224: __sub-make] Error 2 Explicitly use bash to run scripts/gen-suse_version_h.sh to make sure it will always work. - commit 2be3c0f - scsi: iscsi: Fix missing scsi_host_put() in error path (git-fixes). - scsi: hisi_sas: Enable force phy when SATA disk directly connected (git-fixes). - scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp-&gt;nlp_flag (git-fixes). - scsi: scsi_debug: Remove a reference to in_use_bm (git-fixes). - scsi: mpt3sas: Fix a locking bug in an error path (git-fixes). - scsi: mpi3mr: Fix locking in an error path (git-fixes). - scsi: mpt3sas: Reduce log level of ignore_delay_remove message to KERN_INFO (git-fixes). - scsi: core: Use GFP_NOIO to avoid circular locking dependency (git-fixes). - commit c9f2a96 - net: annotate data-races around sk-&gt;sk_tx_queue_mapping (git-fixes). - commit 39ebbf2 - sctp: detect and prevent references to a freed transport in sendmsg (git-fixes). - commit 1334236 - sctp: add mutual exclusion in proc_sctp_do_udp_port() (git-fixes). - commit 711cff2 - sctp: Fix undefined behavior in left shift operation (git-fixes). - commit a1edf61 - netpoll: Use rcu_access_pointer() in netpoll_poll_lock (git-fixes). - commit 4965a27 - tcp: fix mptcp DSS corruption due to large pmtu xmit (git-fixes). - commit ba5be47 - sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start (git-fixes). - commit a7b311d - sctp: fix association labeling in the duplicate COOKIE-ECHO case (git-fixes). - commit f2ab0aa - sctp: prefer struct_size over open coded arithmetic (git-fixes). - commit e26aab9 - net: blackhole_dev: fix build warning for ethh set but not used (git-fixes). - commit 9f9bf2f - net: sctp: fix skb leak in sctp_inq_free() (git-fixes). - commit ef140e3 - sctp: fix busy polling (git-fixes). - commit 533e122 - sctp: support MSG_ERRQUEUE flag in recvmsg() (git-fixes). - commit 1e9a8f7 - i2c: cros-ec-tunnel: defer probe if parent EC is not present (git-fixes). - commit 68f8146 - vmxnet3: unregister xdp rxq info in the reset path (bsc#1241394). - vmxnet3: Fix tx queue race condition with XDP (bsc#1241394). - commit d09ed0e - ALSA: hda/realtek - Fixed ASUS platform headset Mic issue (git-fixes). - commit 53f07fb - Refresh patches.suse/ALSA-hda-realtek-Workaround-for-resume-on-Dell-Venue.patch The patch was applied incorrectly to a wrong device - commit cf41ba6 - Bluetooth: vhci: Avoid needless snprintf() calls (git-fixes). - wifi: wl1251: fix memory leak in wl1251_tx_work (git-fixes). - wifi: mac80211: Purge vif txq in ieee80211_do_stop() (git-fixes). - wifi: at76c50x: fix use after free access in at76_disconnect (git-fixes). - Bluetooth: l2cap: Check encryption key size on incoming connection (git-fixes). - Bluetooth: btrtl: Prevent potential NULL dereference (git-fixes). - Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (git-fixes). - ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels (git-fixes). - ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (git-fixes). - ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() (git-fixes). - ASoC: qcom: Fix sc7280 lpass potential buffer overflow (git-fixes). - asus-laptop: Fix an uninitialized variable (git-fixes). - ata: libata-sata: Save all fields from sense data descriptor (git-fixes). - commit b064ee6 - smb: client: fix folio leaks and perf improvements (bsc#1239997, bsc1241265). - commit 3640faf - net: mark racy access on sk-&gt;sk_rcvbuf (git-fixes). - commit c7df85a - net: set SOCK_RCU_FREE before inserting socket into hashtable (git-fixes). - commit 469342f - net: annotate data-races around sk-&gt;sk_dst_pending_confirm (git-fixes). - commit ddac370 - Refresh patches.suse/x86-paravirt-Move-halt-paravirt-calls-under-CONFIG_PARAVIR.patch. This fixes a build error - commit 885e121 - ipv4: fib: annotate races around nh-&gt;nh_saddr_genid and nh-&gt;nh_saddr (git-fixes). - commit 42e44b7 - rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038). - commit fe0a8c9 - crypto: caam/qi - Fix drv_ctx refcount bug (git-fixes). - commit 004010d - selftests/bpf: Add a few tests to cover (git-fixes). - bpf: Add missed var_off setting in coerce_subreg_to_size_sx() (git-fixes). - bpf: Add missed var_off setting in set_sext32_default_val() (git-fixes). - commit 07fae33 - Drop PCI patch that caused a regression (bsc#1241123) The patch patches.suse/PCI-Avoid-reset-when-disabled-via-sysfs.patch seems causing a regression about missing device passthrough on VM. Drop it to address the regression. - commit 5845d87 - bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (bsc#1240181 CVE-2025-21867). - commit 82a6d4f - Revert commit (bsc#1241051) Delete patches.suse/mm-various-give-up-if-pte_offset_map-_lock-fails.patch. - commit c63b737 - rpm/package-descriptions: Add rt and rt_debug descriptions - commit 09573c0 - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() (bsc#1241250). - commit a11e79b - x86/microcode/AMD: Split load_microcode_amd() (git-fixes). - Refresh patches.suse/x86-microcode-AMD-Fix-out-of-bounds-on-systems-with-.patch. - commit e4a11da - x86/microcode/AMD: Pay attention to the stepping dynamically (git-fixes). - commit 581b74c - x86/microcode/intel: Set new revision only after a successful update (git-fixes). - commit 7ef0614 - x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (git-fixes). - commit 0584d8b - btrfs: fix hole expansion when writing at an offset beyond EOF (bsc#1241151). - btrfs: fix swap file activation failure due to extents that used to be shared (bsc#1241204). - btrfs: fix race with memory mapped writes when activating swap file (bsc#1241204). - btrfs: fix missing snapshot drew unlock when root is dead during swap activation (bsc#1241204). - btrfs: add and use helper to verify the calling task has locked the inode (bsc#1241204). - commit d9b6443 - sched: address a potential NULL pointer dereference in the GRED scheduler (CVE-2025-21980 bsc#1240809). - commit ce44194 - net: atm: fix use after free in lec_send() (CVE-2025-22004 bsc#1240835). - commit 0623761 - llc: do not use skb_get() before dev_queue_xmit() (CVE-2025-21925 bsc#1240713). - commit 79eced9 - tools/power turbostat: report CoreThr per measurement interval (git-fixes). - commit d3776d1 - x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (git-fixes). - Refresh patches.suse/x86-microcode-AMD-Flush-patch-buffer-mapping-after-applica.patch. - commit 88521da - x86/microcode: Rework early revisions reporting (git-fixes). - Refresh patches.suse/x86-microcode-AMD-Flush-patch-buffer-mapping-after-applica.patch. - commit 4d17d9e - ax25: rcu protect dev-&gt;ax25_ptr (CVE-2025-21812 bsc#1238471). - commit 5fd1fff - x86/microcode: Remove the driver announcement and version (git-fixes). - commit 46995b1 - x86/tdx: Emit warning if IRQs are enabled during HLT #VE handling (git-fixes). - commit d56cfaf - x86/tdx: Fix arch_safe_halt() execution for TDX VMs (git-fixes). - commit d95d976 - Refresh patches.suse/ipv6-remove-hard-coded-limitation-on-ipv6_pinfo.patch. - commit 0200f55 - hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key (git-fixes). - commit 6eab8d6 - x86/paravirt: Move halt paravirt calls under CONFIG_PARAVIRT (git-fixes). - commit df4a06f - x86/microcode/AMD: Flush patch buffer mapping after application (git-fixes). - commit 3abf82a - x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment (git-fixes). - commit 9a5f9b4 - x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 (git-fixes). - commit a987e8f - x86/uaccess: Improve performance by aligning writes to 8 bytes in copy_user_generic(), on non-FSRM/ERMS CPUs (git-fixes). - commit b668be3 - x86/bugs: Add RSB mitigation document (git-fixes). - commit b8dad0f - x86/bugs: Don't fill RSB on context switch with eIBRS (git-fixes). - commit 187dbce - x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline (git-fixes). - commit 4f16d88 - x86/bugs: Fix RSB clearing in indirect_branch_prediction_barrier() (git-fixes). - commit fb3ed54 - x86/bugs: Use SBPB in write_ibpb() if applicable (git-fixes). - commit 4702713 - x86/bugs: Rename entry_ibpb() to write_ibpb() (git-fixes). - commit 05f7f50 - selftest/bpf: Add vsock test for sockmap rejecting unconnected (bsc#1239470 CVE-2025-21854). - selftest/bpf: Adapt vsock_delete_on_close to sockmap rejecting unconnected (bsc#1239470 CVE-2025-21854). - vsock/bpf: Warn on socket without transport (bsc#1239470 CVE-2025-21854). - commit 9aa107b - tools/power turbostat: Increase CPU_SUBSET_MAXCPUS to 8192 (bsc#1241175). - commit b06e876 - sockmap, vsock: For connectible sockets allow only connected (bsc#1239470 CVE-2025-21854). - bpf: sockmap, test for unconnected af_unix sock (bsc#1239470 CVE-2025-21854). - Refresh patches.suse/selftest-bpf-Add-test-for-af_vsock-poll.patch - bpf: syzkaller found null ptr deref in unix_bpf proto add (bsc#1239470 CVE-2025-21854). - Refresh patches.suse/udp-fix-busy-polling.patch - Refresh patches.suse/bpf-sockmap-SK_DROP-on-attempted-redirects-of-unsupported-.patch - commit 62e8475 - bpf, vsock: Invoke proto::close on close() (bsc#1239470 CVE-2025-21854). - Refresh patches.suse/vsock-Keep-the-binding-until-socket-destruction.patch. - Refresh patches.suse/vsock-Orphan-socket-after-transport-release.patch - commit a88600e - selftest/bpf: Add test for vsock removal from sockmap on close() (bsc#1239470 CVE-2025-21854). - selftest/bpf: Add test for af_vsock poll() (bsc#1239470 CVE-2025-21854). - bpf, vsock: Fix poll() missing a queue (bsc#1239470 CVE-2025-21854). - commit 43f792d - RDMA/core: Silence oversized kvmalloc() warning (git-fixes) - commit 0801938 - RDMA/cma: Fix workqueue crash in cma_netevent_work_handler (git-fixes) - commit 8be4a6f - RDMA/hns: Fix wrong maximum DMA segment size (git-fixes) - commit 9a0c549 - RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (git-fixes) - commit 7bf895d - net: xdp: Disallow attaching device-bound programs in generic mode (bsc#1238742 CVE-2025-21808). - commit c2feb9e - md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb (bsc#1238212) Also reenable patches.suse/md-md-bitmap-fix-writing-non-bitmap-pages-ab99.patch - commit 22ce219 - bpf: Fix deadlock when freeing cgroup storage (CVE-2024-58088 bsc#1239510) - commit a5b985f - dpll: fix xa_alloc_cyclic() error handling (CVE-2025-22016 bsc#1240934) - commit 2521b46 - devlink: fix xa_alloc_cyclic() error handling (CVE-2025-22017 bsc#1240936) - commit 6e391e8 - zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING (bsc#1241167). - commit 2fe69fb - caif_virtio: fix wrong pointer check in cfv_probe() (CVE-2025-21904 bsc#1240576). - commit 9a83e3e - Refresh patches.kabi/kABI-fix-for-ipv6-remove-hard-coded-limitation-on-ip.patch. - commit 81847b0 - xfs: flush inodegc before swapon (git-fixes). - commit c599968 - net: mana: Switch to page pool for jumbo frames (git-fixes). - RDMA/mana_ib: Ensure variable err is initialized (git-fixes). - x86/hyperv: Fix check of return value from snp_set_vmsa() (git-fixes). - commit 2b709c0 - pwm: fsl-ftm: Handle clk_get_rate() returning 0 (git-fixes). - pwm: rcar: Improve register calculation (git-fixes). - pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() (git-fixes). - commit 9d83cd0 - ata: sata_sx4: Add error handling in pdc20621_i2c_read() (git-fixes). - ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() (git-fixes). - commit dcc1d06 - kABI workaround for powercap update (bsc#1241010). - commit 6da4ad4 - drm/amd/display: Fix out-of-bound accesses (bsc#1240811 CVE-2025-21985) - commit f9ae89c - Revert &quot;tcp: Fix bind() regression for v6-only wildcard and&quot; This reverts commit 10a8fd3005bd56ac305a4a4e9bf53cfc50aad28f. This patch is part of a bigger series [0] and AFAIU can't be applied individually. Applying the entire series would result in kABI breakage. [0] https://lore.kernel.org/all/20231213082029.35149-1-kuniyu@amazon.com/ - commit 9692530 - Update patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_devic.patch (git-fixes CVE-2025-21936 bsc#1240716). - Update patches.suse/Bluetooth-Add-check-for-mgmt_alloc_skb-in-mgmt_remot.patch (git-fixes CVE-2025-21937 bsc#1240643). - Update patches.suse/Bluetooth-Fix-error-code-in-chan_alloc_skb_cb.patch (git-fixes CVE-2025-22007 bsc#1240829). - Update patches.suse/HID-appleir-Fix-potential-NULL-dereference-at-raw-ev.patch (git-fixes CVE-2025-21948 bsc#1240703). - Update patches.suse/HID-hid-steam-Fix-use-after-free-when-detaching-devi.patch (git-fixes CVE-2025-21923 bsc#1240691). - Update patches.suse/HID-ignore-non-functional-sensor-in-HP-5MP-Camera.patch (stable-fixes CVE-2025-21992 bsc#1240796). - Update patches.suse/HID-intel-ish-hid-Fix-use-after-free-issue-in-ishtp_.patch (git-fixes CVE-2025-21928 bsc#1240722). - Update patches.suse/KVM-arm64-Unconditionally-save-flush-host-FPSIMD-SVE-SME-state.patch (git-fixes CVE-2025-22013 bsc#1240938). - Update patches.suse/RDMA-hns-Fix-soft-lockup-during-bt-pages-loop.patch (git-fixes CVE-2025-22010 bsc#1240943). - Update patches.suse/accel-qaic-Fix-integer-overflow-in-qaic_validate_req.patch (git-fixes CVE-2025-22001 bsc#1240873). - Update patches.suse/bus-mhi-host-pci_generic-Use-pci_try_reset_function-.patch (git-fixes CVE-2025-21951 bsc#1240718). - Update patches.suse/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch (git-fixes CVE-2025-22003 bsc#1240825). - Update patches.suse/cdx-Fix-possible-UAF-error-in-driver_override_show.patch (git-fixes CVE-2025-21915 bsc#1240594). - Update patches.suse/dm-flakey-Fix-memory-corruption-in-optional-corrupt_.patch (git-fixes CVE-2025-21966 bsc#1240779). - Update patches.suse/drivers-virt-acrn-hsm-Use-kzalloc-to-avoid-info-leak.patch (git-fixes CVE-2025-21950 bsc#1240719). - Update patches.suse/drm-amd-display-Assign-normalized_pix_clk-when-color.patch (stable-fixes CVE-2025-21956 bsc#1240739). - Update patches.suse/drm-amd-display-Fix-null-check-for-pipe_ctx-plane_st-374c9fa.patch (git-fixes CVE-2025-21941 bsc#1240701). - Update patches.suse/drm-amd-display-Fix-slab-use-after-free-on-hdcp_work.patch (git-fixes CVE-2025-21968 bsc#1240783). - Update patches.suse/drm-hyperv-Fix-address-space-leak-when-Hyper-V-DRM-d.patch (git-fixes CVE-2025-21978 bsc#1240806). - Update patches.suse/drm-radeon-fix-uninitialized-size-issue-in-radeon_vc.patch (git-fixes CVE-2025-21996 bsc#1240801). - Update patches.suse/drm-sched-Fix-fence-reference-count-leak.patch (git-fixes CVE-2025-21995 bsc#1240821). - Update patches.suse/gpio-aggregator-protect-driver-attr-handlers-against.patch (git-fixes CVE-2025-21943 bsc#1240647). - Update patches.suse/gpio-rcar-Use-raw_spinlock-to-protect-register-acces.patch (stable-fixes CVE-2025-21912 bsc#1240584). - Update patches.suse/msft-hv-3170-net-mana-cleanup-mana-struct-after-debugfs_remove.patch (git-fixes CVE-2025-21953 bsc#1240727). - Update patches.suse/net_sched-Prevent-creation-of-classes-with-TC_H_ROOT.patch (git-fixes CVE-2025-21971 bsc#1240799). - Update patches.suse/nvme-tcp-fix-potential-memory-corruption-in-nvme_tcp.patch (git-fixes CVE-2025-21927 bsc#1240714). - Update patches.suse/rapidio-add-check-for-rio_add_net-in-rio_scan_alloc_.patch (git-fixes CVE-2025-21935 bsc#1240700). - Update patches.suse/rapidio-fix-an-API-misues-when-rio_add_net-fails.patch (git-fixes CVE-2025-21934 bsc#1240708). - Update patches.suse/regulator-check-that-dummy-regulator-has-been-probed.patch (stable-fixes CVE-2025-22008 bsc#1240942). - Update patches.suse/regulator-dummy-force-synchronous-probing.patch (git-fixes CVE-2025-22009 bsc#1240940). - Update patches.suse/slimbus-messaging-Free-transaction-ID-in-delayed-int.patch (git-fixes CVE-2025-21914 bsc#1240595). - Update patches.suse/soc-qcom-pdr-Fix-the-potential-deadlock.patch (git-fixes CVE-2025-22014 bsc#1240937). - Update patches.suse/usb-atm-cxacru-fix-a-flaw-in-existing-endpoint-check.patch (git-fixes CVE-2025-21916 bsc#1240582). - Update patches.suse/usb-renesas_usbhs-Flush-the-notify_hotplug_work.patch (git-fixes CVE-2025-21917 bsc#1240596). - Update patches.suse/usb-typec-ucsi-Fix-NULL-pointer-access.patch (git-fixes CVE-2025-21918 bsc#1240592). - Update patches.suse/wifi-cfg80211-cancel-wiphy_work-before-freeing-wiphy.patch (git-fixes CVE-2025-21979 bsc#1240808). - Update patches.suse/wifi-cfg80211-regulatory-improve-invalid-hints-check.patch (git-fixes CVE-2025-21910 bsc#1240583). - Update patches.suse/wifi-iwlwifi-limit-printed-string-from-FW-file.patch (git-fixes CVE-2025-21905 bsc#1240575). - Update patches.suse/wifi-iwlwifi-mvm-don-t-try-to-talk-to-a-dead-firmwar.patch (git-fixes CVE-2025-21930 bsc#1240715). - Update patches.suse/wifi-nl80211-reject-cooked-mode-if-it-is-set-along-w.patch (git-fixes CVE-2025-21909 bsc#1240590). - commit a467018 - affs: don't write overlarge OFS data block size fields (git-fixes). - commit 334bc15 - affs: generate OFS sequence numbers starting at 1 (git-fixes). - commit f93c833 - nfsd: put dl_stid if fail to queue dl_recall (git-fixes). - commit 4b6b673 - security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375). - Refresh patches.suse/net-better-track-kernel-sockets-lifetime.patch. - commit bd8699b - selinux: Implement mptcp_add_subflow hook (bsc#1240375). - commit c784a67 - powercap: intel_rapl_tpmi: Enable PMU support (bsc#1241010). - commit 2a705e9 - powercap: intel_rapl: Introduce APIs for PMU support (bsc#1241010). - commit b0e2847 - drm/amd: Keep display off while going into S4 (stable-fixes). - Refresh patches.suse/drm-amd-display-Restore-correct-backlight-brightness.patch. - commit e9996bf - drm/sti: remove duplicate object names (git-fixes). - drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes). - drm/amd/pm/smu11: Prevent division by zero (git-fixes). - drm/amdgpu/dma_buf: fix page_link check (git-fixes). - drm/i915/huc: Fix fence not released on early probe errors (git-fixes). - gpio: tegra186: fix resource handling in ACPI probe path (git-fixes). - mtd: rawnand: Add status chack in r852_ready() (git-fixes). - mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes). - ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes). - ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes). - ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes). - mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes). - hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes). - wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes). - platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes). - platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes). - wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes). - wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes). - wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes). - HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes). - ntb: Force physically contiguous allocation of rx ring buffers (git-fixes). - ntb_perf: Fix printk format (git-fixes). - commit a733ec5 - netfilter: br_netfilter: skip conntrack input hook for promisc packets (CVE-2024-27415 bsc#1224757). - commit 01cefc0 - kabi: restore layout of struct nf_ct_hook after backport of commit 62e7151ae3eb (CVE-2024-27415 bsc#1224757). - netfilter: bridge: confirm multicast packets before passing them up the stack (CVE-2024-27415 bsc#1224757). - commit 69425e5 - netfilter: xtables: fix typo causing some targets not to load on IPv6 (CVE-2024-50038 bsc#1231910). - netfilter: xtables: avoid NFPROTO_UNSPEC where needed (CVE-2024-50038 bsc#1231910). - commit 9ec5161 - net: mctp: unshare packets when reassembling (CVE-2025-21972 bsc#1240813). - commit 5878b19 - Reapply &quot;Merge remote-tracking branch 'origin/users/sjaeckel/SLE15-SP6/for-next' into SLE15-SP6&quot; This reverts commit 9b78ca60e10c64a737b9db2b85fdd944daac6ae6. - commit 157dbaf - net/tcp: refactor tcp_inet6_sk() (git-fixes). - commit 459f538 - ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes). - commit eeb7f74 - ntb: intel: Fix using link status DB's (git-fixes). - commit a988a90 - s390/cio: Fix CHPID &quot;configure&quot; attribute caching (git-fixes bsc#1240979). - commit a947a32 - s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978). - commit 610fa90 - wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes). - Refresh patches.suse/wifi-ath11k-choose-default-PM-policy-for-hibernation.patch. - Refresh patches.suse/wifi-ath11k-support-non-WoWLAN-mode-suspend-as-well.patch. - commit 5ef71a9 - Update upstream status for ath11k patches - commit 42fd2e8 - rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE We now have LD_CAN_USE_KEEP_IN_OVERLAY since commit: e7607f7d6d81 ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE - commit 7b55ff2 - perf tools: annotate asm_pure_loop.S (bsc#1239906). - commit a3afe13 - perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585 CVE-2025-21895). - commit c393384 - io_uring/kbuf: reallocate buf lists on upgrade (CVE-2025-21836 bsc#1239066). - commit 1c3b3b4 - rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038). OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there. This is also needed for udev &amp; systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659) - commit 634be2c - usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes). - commit 88d79df - bpf: avoid holding freeze_mutex during mmap operation (git-fixes). - bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes). - selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes). - bpf: Check size for BTF-based ctx access of pointer members (git-fixes). - bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes). - bpf: fix potential error return (git-fixes). - commit 59fa8cd - tty: serial: 8250: Add Brainboxes XC devices (stable-fixes). - tty: serial: 8250: Add some more device IDs (stable-fixes). - net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes). - net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes). - HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes). - drm/dp_mst: Add a helper to queue a topology probe (stable-fixes). - drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes). - commit dcc0903 - scsi: qla1280: Fix kernel oops when debug level &gt; 2 (CVE-2025-21957 bsc#1240742) - commit bd3922a - io_uring: prevent opcode speculation (CVE-2025-21863 bsc#1239475). - commit cf2b4a4 - wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (CVE-2025-21729 bsc#1237874) - commit dfb7d10 - OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (CVE-2024-58068 bsc#1238961) - commit b424f57 - net: let net.core.dev_weight always be non-zero (CVE-2025-21806 bsc#1238746) - commit c6ce075 - Refresh patches.suse/Bluetooth-L2CAP-Fix-corrupted-list-in-hci_chan_del.patch Drop redundant mutex lock that was forgotten - commit 8253168 - net/mlx5: Bridge, fix the crash caused by LAG state check (CVE-2025-21970 bsc#1240819). - eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (CVE-2025-21960 bsc#1240815). - eth: bnxt: fix truesize for mb-xdp-pass case (CVE-2025-21961 bsc#1240816). - net/mlx5: handle errors in mlx5_chains_create_table() (CVE-2025-21975 bsc#1240812). - commit 5bfb0f9 - x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (CVE-2025-21991 bsc#1240795). - x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (CVE-2025-21913 bsc#1240591). - commit 718ae0d - NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (CVE-2025-21908 bsc#1240600). - commit a2db92f - kABI workaround for l2cap_conn changes (CVE-2025-21969 bsc#1240784). - commit 0c8af58 - Bluetooth: L2CAP: Fix corrupted list in hci_chan_del (CVE-2025-21969 bsc#1240784). - commit 730e49a - Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd (CVE-2025-21969 bsc#1240784). - iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (CVE-2025-21993 bsc#1240797). - commit 80da9db - drm/amdgpu/gfx11: fix num_mec (git-fixes). - drm/amd/pm: Prevent division by zero (git-fixes). - Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes). - Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes). - commit d5f05d8 - powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes). - commit 4482ca3 - powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes). - commit 8f97ff8 - powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes). - commit 5af8777 - powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes). - commit cb855f9 - usbnet:fix NPE during rx_complete (git-fixes). - platform/x86: ISST: Correct command storage data length (git-fixes). - ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes). - ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes). - ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes). - ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes). - firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes). - ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes). - ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes). - commit e1c84cd - vsock: Orphan socket after transport release (CVE-2025-21755 bsc#1237882) - commit 6317d55 - tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870). - commit 6e4dc96 - tpm_tis: Move CRC check to generic send routine (bsc#1235870). - Refresh patches.suse/tpm_tis-Resend-command-to-recover-from-data-transfer.patch - commit 66fe063 - Delete patches.suse/tpm-send_data-Wait-longer-for-the-TPM-to-become-read.patch. To be replaced with upstream fix. - commit d0fcf25 - rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013). - commit 34e3f46 - kernel-binary: Support livepatch_rt with merged RT branch - commit 470cd1a - arm64: Don't call NULL in do_compat_alignment_fixup() (git-fixes) - commit 249080a - arm64: mm: Correct the update of max_pfn (git-fixes) - commit b6d4b51 - tpm: tis: Double the timeout B to 4s (bsc#1235870). - commit 2ecc734 - tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870). - commit cc21438 - ice: fix memory leak in aRFS after reset (CVE-2025-21981 bsc#1240612). - ppp: Fix KMSAN uninit-value warning with bpf (CVE-2025-21922 bsc#1240639). - net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (CVE-2025-21924 bsc#1240720). - net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (CVE-2025-21894 bsc#1240581). - net: enetc: Replace ifdef with IS_ENABLED (CVE-2025-21894 bsc#1240581). - commit e9dce38 - wifi: iwlwifi: mvm: clean up ROC on failure (CVE-2025-21906 bsc#1240587). - commit 887f91d - lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes). - acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes). - commit ea68f49 - smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616). - commit 504723c - exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes). - commit 8b30c73 - rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64. - commit 8fbe8b1 - net: fix data-races around sk-&gt;sk_forward_alloc (CVE-2024-53124 bsc#1234074). - commit ea48905 - sctp: fix possible UAF in sctp_v6_available() (CVE-2024-53139 bsc#1234157). - commit 779dfcf - usb: xhci: correct debug message page size calculation (git-fixes). - ucsi_ccg: Don't show failed to get FW build information error (git-fixes). - serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes). - tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes). - staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes). - counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes). - counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes). - ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes). - objtool: Fix segfault in ignore_unreachable_insn() (git-fixes). - objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes). - objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes). - counter: fix privdata alignment (git-fixes). - commit 8ea2563 - Move upstreamed ACPI patch into sorted section - commit 871d0d6 - tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes). - PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes). - PCI: Fix BAR resizing when VF BARs are assigned (git-fixes). - PCI: Fix reference leak in pci_register_host_bridge() (git-fixes). - commit 808a9df - net: better track kernel sockets lifetime (CVE-2025-21884 bsc#1240171). - net: Add net_passive_inc() and net_passive_dec() (CVE-2025-21884 bsc#1240171). - commit 741fa11 - Update patches.suse/RDMA-core-Don-t-expose-hw_counters-outside-of-init-n.patch (git-fixes bsc#1239925). - Update patches.suse/kABI-fix-for-RDMA-core-Don-t-expose-hw_counters-outs.patch (git-fixes bsc#1239925). Add bug reference. - commit 8eef29b Package krb5 was updated: - Remove references to the LMDB backend in the kdc.conf manpage; (bsc#1242060); Package libevent was updated: - Disable the select backend, this can be easily done by lying to configure. This is done due to: * using fd number &gt; 1024 on an fd_set results in a runtime fortify source assertion, preventing further doom. * select will not be changed to handle fd &gt; 1024. * this limit is unreasonable low for this century. - Drop insserv_prereq and fillup_prereq macros: there are no pre-scripts that would justify these dependencies. - Update to 2.1.12 stable * buffer: do not pass NULL to memcpy() from evbuffer_pullup() * http: fix undefined-shift in EVUTIL_IS*_ helpers * Check error code of evhttp_add_header_internal() in evhttp_parse_query_impl() * http: fix EVHTTP_CON_AUTOFREE in case of timeout * evdns: Add additional validation for values of dns options * Fix memory corruption in EV_CLOSURE_EVENT_FINALIZE with debug enabled * increase segment refcnt only if evbuffer_add_file_segment() succeeds * evdns: fix a crash when evdns_base with waiting requests is freed * event_base_once: fix potential null pointer threat * http: do not assume body for CONNECT * evbuffer_add_file: fix freeing of segment in the error path * Fix checking return value of the evdns_base_resolv_conf_parse() * Support EV_CLOSED on linux for poll(2) * Parse IPv6 scope IDs. * evutil_time: detect and use _gmtime64_s()/_gmtime64() * bufferevent: allow setting priority on socket and openssl type * Fix EV_CLOSED detection/reporting * Revert &quot;Warn if forked from the event loop during event_reinit()&quot; - Add upstream patches with the feature of &quot;prepare&quot; and &quot;check&quot; watchers. That feature is needed by envoy-proxy: * 0001-evwatch-Add-prepare-and-check-watchers.patch * 0002-evwatch-fix-race-condition.patch - Update to 2.1.11 stable * Fix ABI breakage that had been introduced in 2.1.10. Strictly speaking this release breaks ABI again to make it compatible with &lt;= 2.1.9. + See git commit 18104973 for more details * evdns: add new options -- so-rcvbuf/so-sndbuf * various autotools and cmake build changes * buffer: fix possible NULL dereference in evbuffer_setcb() on ENOMEM * Warn if forked from the event loop during event_reinit() * evutil: set the have_checked_interfaces in evutil_check_interfaces() * https-client: correction error checking - Use FAT LTO objects in order to provide proper static library. - Fix name of library package (bsc#1138369) - Update to 2.1.10 stable * evdns: add DNS_OPTION_NAMESERVERS_NO_DEFAULT / EVDNS_BASE_NAMESERVERS_NO_DEFAULT * Add support for EV_TIMEOUT to event_base_active_by_fd * kqueue: Avoid undefined behaviour. * Prevent integer overflow in kq_build_changes_list. * evdns: fix lock/unlock mismatch in evdns_close_server_port() * Protect min_heap_push_ against integer overflow. * le-proxy: initiate use of the Winsock DLL * Fix leaks in error path of the bufferevent_init_common_() * buffer: make evbuffer_prepend() of zero-length array no-op * Don't loose top error in SSL * Remove needless check for arc4_seeded_ok * Cleanup __func__ detection * Add convenience macros for user-triggered events * Notify event base if there are no more events, so it can exit without delay * Fix base unlocking in event_del() if event_base_set() runned in another thread * If precise_time is false, we should not set EVENT_BASE_FLAG_PRECISE_TIMER * Fix race in access to ev_res from event loop with event_active() * Return from event_del() after the last event callback termination * Preserve socket error from listen across closesocket cleanup * fix connection retries when there more then one request for connection * improve error path for bufferevent_{setfd,enable,disable}() * Fix conceivable UAF of the bufferevent in evhttp_connection_free() * Fix evhttp_connection_get_addr() fox incomming http connections * fix leaks in evhttp_uriencode() * CONNECT method only takes an authority * Allow bodies for GET/DELETE/OPTIONS/CONNECT * Do not crash when evhttp_send_reply_start() is called after a timeout. * Fix crashing http server when callback do not reply in place * fix handling of close_notify (ssl) in http with openssl bufferevents * use *_new_with_arg() to match function prototype * avoid NULL dereference on request is not EVHTTP_REQ_POST * bufferevent_socket_connect{,_hostname}() missing event callback and use ret code * don't fail be_null_filter if bytes are copied * Call underlying bev ctrl GET_FD on filtered bufferevents * be_openssl: avoid leaking of SSL structure * Add missing includes into openssl-compat.h * Explicitly call SSL_clear when reseting the fd. * sample/https-client: use host SSL certificate store by default * ipv6only socket bind support * evdns: handle NULL filename explicitly * Fix assert() condition in evbuffer_drain() for IOCP * fix incorrect unlock of the buffer mutex (for deferred callbacks) * Fix wrong assert in evbuffer_drain() * Port `event_rpcgen.py` and `test/check-dumpevents.py` to Python 3. - rename python2-shebang.patch -&gt; python3-shebang.patch following port - Make use of %license macro - Add devel-static package, which is needed for building Envoy (https://www.envoyproxy.io/) and Cilium with Envoy integration - Fix an error about /usr/bin/env shebang in event_rpcgen.py * python2-shebang.patch Package expat was updated: - version update to 2.7.1 Bug fixes: [#980] #989 Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount - XML_GetCurrentByteIndex - XML_GetCurrentColumnNumber - XML_GetCurrentLineNumber - XML_GetInputContext Other changes: [#976] #977 Autotools: Integrate files &quot;fuzz/xml_lpm_fuzzer.{cpp,proto}&quot; with Automake that were missing from 2.7.0 release tarballs [#983] #984 Fix printf format specifiers for 32bit Emscripten [#992] docs: Promote OpenSSF Best Practices self-certification [#978] tests/benchmark: Resolve mistaken double close [#986] Address compiler warnings [#990] #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do Infrastructure: [#982] CI: Start running Perl XML::Parser integration tests [#987] CI: Enforce Clang Static Analyzer clean code [#991] CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy [#981] CI: Cover compilation with musl [#983] #984 CI: Cover compilation with 32bit Emscripten [#976] #977 CI: Protect against fuzzer files missing from future release archives - version update to 2.7.0 for SLE-15-SP4 - deleted patches - expat-CVE-2022-25235.patch (upstreamed) - expat-CVE-2022-25236-relax-fix.patch (upstreamed) - expat-CVE-2022-25236.patch (upstreamed) - expat-CVE-2022-25313-fix-regression.patch (upstreamed) - expat-CVE-2022-25313.patch (upstreamed) - expat-CVE-2022-25314.patch (upstreamed) - expat-CVE-2022-25315.patch (upstreamed) - expat-CVE-2022-40674.patch (upstreamed) - expat-CVE-2022-43680.patch (upstreamed) - expat-CVE-2023-52425-1.patch (upstreamed) - expat-CVE-2023-52425-2.patch (upstreamed) - expat-CVE-2023-52425-backport-parser-changes.patch (upstreamed) - expat-CVE-2023-52425-fix-tests.patch (upstreamed) - expat-CVE-2024-28757.patch (upstreamed) - expat-CVE-2024-45490.patch (upstreamed) - expat-CVE-2024-45491.patch (upstreamed) - expat-CVE-2024-45492.patch (upstreamed) - expat-CVE-2024-50602.patch (upstreamed) - version update to 2.7.0 (CVE-2024-8176 [bsc#1239618]) * Security fixes: [#893] #973 CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities: - general entities in character data (&quot;&lt;e&gt;&amp;g1;&lt;/e&gt;&quot;) - general entities in attribute values (&quot;&lt;e k1='&amp;g1;'/&gt;&quot;) - parameter entities (&quot;%p1;&quot;) Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. * Other changes: [#935] #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS [#925] Autotools: Sync CMake templates with CMake 3.29 [#945] #962 #966 CMake: Drop support for CMake &lt;3.13 [#942] CMake: Small fuzzing related improvements [#921] docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4 [#941] docs: Document need for C++11 compiler for use from C++ [#959] tests/benchmark: Fix a (harmless) TOCTTOU [#944] Windows: Fix installer target location of file xmlwf.xml for CMake [#953] Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW [#971] Address Cppcheck warnings [#969] #970 Mass-migrate links from http:// to https:// [#947] #958 .. [#974] #975 Document changes since the previous release [#974] #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do - no source changes, just adding jira reference: jsc#SLE-21253 Package freetype2 was updated: Package libgcrypt was updated: - FIPS: Pad PKCS1.5 signatures with SHA3 correctly [bsc#1241605] * Add libgcrypt-FIPS-sha3-asn.patch Package ncurses was updated: - Modify patch ncurses-5.9-ibm327x.dif * Backport sclp terminfo description entry if for s390 sclp terminal lines * Add a further sclp entry for qemu s390 based systems * Make use of dumb Package openssl-3 was updated: - Security fix: [bsc#1240366] * Minerva side channel vulnerability in P-384 on PPC arch * Add openssl-3-p384-minerva-ppc.patch * Add openssl-3-p384-minerva-ppc-p9.patch - Security fix: [bsc#1240607] * Check ssl/ssl3_read_internal null pointer [from commit 38b051a] * Add openssl-check-ssl_read_internal-nullptr.patch - FIPS: Fix EMS in crypto-policies FIPS:NO-ENFORCE-EMS * [bsc#1230959, bsc#1232326, bsc#1231748] * Add patch openssl-FIPS-fix-EMS-support.patch Package librdkafka was updated: - 0001-Fix-timespec-conversion-to-avoid-infinite-loop-2108-.patch: avoid endless loops (bsc#1242842) Package ruby2.5 was updated: - update suse.patch to 736ea75f25d52fdebb88ed6583468bd7c21190f6 - fix ReDoS in CGI::Util#escapeElement bsc#1237806 CVE-2025-27220 - fix denial of service in CGI::Cookie.parse bsc#1237804 CVE-2025-27219 - update suse.patch to 6bf78da1fc4048a11a8612741216ebc47d9ebb41 - move the request smuggling patch to the correct place actually fixes bsc#1230930 CVE-2024-47220 and now boo#1235773 Package libsolv was updated: - build both static and dynamic libraries on new suse distros- support the apk package and repository format (both v2 and v3) - new dataiterator_final_{repo,solvable} functions - bump version to 0.7.32 - Provide a symbol specific for the ruby-version so yast does not break across updates (boo#1235598) Package sqlite3 was updated: - Sync version 3.49.1 from Factory (jsc#SLE-16032): * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws() function, introduced in version 3.44.0, that could lead to a memory error if the separator string is very large (hundreds of megabytes). * CVE-2025-29088, bsc#1241078: Enhanced the SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust against misuse. * Obsoletes sqlite3-rtree-i686.patch Package systemd was updated: - Import commit a4100e9c74b0eafae18a13e9d1d988ebc8376c6a 806c21e22b umount: do not move busy network mounts (bsc#1236177) - Apply coredump sysctl settings on systemd-coredump updates/removals. - Add 1003-journal-again-create-user-journals-for-users-with-hi.patch (bsc#1242938) Don't write messages sent from users with UID falling into the container UID range to the system journal. Daemons in the container don't talk to the outside journald as they talk to the inner one directly, which does its journal splitting based on shifted uids. - Import commit 2f79a45369489b656be509a1517afcae4fe3ee20 ebdfa3e44e man/pstore.conf: pstore.conf template is not always installed in /etc 304ed20aab man: coredump.conf template is not always installed in /etc (bsc#1237496) Package libxml2 was updated: - security update- added patches CVE-2025-32414 [bsc#1241551], out-of-bounds read when parsing text via the Python API + libxml2-CVE-2025-32414.patch CVE-2025-32415 [bsc#1241453], a crafted XML document may lead to a heap-based buffer under-read + libxml2-CVE-2025-32415.patch Package libzypp was updated: - fixed build with boost 1.88.- XmlReader: Fix detection of bad input streams (fixes #635) libxml2 2.14 potentially reads the complete stream, so it may have the 'eof' bit set. Which is not 'good' but also not 'bad'. - rpm: Fix detection of %triggerscript starts (bsc#1222044) - RepoindexFileReader: add more &lt;repo&gt; related attributes a service may set. Add optional attributes gpgcheck, repo_gpgcheck, pkg_gpgcheck, keeppackages, gpgkey, mirrorlist, and metalink with the same semantic as in a .repo file. - version 17.36.7 (35) - Drop workaround for broken rpm-4.18 in Code16 (bsc#1237172) - BuildRequires: %{libsolv_devel_package} &gt;= 0.7.32. Code16 moved static libs to libsolv-devel-static. - Drop usage of SHA1 hash algorithm because it will become unavailable in FIPS mode (bsc#1240529) - Fix zypp.conf dupAllowVendorChange to reflect the correct default (false). The default was true in Code12 (libzypp-16.x) and changed to false with Code15 (libzypp-17.x). Unfortunately this was done by shipping a modified zypp.conf file rather than fixing the code. - zypp.conf: Add `lock_timeout` ($ZYPP_LOCK_TIMEOUT) (bsc#1239809) - version 17.36.6 (35) - Fix computation of RepStatus if Repo URLs change. - Fix lost double slash when appending to an absolute FTP url (bsc#1238315) Ftp actually differs between absolute and relative URL paths. Absolute path names begin with a double slash encoded as '/%2F'. This must be preserved when manipulating the path. - version 17.36.5 (35) - Add a transaction package preloader (fixes openSUSE/zypper#104) This patch adds a preloader that concurrently downloads files during a transaction commit. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. - RpmPkgSigCheck_test: Exchange the test package signingkey (fixes #622) - Exclude MediaCurl tests if DISABLE_MEDIABACKEND_TESTS (fixes #626) - Strip a mediahandler tag from baseUrl querystrings. - version 17.36.4 (35) Package nvme-cli was updated: - Update to version 2.8+88.g21612f53: * sed: perform a tper revert after lsp revert (bsc#1240656) Package openssh was updated: - Enable --with-logind to call the SetTTY dbus method in systemd. This allows &quot;wall&quot; to print messages in ssh ttys (bsc#1239671) - Small fixes to unref the dbus session when any error occurs: * logind_set_tty.patch - Added openssh-cve-2025-32728.patch (bsc#1241012, CVE-2025-32728). This fixes an upstream logic error handling the DisableForwarding option. Package pam was updated: - pam_unix/passverify: (get_account_info) [!HELPER_COMPILE]: Always return PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file entry. [passverify-always-run-the-helper-to-obtain-shadow_pwd.patch, bsc#1232234, CVE-2024-10041] - Do not reject the user with a hash assuming it's non-empty. [pam_unix-allow-empty-passwords-with-non-empty-hashes.patch] Package patterns-base was updated: Package python-pyzmq was updated: - Prevent open files leak by closing sockets on timeout (bsc#1241624)- Added: * close-socket-on-timeout.patch Package salt was updated: - Fix aptpkg 'NoneType object has no attribute split' error- Detect openEuler as RedHat family OS - Ensure the correct crypt module is loaded - Implement multiple inventory for ansible.targets - Make x509 module compatible with M2Crypto 0.44.0 - Remove deprecated code from x509.certificate_managed test mode - Move logrotate config to /usr/etc/logrotate.d where possible - Add DEB822 apt repository format support - Make Salt-SSH work with all SSH passwords (bsc#1215484) - Fix issue of using update-alternatives with alts (#105) - Fix virt_query outputter and add support for block devices - Make _auth calls visible with master stats - Repair mount.fstab_present always returning pending changes - Set virtual grain in Podman systemd container - Fix crash due wrong client reference on `SaltMakoTemplateLookup` - Enhace batch async and fix some detected issues - Enhacement of Salt packaging * Use update-alternatives for all salt scripts * Use flexible dependencies for the subpackages * Make salt-minion to require flavored zypp-plugin * Make zyppnotify to use update-alternatives * Drop unused yumnotify plugin * Add dependency to python3-dnf-plugins-core for RHEL based - Fix tests failures after &quot;repo.saltproject.io&quot; deprecation - Fix error to stat '/root/.gitconfig' on gitfs (bsc#1230944) (bsc#1234881) (bsc#1220905) - Adapt to removal of hex attribute in pygit2 v1.15.0 (bsc#1230642) - Enhance smart JSON parsing when garbage is present (bsc#1231605) - Fix virtual grains for VMs running on Nutanix AHV (bsc#1234022) - Fix issues running on Python 3.12 and 3.13 - Added: * fix-deb822-nonetype-object-has-no-attribute-split-71.patch * detect-openeuler-as-redhat-family-os.patch * ensure-the-correct-crypt-module-is-loaded.patch * implement-multiple-inventory-for-ansible.targets.patch * make-x509-module-compatible-with-m2crypto-0.44.0.patch * remove-deprecated-code-from-x509.certificate_managed.patch * add-deb822-apt-source-format-support-692.patch * remove-password-from-shell-after-functional-text-mat.patch * repair-virt_query-outputter-655.patch * make-_auth-calls-visible-with-master-stats-696.patch * repair-fstab_present-test-mode-702.patch * set-virtual-grain-in-podman-systemd-container-703.patch * fixed-file-client-private-attribute-reference-on-sal.patch * backport-batch-async-fixes-and-improvements-701.patch * fix-tests-failures-after-repo.saltproject.io-depreca.patch * fix-failed-to-stat-root-.gitconfig-issue-on-gitfs-bs.patch * update-for-deprecation-of-hex-in-pygit2-1.15.0-and-a.patch * enhance-find_json-garbage-filtering-bsc-1231605-688.patch * fix-virtual-grains-for-vms-running-on-nutanix-ahv-bs.patch * fix-issues-that-break-salt-in-python-3.12-and-3.13-6.patch Package python3-setuptools was updated: - Add patch CVE-2025-47273.patch to fix A path traversal vulnerability. (bsc#1243313, CVE-2025-47273, gh#pypa/setuptools@250a6d17978f) Package samba was updated: - Fix Samba printers reporting invalid sid during print jobs; (bsc#1234210); (bso#15792). Package supportutils was updated: - Changes to version 3.2.10 + network.txt collect all firewalld zones (pr#233) + Collects gfs2 info (PED-11853, pr#235, pr#236) + Ignore tasks/threads to prevent collecting duplicate fd data in open_files (bsc#1230371, pr#237) + Added openldap2_5 support for SLES (pr#238) + Collects additional hawk details (pr#239) + Optimized filtering D/Z processes (pr#241) + Collect firewalld permanent configuration (pr#243) + ldap_info: support for multiple DBs and sanitize olcRootPW (bsc#1231838, pr#247) + Added dbus_info for dbus.txt (bsc#1222650, pr#248) - Changes to version 3.2.9 + Map running PIDs to RPM package owner aiding BPF program detection (bsc#1222896, bsc#1213291, PED-8221) + Supportconfig available in current distro (PED-7131) + Corrected display issues (bsc#1231396) + NFS takes too long, showmount times out (bsc#1231423) + Merged sle15 and master branches (bsc#1233726, PED-11669) Package timezone was updated: - Update to 2025b: * New zone for Aysén Region in Chile (America/Coyhaique) which moves from -04/-03 to -03 - Refresh patches * revert-philippines-historical-data.patch * tzdata-china.diff Package xen was updated: - Update to Xen 4.18.5 security bug fix release (bsc#1027519) xen-4.18.5-testing-src.tar.bz2 - Dropped patches contained in new tarball 658190ea-x86-non-BIGMEM-on-16Tb-systems.patch 66dedebf-x86-HVM-recursion-in-linear-rw.patch 67645902-libxg-increase-LZMA_BLOCK_SIZE.patch 6776dea1-x86-spec-ctrl-SRSO_U-S_NO-and-SRSO_MSR_FIX.patch 677bcb65-x86-traps-rework-LER-init-and.patch 677c1a7c-x86-AMD-misc-setup-for-Fam1A.patch 67921698-x86-HVM-MMIO-emul-cache-bounds-check.patch 67935a31-x86-HVM-dyn-alloc-emul-cache-ents.patch 67935a4c-x86-HVM-rw-split-at-page.patch 67977673-x86-IOMMU-check-CMPXCHG16B-when-enabling.patch 67977677-AMD-IOMMU-atomically-update-IRTE.patch 679796ff-x86-PV-further-harden-guest-mem-access.patch 67a5cb5f-radix-tree-purge-node-alloc-hooks.patch 67a5cb94-radix-tree-introduce-RADIX_TREE_INIT.patch 67acb684-x86-offline-APs-with-IRQs-disabled.patch 67acb685-x86-SMP-disable-IRQs-ahead-of-AP-shutdown.patch 67acb686-x86-PCI-disable-MSI-at-shutdown.patch 67acb687-x86-IOMMU-disable-IRQs-at-shutdown.patch 67b4961e-console-dont-truncate-panic-messages.patch 67b49d86-memory-resource_max_frames-retval.patch 67b5d27c-SVM-separate-STI-from-VMRUN.patch 67c06178-x86-IOMMU-bus-to-bridge-lock-acquired-IRQ-safe.patch 67c818d6-x86-PVH-dom0-correct-iomem_caps-bound.patch 67c818d8-x86-Dom0-relax-Interrupt-Address-Range.patch 67c86fc1-xl-fix-channel-configuration-setting.patch 67cb03e0-x86-vlapic-ESR-write-handling.patch 67d17edd-x86-expose-MSR_FAM10H_MMIO_CONF_BASE-on-AMD.patch 67d17ede-VT-x-PI-usage-of-msi_desc-msg-field.patch 67d2a3fe-libxl-avoid-infinite-loop-in-libxl__remove_directory.patch 67dada68-x86-mm-IS_ALIGNED-in-IS_LnE_ALIGNED.patch 67ea4268-x86-P2M-sync-fast-slow-p2m_get_page_from_gfn.patch 6800b54f-x86-HVM-update-repeat-count-upon.patch 68076044-x86emul-clip-rep-count-for-STOS.patch 6808f549-x86-Intel-work-around-MONITOR-MWAIT-errata.patch 68221f20-x86-alternative-when-feature-not-present.patch 68221f21-x86-guest-remove-Xen-hypercall_page.patch 68221f22-x86-misalign-__x86_indirect_thunk.patch 68221f23-x86-misalign-RETs-in-clear_bhb_loops.patch 68221f24-x86-stubs-introduce-place_ret.patch 68221f25-x86-build-with-Return-Thunks.patch 68221f26-x86-spec-ctrl-synthesise-ITS_NO.patch - Failed to boot with XEN kernel on DL580 Gen12 (bsc#1242490) 658190ea-x86-non-BIGMEM-on-16Tb-systems.patch - bsc#1243117 - VUL-0: CVE-2024-28956: xen: Intel CPU: Indirect Target Selection (ITS) (XSA-469) 68221f20-x86-alternative-when-feature-not-present.patch 68221f21-x86-guest-remove-Xen-hypercall_page.patch 68221f22-x86-misalign-__x86_indirect_thunk.patch 68221f23-x86-misalign-RETs-in-clear_bhb_loops.patch 68221f24-x86-stubs-introduce-place_ret.patch 68221f25-x86-build-with-Return-Thunks.patch 68221f26-x86-spec-ctrl-synthesise-ITS_NO.patch - Upstream bug fixes (bsc#1027519) 67c818d6-x86-PVH-dom0-correct-iomem_caps-bound.patch 67c818d8-x86-Dom0-relax-Interrupt-Address-Range.patch 67dada68-x86-mm-IS_ALIGNED-in-IS_LnE_ALIGNED.patch 67ea4268-x86-P2M-sync-fast-slow-p2m_get_page_from_gfn.patch 67f8ecda-rangeset-incorrect-subtraction.patch 6800b54f-x86-HVM-update-repeat-count-upon.patch 68076044-x86emul-clip-rep-count-for-STOS.patch 6808f549-x86-Intel-work-around-MONITOR-MWAIT-errata.patch Package zypper was updated: - Updated translations (bsc#1230267)- version 1.14.89 - Do not double encode URL strings passed on the commandline (bsc#1237587) URLs passed on the commandline must have their special chars encoded already. We just want to check and encode forgotten unsafe chars like a blank. A '%' however must not be encoded again. - version 1.14.88 - Package preloader that concurrently downloads files. It's not yet enabled per default. To enable the preview set ZYPP_CURL2=1 and ZYPP_PCK_PRELOAD=1 in the environment. (#104) - BuildRequires: libzypp-devel &gt;= 17.36.4. - version 1.14.87 - refresh: add --include-all-archs (fixes #598) Future multi-arch repos may allow to download only those metadata which refer to packages actually compatible with the systems architecture. Some tools however want zypp to provide the full metadata of a repository without filtering incompatible architectures. - info,search: add option to search and list Enhances (bsc#1237949) - version 1.14.86 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sle-hpc-15-sp6-byos-v20250609-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2 apparmor-parser-3.1.7-150600.5.9.1 augeas-1.14.1-150600.3.3.1 augeas-lenses-1.14.1-150600.3.3.1 ca-certificates-mozilla-2.74-150200.41.1 cifs-utils-6.15-150400.3.12.1 cloud-netconfig-gce-1.15-150000.25.26.1 cloud-regionsrv-client-10.4.0-150300.13.22.2 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.22.2 containerd-1.7.27-150000.123.1 device-mapper-2.03.22_1.02.196-150600.3.6.1 glib2-tools-2.78.6-150600.4.11.1 glibc-2.38-150600.14.32.1 glibc-32bit-2.38-150600.14.32.1 glibc-devel-2.38-150600.14.32.1 glibc-i18ndata-2.38-150600.14.32.1 glibc-locale-2.38-150600.14.32.1 glibc-locale-base-2.38-150600.14.32.1 google-guest-agent-20250506.01-150000.1.63.1 google-guest-oslogin-20240311.00-150000.1.50.1 grub2-2.12-150600.8.27.1 grub2-i386-pc-2.12-150600.8.27.1 grub2-x86_64-efi-2.12-150600.8.27.1 hwinfo-21.88-150500.3.9.2 iproute2-6.4-150600.7.6.1 iputils-20221126-150500.3.11.1 kbd-2.4.0-150400.5.9.1 kbd-legacy-2.4.0-150400.5.9.1 kernel-default-6.4.0-150600.23.50.1 krb5-1.20.1-150600.11.11.2 krb5-client-1.20.1-150600.11.11.2 libapparmor1-3.1.7-150600.5.9.1 libaugeas0-1.14.1-150600.3.3.1 libdevmapper-event1_03-2.03.22_1.02.196-150600.3.6.1 libdevmapper1_03-2.03.22_1.02.196-150600.3.6.1 libexpat1-2.7.1-150400.3.28.1 libfa1-1.14.1-150600.3.3.1 libfreetype6-2.10.4-150000.4.22.1 libgcrypt20-1.10.3-150600.3.6.1 libgio-2_0-0-2.78.6-150600.4.11.1 libglib-2_0-0-2.78.6-150600.4.11.1 libgmodule-2_0-0-2.78.6-150600.4.11.1 libgobject-2_0-0-2.78.6-150600.4.11.1 liblvm2cmd2_03-2.03.22-150600.3.6.1 libncurses6-6.1-150000.5.30.1 libopenssl3-3.1.4-150600.5.27.1 librdkafka1-0.11.6-150600.16.3.1 libruby2_5-2_5-2.5.9-150000.4.41.1 libsolv-tools-base-0.7.32-150600.8.10.1 libsqlite3-0-3.49.1-150000.3.27.1 libsystemd0-254.24-150600.4.33.1 libudev1-254.24-150600.4.33.1 libxml2-2-2.10.3-150500.5.26.1 libzypp-17.36.7-150600.3.53.1 lvm2-2.03.22-150600.3.6.1 ncurses-utils-6.1-150000.5.30.1 nscd-2.38-150600.14.32.1 nvme-cli-2.8+88.g21612f53-150600.3.15.1 openssh-9.6p1-150600.6.26.1 openssh-clients-9.6p1-150600.6.26.1 openssh-common-9.6p1-150600.6.26.1 openssh-server-9.6p1-150600.6.26.1 openssl-3-3.1.4-150600.5.27.1 pam-1.3.0-150000.6.76.1 patterns-base-basesystem-20200124-150600.32.6.1 patterns-base-minimal_base-20200124-150600.32.6.1 pkg-config-0.29.2-150600.15.6.3 python3-pyzmq-17.1.2-150000.3.8.1 python3-salt-3006.0-150500.4.50.3 python3-setuptools-44.1.1-150400.9.12.1 python3-solv-0.7.32-150600.8.10.1 ruby-solv-0.7.32-150600.8.10.1 ruby2.5-2.5.9-150000.4.41.1 ruby2.5-stdlib-2.5.9-150000.4.41.1 salt-3006.0-150500.4.50.3 salt-minion-3006.0-150500.4.50.3 samba-client-libs-4.19.8+git.422.34307c5a3aa-150600.3.15.1 sqlite3-tcl-3.49.1-150000.3.27.1 supportutils-3.2.10-150600.3.6.5 systemd-254.24-150600.4.33.1 systemd-sysvcompat-254.24-150600.4.33.1 terminfo-6.1-150000.5.30.1 terminfo-base-6.1-150000.5.30.1 timezone-2025b-150600.91.6.2 udev-254.24-150600.4.33.1 xen-libs-4.18.5_02-150600.3.23.1 zypper-1.14.89-150600.10.31.1 aaa_base-84.87+git20180409.04c9dae-150300.10.28.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 aaa_base-extras-84.87+git20180409.04c9dae-150300.10.28.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 apparmor-parser-3.1.7-150600.5.9.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 augeas-1.14.1-150600.3.3.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 augeas-lenses-1.14.1-150600.3.3.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 ca-certificates-mozilla-2.74-150200.41.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 cifs-utils-6.15-150400.3.12.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 cloud-netconfig-gce-1.15-150000.25.26.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 cloud-regionsrv-client-10.4.0-150300.13.22.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.22.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 containerd-1.7.27-150000.123.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 device-mapper-2.03.22_1.02.196-150600.3.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 glib2-tools-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 glibc-2.38-150600.14.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 glibc-32bit-2.38-150600.14.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 glibc-devel-2.38-150600.14.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 glibc-i18ndata-2.38-150600.14.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 glibc-locale-2.38-150600.14.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 glibc-locale-base-2.38-150600.14.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 google-guest-agent-20250506.01-150000.1.63.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 google-guest-oslogin-20240311.00-150000.1.50.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 grub2-2.12-150600.8.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 grub2-i386-pc-2.12-150600.8.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 grub2-x86_64-efi-2.12-150600.8.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 hwinfo-21.88-150500.3.9.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 iproute2-6.4-150600.7.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 iputils-20221126-150500.3.11.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 kbd-2.4.0-150400.5.9.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 kbd-legacy-2.4.0-150400.5.9.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 kernel-default-6.4.0-150600.23.50.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 krb5-1.20.1-150600.11.11.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 krb5-client-1.20.1-150600.11.11.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libapparmor1-3.1.7-150600.5.9.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libaugeas0-1.14.1-150600.3.3.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libdevmapper-event1_03-2.03.22_1.02.196-150600.3.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libdevmapper1_03-2.03.22_1.02.196-150600.3.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libexpat1-2.7.1-150400.3.28.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libfa1-1.14.1-150600.3.3.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libfreetype6-2.10.4-150000.4.22.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libgcrypt20-1.10.3-150600.3.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libgio-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libglib-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libgmodule-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libgobject-2_0-0-2.78.6-150600.4.11.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 liblvm2cmd2_03-2.03.22-150600.3.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libncurses6-6.1-150000.5.30.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libopenssl3-3.1.4-150600.5.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 librdkafka1-0.11.6-150600.16.3.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libruby2_5-2_5-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libsolv-tools-base-0.7.32-150600.8.10.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libsqlite3-0-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libsystemd0-254.24-150600.4.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libudev1-254.24-150600.4.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libxml2-2-2.10.3-150500.5.26.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 libzypp-17.36.7-150600.3.53.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 lvm2-2.03.22-150600.3.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 ncurses-utils-6.1-150000.5.30.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 nscd-2.38-150600.14.32.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 nvme-cli-2.8+88.g21612f53-150600.3.15.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 openssh-9.6p1-150600.6.26.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 openssh-clients-9.6p1-150600.6.26.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 openssh-common-9.6p1-150600.6.26.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 openssh-server-9.6p1-150600.6.26.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 openssl-3-3.1.4-150600.5.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 pam-1.3.0-150000.6.76.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 patterns-base-basesystem-20200124-150600.32.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 patterns-base-minimal_base-20200124-150600.32.6.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 pkg-config-0.29.2-150600.15.6.3 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 python3-pyzmq-17.1.2-150000.3.8.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 python3-salt-3006.0-150500.4.50.3 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 python3-setuptools-44.1.1-150400.9.12.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 python3-solv-0.7.32-150600.8.10.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 ruby-solv-0.7.32-150600.8.10.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 ruby2.5-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 ruby2.5-stdlib-2.5.9-150000.4.41.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 salt-3006.0-150500.4.50.3 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 salt-minion-3006.0-150500.4.50.3 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 samba-client-libs-4.19.8+git.422.34307c5a3aa-150600.3.15.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 sqlite3-tcl-3.49.1-150000.3.27.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 supportutils-3.2.10-150600.3.6.5 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 systemd-254.24-150600.4.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 systemd-sysvcompat-254.24-150600.4.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 terminfo-6.1-150000.5.30.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 terminfo-base-6.1-150000.5.30.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 timezone-2025b-150600.91.6.2 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 udev-254.24-150600.4.33.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 xen-libs-4.18.5_02-150600.3.23.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 zypper-1.14.89-150600.10.31.1 as a component of Public Cloud Image google/sle-hpc-15-sp6-byos-v20250609-x86-64 xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. CVE-2022-25235 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVE-2022-25236 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. CVE-2022-25313 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. CVE-2022-25314 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. CVE-2022-25315 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. CVE-2022-40674 important In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. CVE-2022-43680 important libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 moderate In the Linux kernel, the following vulnerability has been resolved: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and size. This would make xlate_pos negative. [ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 [ 23.734158] ================================================================================ [ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 [ 23.734418] shift exponent -1 is negative Ensuring xlate_pos is a positive or zero before BIT. CVE-2023-53034 moderate A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. CVE-2024-10041 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs referencing the same nf_conn entry, which will happen for multicast (broadcast) frames on bridges. Example: macvlan0 | br0 / \ ethX ethY ethX (or Y) receives a L2 multicast or broadcast packet containing an IP packet, flow is not yet in conntrack table. 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. -> skb->_nfct now references a unconfirmed entry 2. skb is broad/mcast packet. bridge now passes clones out on each bridge interface. 3. skb gets passed up the stack. 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb and schedules a work queue to send them out on the lower devices. The clone skb->_nfct is not a copy, it is the same entry as the original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. The Macvlan broadcast worker and normal confirm path will race. This race will not happen if step 2 already confirmed a clone. In that case later steps perform skb_clone() with skb->_nfct already confirmed (in hash table). This works fine. But such confirmation won't happen when eb/ip/nftables rules dropped the packets before they reached the nf_confirm step in postrouting. Pablo points out that nf_conntrack_bridge doesn't allow use of stateful nat, so we can safely discard the nf_conn entry and let inet call conntrack again. This doesn't work for bridge netfilter: skb could have a nat transformation. Also bridge nf prevents re-invocation of inet prerouting via 'sabotage_in' hook. Work around this problem by explicit confirmation of the entry at LOCAL_IN time, before upper layer has a chance to clone the unconfirmed entry. The downside is that this disables NAT and conntrack helpers. Alternative fix would be to add locking to all code parts that deal with unconfirmed packets, but even if that could be done in a sane way this opens up other problems, for example: -m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4 -m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5 For multicast case, only one of such conflicting mappings will be created, conntrack only handles 1:1 NAT mappings. Users should set create a setup that explicitly marks such traffic NOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass them, ruleset might have accept rules for untracked traffic already, so user-visible behaviour would change. CVE-2024-27415 moderate libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). CVE-2024-28757 important Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2024-28956 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option() CVE-2024-35840 moderate containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVE-2024-40635 moderate An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVE-2024-45490 moderate An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45491 moderate An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVE-2024-45492 moderate In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) </IRQ> do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated--- CVE-2024-46763 moderate An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." CVE-2024-47220 important In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid NFPROTO_UNSPEC where needed syzbot managed to call xt_cluster match via ebtables: WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 [..] ebt_do_table+0x174b/0x2a40 Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet processing. As this is only useful to restrict locally terminating TCP/UDP traffic, register this for ipv4 and ipv6 family only. Pablo points out that this is a general issue, direct users of the set/getsockopt interface can call into targets/matches that were only intended for use with ip(6)tables. Check all UNSPEC matches and targets for similar issues: - matches and targets are fine except if they assume skb_network_header() is valid -- this is only true when called from inet layer: ip(6) stack pulls the ip/ipv6 header into linear data area. - targets that return XT_CONTINUE or other xtables verdicts must be restricted too, they are incompatbile with the ebtables traverser, e.g. EBT_CONTINUE is a completely different value than XT_CONTINUE. Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as they are provided for use by ip(6)tables. The MARK target is also used by arptables, so register for NFPROTO_ARP too. While at it, bail out if connbytes fails to enable the corresponding conntrack family. This change passes the selftests in iptables.git. CVE-2024-50038 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: fix mptcp DSS corruption due to large pmtu xmit Syzkaller was able to trigger a DSS corruption: TCP: request_sock_subflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Modules linked in: CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__mptcp_move_skbs_from_subflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff RSP: 0018:ffffc90000006db8 EFLAGS: 00010246 RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00 RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0 RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8 R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000 R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5 FS: 000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> move_skbs_to_msk net/mptcp/protocol.c:811 [inline] mptcp_data_ready+0x29c/0xa90 net/mptcp/protocol.c:854 subflow_data_ready+0x34a/0x920 net/mptcp/subflow.c:1490 tcp_data_queue+0x20fd/0x76c0 net/ipv4/tcp_input.c:5283 tcp_rcv_established+0xfba/0x2020 net/ipv4/tcp_input.c:6237 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2350 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5662 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6107 __napi_poll+0xcb/0x490 net/core/dev.c:6771 napi_poll net/core/dev.c:6840 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6962 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 do_softirq+0x11b/0x1e0 kernel/softirq.c:455 </IRQ> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x1764/0x3e80 net/core/dev.c:4451 dev_queue_xmit include/linux/netdevice.h:3094 [inline] neigh_hh_output include/net/neighbour.h:526 [inline] neigh_output include/net/neighbour.h:540 [inline] ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236 ip_local_out net/ipv4/ip_output.c:130 [inline] __ip_queue_xmit+0x118c/0x1b80 net/ipv4/ip_output.c:536 __tcp_transmit_skb+0x2544/0x3b30 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_mtu_probe net/ipv4/tcp_output.c:2547 [inline] tcp_write_xmit+0x641d/0x6bf0 net/ipv4/tcp_output.c:2752 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3015 tcp_push_pending_frames include/net/tcp.h:2107 [inline] tcp_data_snd_check net/ipv4/tcp_input.c:5714 [inline] tcp_rcv_established+0x1026/0x2020 net/ipv4/tcp_input.c:6239 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1915 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x214/0x350 net/core/sock.c:3072 release_sock+0x61/0x1f0 net/core/sock.c:3626 mptcp_push_ ---truncated--- CVE-2024-50083 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: devmap: provide rxq after redirect rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* does not have it set. This is particularly bad since accessing ingress_ifindex, e.g. SEC("xdp") int prog(struct xdp_md *pkt) { return bpf_redirect_map(&dev_redirect_map, 0, 0); } SEC("xdp/devmap") int prog_after_redirect(struct xdp_md *pkt) { bpf_printk("ifindex %i", pkt->ingress_ifindex); return XDP_PASS; } depends on access to rxq, so a NULL pointer gets dereferenced: <1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 <1>[ 574.475188] #PF: supervisor read access in kernel mode <1>[ 574.475194] #PF: error_code(0x0000) - not-present page <6>[ 574.475199] PGD 0 P4D 0 <4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI <4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 <4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 <4>[ 574.475231] Workqueue: mld mld_ifc_work <4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c <4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b <4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 <4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 <4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 <4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 <4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 <4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 <4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 <4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 <4>[ 574.475303] PKRU: 55555554 <4>[ 574.475306] Call Trace: <4>[ 574.475313] <IRQ> <4>[ 574.475318] ? __die+0x23/0x70 <4>[ 574.475329] ? page_fault_oops+0x180/0x4c0 <4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490 <4>[ 574.475346] ? kmem_cache_free+0x257/0x280 <4>[ 574.475357] ? exc_page_fault+0x67/0x150 <4>[ 574.475368] ? asm_exc_page_fault+0x26/0x30 <4>[ 574.475381] ? bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c <4>[ 574.475386] bq_xmit_all+0x158/0x420 <4>[ 574.475397] __dev_flush+0x30/0x90 <4>[ 574.475407] veth_poll+0x216/0x250 [veth] <4>[ 574.475421] __napi_poll+0x28/0x1c0 <4>[ 574.475430] net_rx_action+0x32d/0x3a0 <4>[ 574.475441] handle_softirqs+0xcb/0x2c0 <4>[ 574.475451] do_softirq+0x40/0x60 <4>[ 574.475458] </IRQ> <4>[ 574.475461] <TASK> <4>[ 574.475464] __local_bh_enable_ip+0x66/0x70 <4>[ 574.475471] __dev_queue_xmit+0x268/0xe40 <4>[ 574.475480] ? selinux_ip_postroute+0x213/0x420 <4>[ 574.475491] ? alloc_skb_with_frags+0x4a/0x1d0 <4>[ 574.475502] ip6_finish_output2+0x2be/0x640 <4>[ 574.475512] ? nf_hook_slow+0x42/0xf0 <4>[ 574.475521] ip6_finish_output+0x194/0x300 <4>[ 574.475529] ? __pfx_ip6_finish_output+0x10/0x10 <4>[ 574.475538] mld_sendpack+0x17c/0x240 <4>[ 574.475548] mld_ifc_work+0x192/0x410 <4>[ 574.475557] process_one_work+0x15d/0x380 <4>[ 574.475566] worker_thread+0x29d/0x3a0 <4>[ 574.475573] ? __pfx_worker_thread+0x10/0x10 <4>[ 574.475580] ? __pfx_worker_thread+0x10/0x10 <4>[ 574.475587] kthread+0xcd/0x100 <4>[ 574.475597] ? __pfx_kthread+0x10/0x10 <4>[ 574.475606] ret_from_fork+0x31/0x50 <4>[ 574.475615] ? __pfx_kthread+0x10/0x10 <4>[ 574.475623] ret_from_fork_asm+0x1a/0x ---truncated--- CVE-2024-50162 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap The bpf_redirect_info is shared between the SKB and XDP redirect paths, and the two paths use the same numeric flag values in the ri->flags field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that if skb bpf_redirect_neigh() is used with a non-NULL params argument and, subsequently, an XDP redirect is performed using the same bpf_redirect_info struct, the XDP path will get confused and end up crashing, which syzbot managed to trigger. With the stack-allocated bpf_redirect_info, the structure is no longer shared between the SKB and XDP paths, so the crash doesn't happen anymore. However, different code paths using identically-numbered flag values in the same struct field still seems like a bit of a mess, so this patch cleans that up by moving the flag definitions together and redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make sure the overlap is not re-introduced by mistake. CVE-2024-50163 moderate An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. CVE-2024-50602 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix data-races around sk->sk_forward_alloc Syzkaller reported this warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:inet_sock_destruct+0x1c5/0x1e0 Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00 RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007 RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00 RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007 R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00 R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78 FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x88/0x130 ? inet_sock_destruct+0x1c5/0x1e0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x1c5/0x1e0 __sk_destruct+0x2a/0x200 rcu_do_batch+0x1aa/0x530 ? rcu_do_batch+0x13b/0x530 rcu_core+0x159/0x2f0 handle_softirqs+0xd3/0x2b0 ? __pfx_smpboot_thread_fn+0x10/0x10 run_ksoftirqd+0x25/0x30 smpboot_thread_fn+0xdd/0x1d0 kthread+0xd3/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv tcp_v6_do_rcv skb_clone_and_charge_r sk_rmem_schedule __sk_mem_schedule sk_forward_alloc_add() skb_set_owner_r sk_mem_charge sk_forward_alloc_add() __kfree_skb skb_release_all skb_release_head_state sock_rfree sk_mem_uncharge sk_forward_alloc_add() sk_mem_reclaim // set local var reclaimable __sk_mem_reclaim sk_forward_alloc_add() In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this: (cpu 1) | (cpu 2) | sk_forward_alloc ... | ... | 0 __sk_mem_schedule() | | +4096 = 4096 | __sk_mem_schedule() | +4096 = 8192 sk_mem_charge() | | -768 = 7424 | sk_mem_charge() | -768 = 6656 ... | ... | sk_mem_uncharge() | | +768 = 7424 reclaimable=7424 | | | sk_mem_uncharge() | +768 = 8192 | reclaimable=8192 | __sk_mem_reclaim() | | -4096 = 4096 | __sk_mem_reclaim() | -8192 = -4096 != 0 The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). Fix the same issue in dccp_v6_do_rcv(). CVE-2024-53124 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: fix possible UAF in sctp_v6_available() A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints that sctp_v6_available() is calling dev_get_by_index_rcu() and ipv6_chk_addr() without holding rcu. [1] ============================= WARNING: suspicious RCU usage 6.12.0-rc5-virtme #1216 Tainted: G W ----------------------------- net/core/dev.c:876 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by sctp_hello/31495: #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp stack backtrace: CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7)) sctp_v6_available (net/sctp/ipv6.c:701) sctp sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp sctp_bind (net/sctp/socket.c:320) sctp inet6_bind_sk (net/ipv6/af_inet6.c:465) ? security_socket_bind (security/security.c:4581 (discriminator 1)) __sys_bind (net/socket.c:1848 net/socket.c:1869) ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340) ? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13)) __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1)) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f59b934a1e7 Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48 All code ======== 0: 44 00 00 add %r8b,(%rax) 3: 48 8b 15 39 8c 0c 00 mov 0xc8c39(%rip),%rdx # 0xc8c43 a: f7 d8 neg %eax c: 64 89 02 mov %eax,%fs:(%rdx) f: b8 ff ff ff ff mov $0xffffffff,%eax 14: eb bd jmp 0xffffffffffffffd3 16: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 1d: 00 00 00 20: 0f 1f 00 nopl (%rax) 23: b8 31 00 00 00 mov $0x31,%eax 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 ret 33: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c43 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 ret 9: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c19 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031 RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7 RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000 R10: 00007f59b9253298 R11: 000000000000 ---truncated--- CVE-2024-53139 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: initialize close_work early to avoid warning We encountered a warning that close_work was canceled before initialization. WARNING: CPU: 7 PID: 111103 at kernel/workqueue.c:3047 __flush_work+0x19e/0x1b0 Workqueue: events smc_lgr_terminate_work [smc] RIP: 0010:__flush_work+0x19e/0x1b0 Call Trace: ? __wake_up_common+0x7a/0x190 ? work_busy+0x80/0x80 __cancel_work_timer+0xe3/0x160 smc_close_cancel_work+0x1a/0x70 [smc] smc_close_active_abort+0x207/0x360 [smc] __smc_lgr_terminate.part.38+0xc8/0x180 [smc] process_one_work+0x19e/0x340 worker_thread+0x30/0x370 ? process_one_work+0x340/0x340 kthread+0x117/0x130 ? __kthread_cancel_work+0x50/0x50 ret_from_fork+0x22/0x30 This is because when smc_close_cancel_work is triggered, e.g. the RDMA driver is rmmod and the LGR is terminated, the conn->close_work is flushed before initialization, resulting in WARN_ON(!work->func). __smc_lgr_terminate | smc_connect_{rdma|ism} ------------------------------------------------------------- | smc_conn_create | \- smc_lgr_register_conn for conn in lgr->conns_all | \- smc_conn_kill | \- smc_close_active_abort | \- smc_close_cancel_work | \- cancel_work_sync | \- __flush_work | (close_work) | | smc_close_init | \- INIT_WORK(&close_work) So fix this by initializing close_work before establishing the connection. CVE-2024-56641 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Mark raw_tp arguments with PTR_MAYBE_NULL Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0]. Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel. To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment. The reason we do mask_raw_tp_trusted_reg logic is because other will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag. To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL. While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now. It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later. Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereference a raw tracepoint argument marked as __nullable. [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb CVE-2024-56702 moderate In the Linux kernel, the following vulnerability has been resolved: fs: relax assertions on failure to encode file handles Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6. CVE-2024-57924 moderate In the Linux kernel, the following vulnerability has been resolved: OPP: add index check to assert to avoid buffer overflow in _read_freq() Pass the freq index to the assert function to make sure we do not read a freq out of the opp->rates[] table when called from the indexed variants: dev_pm_opp_find_freq_exact_indexed() or dev_pm_opp_find_freq_ceil/floor_indexed(). Add a secondary parameter to the assert function, unused for assert_single_clk() then add assert_clk_index() which will check for the clock index when called from the _indexed() find functions. CVE-2024-57998 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: handle a symlink read error correctly Patch series "Convert ocfs2 to use folios". Mark did a conversion of ocfs2 to use folios and sent it to me as a giant patch for review ;-) So I've redone it as individual patches, and credited Mark for the patches where his code is substantially the same. It's not a bad way to do it; his patch had some bugs and my patches had some bugs. Hopefully all our bugs were different from each other. And hopefully Mark likes all the changes I made to his code! This patch (of 23): If we can't read the buffer, be sure to unlock the page before returning. CVE-2024-58001 low In the Linux kernel, the following vulnerability has been resolved: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized If a driver calls dev_pm_opp_find_bw_ceil/floor() the retrieve bandwidth from the OPP table but the bandwidth table was not created because the interconnect properties were missing in the OPP consumer node, the kernel will crash with: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 ... pc : _read_bw+0x8/0x10 lr : _opp_table_find_key+0x9c/0x174 ... Call trace: _read_bw+0x8/0x10 (P) _opp_table_find_key+0x9c/0x174 (L) _find_key+0x98/0x168 dev_pm_opp_find_bw_ceil+0x50/0x88 ... In order to fix the crash, create an assert function to check if the bandwidth table was created before trying to get a bandwidth with _read_bw(). CVE-2024-58068 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT is enabled. [ 35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs [ 35.118569] preempt_count: 1, expected: 0 [ 35.118571] RCU nest depth: 1, expected: 1 [ 35.118577] INFO: lockdep is turned off. ... [ 35.118647] __might_resched+0x433/0x5b0 [ 35.118677] rt_spin_lock+0xc3/0x290 [ 35.118700] ___slab_alloc+0x72/0xc40 [ 35.118723] __kmalloc_noprof+0x13f/0x4e0 [ 35.118732] bpf_map_kzalloc+0xe5/0x220 [ 35.118740] bpf_selem_alloc+0x1d2/0x7b0 [ 35.118755] bpf_local_storage_update+0x2fa/0x8b0 [ 35.118784] bpf_sk_storage_get_tracing+0x15a/0x1d0 [ 35.118791] bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66 [ 35.118795] bpf_trace_run3+0x222/0x400 [ 35.118820] __bpf_trace_inet_sock_set_state+0x11/0x20 [ 35.118824] trace_inet_sock_set_state+0x112/0x130 [ 35.118830] inet_sk_state_store+0x41/0x90 [ 35.118836] tcp_set_state+0x3b3/0x640 There is no need to adjust the gfp_flags passing to the bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL. The verifier has ensured GFP_KERNEL is passed only in sleepable context. It has been an old issue since the first introduction of the bpf_local_storage ~5 years ago, so this patch targets the bpf-next. bpf_mem_alloc is needed to solve it, so the Fixes tag is set to the commit when bpf_mem_alloc was first used in the bpf_local_storage. CVE-2024-58070 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix deadlock when freeing cgroup storage The following commit bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]") first introduced deadlock prevention for fentry/fexit programs attaching on bpf_task_storage helpers. That commit also employed the logic in map free path in its v6 version. Later bpf_cgrp_storage was first introduced in c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs") which faces the same issue as bpf_task_storage, instead of its busy counter, NULL was passed to bpf_local_storage_map_free() which opened a window to cause deadlock: <TASK> (acquiring local_storage->lock) _raw_spin_lock_irqsave+0x3d/0x50 bpf_local_storage_update+0xd1/0x460 bpf_cgrp_storage_get+0x109/0x130 bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170 ? __bpf_prog_enter_recur+0x16/0x80 bpf_trampoline_6442485186+0x43/0xa4 cgroup_storage_ptr+0x9/0x20 (holding local_storage->lock) bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160 bpf_selem_unlink_storage+0x6f/0x110 bpf_local_storage_map_free+0xa2/0x110 bpf_map_free_deferred+0x5b/0x90 process_one_work+0x17c/0x390 worker_thread+0x251/0x360 kthread+0xd2/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30 </TASK> Progs: - A: SEC("fentry/cgroup_storage_ptr") - cgid (BPF_MAP_TYPE_HASH) Record the id of the cgroup the current task belonging to in this hash map, using the address of the cgroup as the map key. - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE) If current task is a kworker, lookup the above hash map using function parameter @owner as the key to get its corresponding cgroup id which is then used to get a trusted pointer to the cgroup through bpf_cgroup_from_id(). This trusted pointer can then be passed to bpf_cgrp_storage_get() to finally trigger the deadlock issue. - B: SEC("tp_btf/sys_enter") - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE) The only purpose of this prog is to fill Prog A's hash map by calling bpf_cgrp_storage_get() for as many userspace tasks as possible. Steps to reproduce: - Run A; - while (true) { Run B; Destroy B; } Fix this issue by passing its busy counter to the free procedure so it can be properly incremented before storage/smap locking. CVE-2024-58088 moderate In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Fix link state exit during switch upstream function removal Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed. That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after. After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link. That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports. The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order. On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone. [kwilczynski: commit log] CVE-2024-58093 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: add check read-only before truncation in jfs_truncate_nolock() Added a check for "read-only" mode in the `jfs_truncate_nolock` function to avoid errors related to writing to a read-only filesystem. Call stack: block_write_begin() { jfs_write_failed() { jfs_truncate() { jfs_truncate_nolock() { txEnd() { ... log = JFS_SBI(tblk->sb)->log; // (log == NULL) If the `isReadOnly(ip)` condition is triggered in `jfs_truncate_nolock`, the function execution will stop, and no further data modification will occur. Instead, the `xtTruncate` function will be called with the "COMMIT_WMAP" flag, preventing modifications in "read-only" mode. CVE-2024-58094 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: add check read-only before txBeginAnon() call Added a read-only check before calling `txBeginAnon` in `extAlloc` and `extRecord`. This prevents modification attempts on a read-only mounted filesystem, avoiding potential errors or crashes. Call trace: txBeginAnon+0xac/0x154 extAlloc+0xe8/0xdec fs/jfs/jfs_extent.c:78 jfs_get_block+0x340/0xb98 fs/jfs/inode.c:248 __block_write_begin_int+0x580/0x166c fs/buffer.c:2128 __block_write_begin fs/buffer.c:2177 [inline] block_write_begin+0x98/0x11c fs/buffer.c:2236 jfs_write_begin+0x44/0x88 fs/jfs/inode.c:299 CVE-2024-58095 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode ath11k_hal_srng_* should be used with srng->lock to protect srng data. For ath11k_dp_rx_mon_dest_process() and ath11k_dp_full_mon_process_rx(), they use ath11k_hal_srng_* for many times but never call srng->lock. So when running (full) monitor mode, warning will occur: RIP: 0010:ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k] Call Trace: ? ath11k_hal_srng_dst_peek+0x18/0x30 [ath11k] ath11k_dp_rx_process_mon_status+0xc45/0x1190 [ath11k] ? idr_alloc_u32+0x97/0xd0 ath11k_dp_rx_process_mon_rings+0x32a/0x550 [ath11k] ath11k_dp_service_srng+0x289/0x5a0 [ath11k] ath11k_pcic_ext_grp_napi_poll+0x30/0xd0 [ath11k] __napi_poll+0x30/0x1f0 net_rx_action+0x198/0x320 __do_softirq+0xdd/0x319 So add srng->lock for them to avoid such warnings. Inorder to fetch the srng->lock, should change srng's definition from 'void' to 'struct hal_srng'. And initialize them elsewhere to prevent one line of code from being too long. This is consistent with other ring process functions, such as ath11k_dp_process_rx(). Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 CVE-2024-58096 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix RCU stall while reaping monitor destination ring While processing the monitor destination ring, MSDUs are reaped from the link descriptor based on the corresponding buf_id. However, sometimes the driver cannot obtain a valid buffer corresponding to the buf_id received from the hardware. This causes an infinite loop in the destination processing, resulting in a kernel crash. kernel log: ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309 ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309 ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed Fix this by skipping the problematic buf_id and reaping the next entry, replacing the break with the next MSDU processing. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 CVE-2024-58097 moderate A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVE-2024-8176 important In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_sk_select_reuseport() memory leak As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb does not imply a non-refcounted socket. Drop sk's reference in both error paths. unreferenced object 0xffff888101911800 (size 2048): comm "test_progs", pid 44109, jiffies 4297131437 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 9336483b): __kmalloc_noprof+0x3bf/0x560 __reuseport_alloc+0x1d/0x40 reuseport_alloc+0xca/0x150 reuseport_attach_prog+0x87/0x140 sk_reuseport_attach_bpf+0xc8/0x100 sk_setsockopt+0x1181/0x1990 do_sock_setsockopt+0x12b/0x160 __sys_setsockopt+0x7b/0xc0 __x64_sys_setsockopt+0x1b/0x30 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21683 low In the Linux kernel, the following vulnerability has been resolved: mm: clear uffd-wp PTE/PMD state on mremap() When mremap()ing a memory region previously registered with userfaultfd as write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in flag clearing leads to a mismatch between the vma flags (which have uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to trigger a warning in page_table_check_pte_flags() due to setting the pte to writable while uffd-wp is still set. Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any such mremap() so that the values are consistent with the existing clearing of VM_UFFD_WP. Be careful to clear the logical flag regardless of its physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE, huge PMD and hugetlb paths. CVE-2025-21696 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: consolidate suboption status MPTCP maintains the received sub-options status is the bitmask carrying the received suboptions and in several bitfields carrying per suboption additional info. Zeroing the bitmask before parsing is not enough to ensure a consistent status, and the MPTCP code has to additionally clear some bitfiled depending on the actually parsed suboption. The above schema is fragile, and syzbot managed to trigger a path where a relevant bitfield is not cleared/initialized: BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline] BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline] BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline] BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209 __mptcp_expand_seq net/mptcp/options.c:1030 [inline] mptcp_expand_seq net/mptcp/protocol.h:864 [inline] ack_update_msk net/mptcp/options.c:1060 [inline] mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209 tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233 tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264 tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916 tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:460 [inline] ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447 NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567 __netif_receive_skb_one_core net/core/dev.c:5704 [inline] __netif_receive_skb+0x319/0xa00 net/core/dev.c:5817 process_backlog+0x4ad/0xa50 net/core/dev.c:6149 __napi_poll+0xe7/0x980 net/core/dev.c:6902 napi_poll net/core/dev.c:6971 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561 __do_softirq+0x14/0x1a kernel/softirq.c:595 do_softirq+0x9a/0x100 kernel/softirq.c:462 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236 __ip_finish_output+0x287/0x810 ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434 dst_output include/net/dst.h:450 [inline] ip_local_out net/ipv4/ip_output.c:130 [inline] __ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536 ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550 __tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468 tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline] tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829 __tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012 tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618 __tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130 __mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496 mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550 mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline] mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline] mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline] mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] ---truncated--- CVE-2025-21707 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211_conn_work [cfg80211] RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace: <TASK> ? show_regs+0x61/0x73 ? __die_body+0x20/0x73 ? die_addr+0x4f/0x7b ? exc_general_protection+0x191/0x1db ? asm_exc_general_protection+0x27/0x30 ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core] ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core] ? do_raw_spin_lock+0x75/0xdb ? __pfx_do_raw_spin_lock+0x10/0x10 rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core] ? _raw_spin_unlock+0xe/0x24 ? __mutex_lock.constprop.0+0x40c/0x471 ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core] ? __mutex_lock_slowpath+0x13/0x1f ? mutex_lock+0xa2/0xdc ? __pfx_mutex_lock+0x10/0x10 rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core] rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core] ieee80211_scan_cancel+0x468/0x4d0 [mac80211] ieee80211_prep_connection+0x858/0x899 [mac80211] ieee80211_mgd_auth+0xbea/0xdde [mac80211] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211] ? cfg80211_find_elem+0x15/0x29 [cfg80211] ? is_bss+0x1b7/0x1d7 [cfg80211] ieee80211_auth+0x18/0x27 [mac80211] cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211] cfg80211_conn_do_work+0x410/0xb81 [cfg80211] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211] ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? __kasan_check_write+0x14/0x22 ? mutex_lock+0x8e/0xdc ? __pfx_mutex_lock+0x10/0x10 ? __pfx___radix_tree_lookup+0x10/0x10 cfg80211_conn_work+0x245/0x34d [cfg80211] ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211] ? update_cfs_rq_load_avg+0x3bc/0x3d7 ? sched_clock_noinstr+0x9/0x1a ? sched_clock+0x10/0x24 ? sched_clock_cpu+0x7e/0x42e ? newidle_balance+0x796/0x937 ? __pfx_sched_clock_cpu+0x10/0x10 ? __pfx_newidle_balance+0x10/0x10 ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? _raw_spin_unlock+0xe/0x24 ? raw_spin_rq_unlock+0x47/0x54 ? raw_spin_rq_unlock_irq+0x9/0x1f ? finish_task_switch.isra.0+0x347/0x586 ? __schedule+0x27bf/0x2892 ? mutex_unlock+0x80/0xd0 ? do_raw_spin_lock+0x75/0xdb ? __pfx___schedule+0x10/0x10 process_scheduled_works+0x58c/0x821 worker_thread+0x4c7/0x586 ? __kasan_check_read+0x11/0x1f kthread+0x285/0x294 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x6f ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> CVE-2025-21729 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-21755 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: add RCU protection to mld_newpack() mld_newpack() can be called without RTNL or RCU being held. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection. CVE-2025-21758 moderate In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels Some lwtunnels have a dst cache for post-transformation dst. If the packet destination did not change we may end up recording a reference to the lwtunnel in its own cache, and the lwtunnel state will never be freed. Discovered by the ioam6.sh test, kmemleak was recently fixed to catch per-cpu memory leaks. I'm not sure if rpl and seg6 can actually hit this, but in principle I don't see why not. CVE-2025-21768 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release(). Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refcounts in ax25_release(). In order for that to work correctly the refcounts must already be incremented when the device is bound to the socket. An AX25 device can be bound to a socket by either calling ax25_bind() or setting SO_BINDTODEVICE socket option. In both cases the refcounts should be incremented, but in fact it is done only in ax25_bind(). This bug leads to the following issue reported by Syzkaller: ================================================================ refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Modules linked in: CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31 Call Trace: <TASK> __refcount_dec include/linux/refcount.h:336 [inline] refcount_dec include/linux/refcount.h:351 [inline] ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236 netdev_tracker_free include/linux/netdevice.h:4156 [inline] netdev_put include/linux/netdevice.h:4173 [inline] netdev_put include/linux/netdevice.h:4169 [inline] ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069 __sock_release+0xb0/0x270 net/socket.c:640 sock_close+0x1c/0x30 net/socket.c:1408 ... do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> ================================================================ Fix the implementation of ax25_setsockopt() by adding increment of refcounts for the new device bound, and decrement of refcounts for the old unbound device. CVE-2025-21792 moderate In the Linux kernel, the following vulnerability has been resolved: net: let net.core.dev_weight always be non-zero The following problem was encountered during stability test: (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \ returned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \ next=ffff88905f746e40. WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \ __list_add_valid_or_report+0xf3/0x130 CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+ RIP: 0010:__list_add_valid_or_report+0xf3/0x130 Call Trace: ? __warn+0xcd/0x250 ? __list_add_valid_or_report+0xf3/0x130 enqueue_to_backlog+0x923/0x1070 netif_rx_internal+0x92/0x2b0 __netif_rx+0x15/0x170 loopback_xmit+0x2ef/0x450 dev_hard_start_xmit+0x103/0x490 __dev_queue_xmit+0xeac/0x1950 ip_finish_output2+0x6cc/0x1620 ip_output+0x161/0x270 ip_push_pending_frames+0x155/0x1a0 raw_sendmsg+0xe13/0x1550 __sys_sendto+0x3bf/0x4e0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x5b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reproduction command is as follows: sysctl -w net.core.dev_weight=0 ping 127.0.0.1 This is because when the napi's weight is set to 0, process_backlog() may return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this napi to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can be retriggered in enqueue_to_backlog(), causing this issue. Making the napi's weight always non-zero solves this problem. Triggering this issue requires system-wide admin (setting is not namespaced). CVE-2025-21806 moderate In the Linux kernel, the following vulnerability has been resolved: net: xdp: Disallow attaching device-bound programs in generic mode Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means they can't work in generic XDP mode. However, there is no check to disallow such programs from being attached in generic mode, in which case the metadata kfuncs will be called in an invalid context, leading to crashes. Fix this by adding a check to disallow attaching device-bound programs in generic mode. CVE-2025-21808 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: rcu protect dev->ax25_ptr syzbot found a lockdep issue [1]. We should remove ax25 RTNL dependency in ax25_setsockopt() This should also fix a variety of possible UAF in ax25. [1] WARNING: possible circular locking dependency detected 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted ------------------------------------------------------ syz.5.1818/12806 is trying to acquire lock: ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680 but task is already holding lock: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline] ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (sk_lock-AF_AX25){+.+.}-{0:0}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 lock_sock_nested+0x48/0x100 net/core/sock.c:3642 lock_sock include/net/sock.h:1618 [inline] ax25_kill_by_device net/ax25/af_ax25.c:101 [inline] ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146 notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85 __dev_notify_flags+0x207/0x400 dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026 dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563 dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820 sock_do_ioctl+0x240/0x460 net/socket.c:1234 sock_ioctl+0x626/0x8e0 net/socket.c:1339 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (rtnl_mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735 ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680 do_sock_setsockopt+0x3af/0x720 net/socket.c:2324 __sys_setsockopt net/socket.c:2349 [inline] __do_sys_setsockopt net/socket.c:2355 [inline] __se_sys_setsockopt net/socket.c:2352 [inline] __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sk_lock-AF_AX25); lock(rtnl_mutex); lock(sk_lock-AF_AX25); lock(rtnl_mutex); *** DEADLOCK *** 1 lock held by syz.5.1818/12806: #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline] #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574 stack backtrace: CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/lockin ---truncated--- CVE-2025-21812 important In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE There is a WARN_ON_ONCE to catch an unlikely situation when domain_remove_dev_pasid can't find the `pasid`. In case it nevertheless happens we must avoid using a NULL pointer. CVE-2025-21833 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: reallocate buf lists on upgrade IORING_REGISTER_PBUF_RING can reuse an old struct io_buffer_list if it was created for legacy selected buffer and has been emptied. It violates the requirement that most of the field should stay stable after publish. Always reallocate it instead. CVE-2025-21836 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: avoid holding freeze_mutex during mmap operation We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which is completely unnecessary. This can potentially also lead to deadlocks, as reported by syzbot in [0]. So, instead, hold freeze_mutex only during writeability checks, bump (proactively) "write active" count for the map, unlock the mutex and proceed with mmap logic. And only if something went wrong during mmap logic, then undo that "write active" counter increment. [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/ CVE-2025-21853 moderate In the Linux kernel, the following vulnerability has been resolved: sockmap, vsock: For connectible sockets allow only connected sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path. Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly: KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127] CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+ Workqueue: vsock-loopback vsock_loopback_work RIP: 0010:vsock_read_skb+0x4b/0x90 Call Trace: sk_psock_verdict_data_ready+0xa4/0x2e0 virtio_transport_recv_pkt+0x1ca8/0x2acc vsock_loopback_work+0x27d/0x3f0 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x35a/0x700 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AF_INET and AF_UNIX. CVE-2025-21854 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations. CVE-2025-21863 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init(). Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for "if (user_size > size)" as it is unnecessary. [1] BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635 xdp_recv_frames net/bpf/test_run.c:272 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline] __se_sys_bpf kernel/bpf/syscall.c:5864 [inline] __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: free_pages_prepare mm/page_alloc.c:1056 [inline] free_unref_page+0x156/0x1320 mm/page_alloc.c:2657 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline] ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235 bpf_map_free kernel/bpf/syscall.c:838 [inline] bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391 kthread+0x535/0x6b0 kernel/kthread.c:389 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 CVE-2025-21867 moderate In the Linux kernel, the following vulnerability has been resolved: net: better track kernel sockets lifetime While kernel sockets are dismantled during pernet_operations->exit(), their freeing can be delayed by any tx packets still held in qdisc or device queues, due to skb_set_owner_w() prior calls. This then trigger the following warning from ref_tracker_dir_exit() [1] To fix this, make sure that kernel sockets own a reference on net->passive. Add sk_net_refcnt_upgrade() helper, used whenever a kernel socket is converted to a refcounted one. [1] [ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.263918][ T35] sk_alloc+0x2b3/0x370 [ 136.263918][ T35] inet6_create+0x6ce/0x10f0 [ 136.263918][ T35] __sock_create+0x4c0/0xa30 [ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.263918][ T35] igmp6_net_init+0x39/0x390 [ 136.263918][ T35] ops_init+0x31e/0x590 [ 136.263918][ T35] setup_net+0x287/0x9e0 [ 136.263918][ T35] copy_net_ns+0x33f/0x570 [ 136.263918][ T35] create_new_namespaces+0x425/0x7b0 [ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.263918][ T35] ksys_unshare+0x57d/0xa70 [ 136.263918][ T35] __x64_sys_unshare+0x38/0x40 [ 136.263918][ T35] do_syscall_64+0xf3/0x230 [ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 136.263918][ T35] [ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.343488][ T35] sk_alloc+0x2b3/0x370 [ 136.343488][ T35] inet6_create+0x6ce/0x10f0 [ 136.343488][ T35] __sock_create+0x4c0/0xa30 [ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0 [ 136.343488][ T35] ops_init+0x31e/0x590 [ 136.343488][ T35] setup_net+0x287/0x9e0 [ 136.343488][ T35] copy_net_ns+0x33f/0x570 [ 136.343488][ T35] create_new_namespaces+0x425/0x7b0 [ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.343488][ T35] ksys_unshare+0x57d/0xa70 [ 136.343488][ T35] __x64_sys_unshare+0x38/0x40 [ 136.343488][ T35] do_syscall_64+0xf3/0x230 [ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-21884 moderate In the Linux kernel, the following vulnerability has been resolved: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC Actually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only ENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash if VFs are used to test one-step timestamp, the crash log as follows. [ 129.110909] Unable to handle kernel paging request at virtual address 00000000000080c0 [ 129.287769] Call trace: [ 129.290219] enetc_port_mac_wr+0x30/0xec (P) [ 129.294504] enetc_start_xmit+0xda4/0xe74 [ 129.298525] enetc_xmit+0x70/0xec [ 129.301848] dev_hard_start_xmit+0x98/0x118 CVE-2025-21894 moderate In the Linux kernel, the following vulnerability has been resolved: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list Syskaller triggers a warning due to prev_epc->pmu != next_epc->pmu in perf_event_swap_task_ctx_data(). vmcore shows that two lists have the same perf_event_pmu_context, but not in the same order. The problem is that the order of pmu_ctx_list for the parent is impacted by the time when an event/PMU is added. While the order for a child is impacted by the event order in the pinned_groups and flexible_groups. So the order of pmu_ctx_list in the parent and child may be different. To fix this problem, insert the perf_event_pmu_context to its proper place after iteration of the pmu_ctx_list. The follow testcase can trigger above warning: # perf record -e cycles --call-graph lbr -- taskset -c 3 ./a.out & # perf stat -e cpu-clock,cs -p xxx // xxx is the pid of a.out test.c void main() { int count = 0; pid_t pid; printf("%d running\n", getpid()); sleep(30); printf("running\n"); pid = fork(); if (pid == -1) { printf("fork error\n"); return; } if (pid == 0) { while (1) { count++; } } else { while (1) { count++; } } } The testcase first opens an LBR event, so it will allocate task_ctx_data, and then open tracepoint and software events, so the parent context will have 3 different perf_event_pmu_contexts. On inheritance, child ctx will insert the perf_event_pmu_context in another order and the warning will trigger. [ mingo: Tidied up the changelog. ] CVE-2025-21895 moderate In the Linux kernel, the following vulnerability has been resolved: caif_virtio: fix wrong pointer check in cfv_probe() del_vqs() frees virtqueues, therefore cfv->vq_tx pointer should be checked for NULL before calling it, not cfv->vdev. Also the current implementation is redundant because the pointer cfv->vdev is dereferenced before it is checked for NULL. Fix this by checking cfv->vq_tx for NULL instead of cfv->vdev before calling del_vqs(). CVE-2025-21904 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have. CVE-2025-21905 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: clean up ROC on failure If the firmware fails to start the session protection, then we do call iwl_mvm_roc_finished() here, but that won't do anything at all because IWL_MVM_STATUS_ROC_P2P_RUNNING was never set. Set IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path. If it started successfully before, it's already set, so that doesn't matter, and if it didn't start it needs to be set to clean up. Not doing so will lead to a WARN_ON() later on a fresh remain- on-channel, since the link is already active when activated as it was never deactivated. CVE-2025-21906 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback Add PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so nfs_release_folio() can skip calling nfs_wb_folio() from kcompactd. Otherwise NFS can deadlock waiting for kcompactd enduced writeback which recurses back to NFS (which triggers writeback to NFSD via NFS loopback mount on the same host, NFSD blocks waiting for XFS's call to __filemap_get_folio): 6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds. {--- [58] "kcompactd0" [<0>] folio_wait_bit+0xe8/0x200 [<0>] folio_wait_writeback+0x2b/0x80 [<0>] nfs_wb_folio+0x80/0x1b0 [nfs] [<0>] nfs_release_folio+0x68/0x130 [nfs] [<0>] split_huge_page_to_list_to_order+0x362/0x840 [<0>] migrate_pages_batch+0x43d/0xb90 [<0>] migrate_pages_sync+0x9a/0x240 [<0>] migrate_pages+0x93c/0x9f0 [<0>] compact_zone+0x8e2/0x1030 [<0>] compact_node+0xdb/0x120 [<0>] kcompactd+0x121/0x2e0 [<0>] kthread+0xcf/0x100 [<0>] ret_from_fork+0x31/0x40 [<0>] ret_from_fork_asm+0x1a/0x30 ---} [akpm@linux-foundation.org: fix build] CVE-2025-21908 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject cooked mode if it is set along with other flags It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE flags simultaneously on the same monitor interface from the userspace. This causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit set because the monitor interface is in the cooked state and it takes precedence over all other states. When the interface is then being deleted the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing that bit. Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with other flags. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21909 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons. 1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters. 2) While processing a user regulatory request, between reg_process_hint_user() and regulatory_hint_user() there happens to be a call to queue_regulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[]. Syzbot triggers a warning in is_user_regdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check. Prevent this by enhancing is_an_alpha2() to ensure that incoming symbols are latin letters and nothing else. [1] Syzbot report: ------------[ cut here ]------------ Unexpected user alpha2: A� WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 Modules linked in: CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_power_efficient crda_timeout_work RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline] RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline] RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 ... Call Trace: <TASK> crda_timeout_work+0x27/0x50 net/wireless/reg.c:542 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> CVE-2025-21910 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ] [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted [ 4.239603] ----------------------------- [ 4.239606] kworker/u8:5/76 is trying to lock: [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.239641] other info that might help us debug this: [ 4.239643] context-{5:5} [ 4.239646] 5 locks held by kworker/u8:5/76: [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value. [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c [ 4.254109] #2: ffff00000920c8f8 [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value. [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690 [ 4.264840] #4: [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value. [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690 [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz [ 4.304082] stack backtrace: [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 4.304097] Workqueue: async async_run_entry_fn [ 4.304106] Call trace: [ 4.304110] show_stack+0x14/0x20 (C) [ 4.304122] dump_stack_lvl+0x6c/0x90 [ 4.304131] dump_stack+0x14/0x1c [ 4.304138] __lock_acquire+0xdfc/0x1584 [ 4.426274] lock_acquire+0x1c4/0x33c [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80 [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8 [ 4.444422] __irq_set_trigger+0x5c/0x178 [ 4.448435] __setup_irq+0x2e4/0x690 [ 4.452012] request_threaded_irq+0xc4/0x190 [ 4.456285] devm_request_threaded_irq+0x7c/0xf4 [ 4.459398] ata1: link resume succeeded after 1 retries [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0 [ 4.470660] mmc_start_host+0x50/0xac [ 4.474327] mmc_add_host+0x80/0xe4 [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440 [ 4.482094] renesas_sdhi_probe+0x488/0x6f4 [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78 [ 4.491509] platform_probe+0x64/0xd8 [ 4.495178] really_probe+0xb8/0x2a8 [ 4.498756] __driver_probe_device+0x74/0x118 [ 4.503116] driver_probe_device+0x3c/0x154 [ 4.507303] __device_attach_driver+0xd4/0x160 [ 4.511750] bus_for_each_drv+0x84/0xe0 [ 4.515588] __device_attach_async_helper+0xb0/0xdc [ 4.520470] async_run_entry_fn+0x30/0xd8 [ 4.524481] process_one_work+0x210/0x62c [ 4.528494] worker_thread+0x1ac/0x340 [ 4.532245] kthread+0x10c/0x110 [ 4.535476] ret_from_fork+0x10/0x20 CVE-2025-21912 moderate In the Linux kernel, the following vulnerability has been resolved: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() Xen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results in the following warning: unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0) Call Trace: xen_read_msr+0x1e/0x30 amd_get_mmconfig_range+0x2b/0x80 quirk_amd_mmconfig_area+0x28/0x100 pnp_fixup_device+0x39/0x50 __pnp_add_device+0xf/0x150 pnp_add_device+0x3d/0x100 pnpacpi_add_device_handler+0x1f9/0x280 acpi_ns_get_device_callback+0x104/0x1c0 acpi_ns_walk_namespace+0x1d0/0x260 acpi_get_devices+0x8a/0xb0 pnpacpi_init+0x50/0x80 do_one_initcall+0x46/0x2e0 kernel_init_freeable+0x1da/0x2f0 kernel_init+0x16/0x1b0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 based on quirks for a "PNP0c01" device. Treating MMCFG as disabled is the right course of action, so no change is needed there. This was most likely exposed by fixing the Xen MSR accessors to not be silently-safe. CVE-2025-21913 moderate In the Linux kernel, the following vulnerability has been resolved: slimbus: messaging: Free transaction ID in delayed interrupt scenario In case of interrupt delay for any reason, slim_do_transfer() returns timeout error but the transaction ID (TID) is not freed. This results into invalid memory access inside qcom_slim_ngd_rx_msgq_cb() due to invalid TID. Fix the issue by freeing the TID in slim_do_transfer() before returning timeout error to avoid invalid memory access. Call trace: __memcpy_fromio+0x20/0x190 qcom_slim_ngd_rx_msgq_cb+0x130/0x290 [slim_qcom_ngd_ctrl] vchan_complete+0x2a0/0x4a0 tasklet_action_common+0x274/0x700 tasklet_action+0x28/0x3c _stext+0x188/0x620 run_ksoftirqd+0x34/0x74 smpboot_thread_fn+0x1d8/0x464 kthread+0x178/0x238 ret_from_fork+0x10/0x20 Code: aa0003e8 91000429 f100044a 3940002b (3800150b) ---[ end trace 0fe00bec2b975c99 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt. CVE-2025-21914 moderate In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs. The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users. Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. CVE-2025-21915 moderate In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix a flaw in existing endpoint checks Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")). While using usb_find_common_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well. Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind, switch the endpoint verification approach to usb_check_XXX_endpoints() instead to fix incomplete ep testing. [1] Syzbot report: usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649 cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline] cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223 usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058 cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377 usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396 really_probe+0x2b9/0xad0 drivers/base/dd.c:658 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800 driver_probe_device+0x50/0x430 drivers/base/dd.c:830 ... CVE-2025-21916 moderate In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable. CVE-2025-21917 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix NULL pointer access Resources should be released only after all threads that utilize them have been destroyed. This commit ensures that resources are not released prematurely by waiting for the associated workqueue to complete before deallocating them. CVE-2025-21918 moderate In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000 CVE-2025-21922 moderate In the Linux kernel, the following vulnerability has been resolved: HID: hid-steam: Fix use-after-free when detaching device When a hid-steam device is removed it must clean up the client_hdev used for intercepting hidraw access. This can lead to scheduling deferred work to reattach the input device. Though the cleanup cancels the deferred work, this was done before the client_hdev itself is cleaned up, so it gets rescheduled. This patch fixes the ordering to make sure the deferred work is properly canceled. CVE-2025-21923 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error During the initialization of ptp, hclge_ptp_get_cycle might return an error and returned directly without unregister clock and free it. To avoid that, call hclge_ptp_destroy_clock to unregist and free clock if hclge_ptp_get_cycle failed. CVE-2025-21924 moderate In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver might have an issue with pktgen, because it does not clear IFF_TX_SKB_SHARING, this is an orthogonal change. We need to audit other skb_get() uses in net/llc. [1] kernel BUG at net/core/skbuff.c:2178 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178 Call Trace: <TASK> __skb_pad+0x18a/0x610 net/core/skbuff.c:2466 __skb_put_padto include/linux/skbuff.h:3843 [inline] skb_put_padto include/linux/skbuff.h:3862 [inline] eth_skb_pad include/linux/etherdevice.h:656 [inline] e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3806 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:4045 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621 dev_queue_xmit include/linux/netdevice.h:3313 [inline] llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209 llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993 sock_sendmsg_nosec net/socket.c:718 [inline] CVE-2025-21925 moderate In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50 The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action: 1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed. 2. The segments' data are copied and sent to userspace. 3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path. 4. If it later hits skb_orphan, we hit the bug. Fix this by also removing the reference to the socket in __udp_gso_segment. CVE-2025-21926 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. CVE-2025-21927 moderate In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed. CVE-2025-21928 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't try to talk to a dead firmware This fixes: bad state = 0 WARNING: CPU: 10 PID: 702 at drivers/net/wireless/inel/iwlwifi/iwl-trans.c:178 iwl_trans_send_cmd+0xba/0xe0 [iwlwifi] Call Trace: <TASK> ? __warn+0xca/0x1c0 ? iwl_trans_send_cmd+0xba/0xe0 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4] iwl_fw_dbg_clear_monitor_buf+0xd7/0x110 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4] _iwl_dbgfs_fw_dbg_clear_write+0xe2/0x120 [iwlmvm 0e8adb18cea92d2c341766bcc10b18699290068a] Ask whether the firmware is alive before sending a command. CVE-2025-21930 moderate In the Linux kernel, the following vulnerability has been resolved: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio Commit b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined) add page poison checks in do_migrate_range in order to make offline hwpoisoned page possible by introducing isolate_lru_page and try_to_unmap for hwpoisoned page. However folio lock must be held before calling try_to_unmap. Add it to fix this problem. Warning will be produced if folio is not locked during unmap: ------------[ cut here ]------------ kernel BUG at ./include/linux/swapops.h:400! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G W 6.13.0-rc1-00016-g3c434c7ee82a-dirty #41 Tainted: [W]=WARN Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : try_to_unmap_one+0xb08/0xd3c lr : try_to_unmap_one+0x3dc/0xd3c Call trace: try_to_unmap_one+0xb08/0xd3c (P) try_to_unmap_one+0x3dc/0xd3c (L) rmap_walk_anon+0xdc/0x1f8 rmap_walk+0x3c/0x58 try_to_unmap+0x88/0x90 unmap_poisoned_folio+0x30/0xa8 do_migrate_range+0x4a0/0x568 offline_pages+0x5a4/0x670 memory_block_action+0x17c/0x374 memory_subsys_offline+0x3c/0x78 device_offline+0xa4/0xd0 state_store+0x8c/0xf0 dev_attr_store+0x18/0x2c sysfs_kf_write+0x44/0x54 kernfs_fop_write_iter+0x118/0x1a8 vfs_write+0x3a8/0x4bc ksys_write+0x6c/0xf8 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x30/0xd0 el0t_64_sync_handler+0xc8/0xcc el0t_64_sync+0x198/0x19c Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000) ---[ end trace 0000000000000000 ]--- CVE-2025-21931 moderate In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misues when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue. CVE-2025-21934 moderate In the Linux kernel, the following vulnerability has been resolved: rapidio: add check for rio_add_net() in rio_scan_alloc_net() The return value of rio_add_net() should be checked. If it fails, put_device() should be called to free the memory and give up the reference initialized in rio_add_net(). CVE-2025-21935 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Add check for the return value of mgmt_alloc_skb() in mgmt_device_connected() to prevent null pointer dereference. CVE-2025-21936 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Add check for the return value of mgmt_alloc_skb() in mgmt_remote_name() to prevent null pointer dereference. CVE-2025-21937 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Null pointer dereference issue could occur when pipe_ctx->plane_state is null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not null before accessing. This prevents a null pointer dereference. Found by code review. (cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092) CVE-2025-21941 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: aggregator: protect driver attr handlers against module unload Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held. Add try_module_get() in these handlers. For new_device_store, this eliminates what appears to be the most dangerous scenario: if an id is allocated from gpio_aggregator_idr but platform_device_register has not yet been called or completed, a concurrent module unload could fail to unregister/delete the device, leaving behind a dangling platform device/GPIO forwarder. This can result in various issues. The following simple reproducer demonstrates these problems: #!/bin/bash while :; do # note: whether 'gpiochip0 0' exists or not does not matter. echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device done & while :; do modprobe gpio-aggregator modprobe -r gpio-aggregator done & wait Starting with the following warning, several kinds of warnings will appear and the system may become unstable: ------------[ cut here ]------------ list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 [...] RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 [...] Call Trace: <TASK> ? __list_del_entry_valid_or_report+0xa3/0x120 ? __warn.cold+0x93/0xf2 ? __list_del_entry_valid_or_report+0xa3/0x120 ? report_bug+0xe6/0x170 ? __irq_work_queue_local+0x39/0xe0 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? __list_del_entry_valid_or_report+0xa3/0x120 gpiod_remove_lookup_table+0x22/0x60 new_device_store+0x315/0x350 [gpio_aggregator] kernfs_fop_write_iter+0x137/0x1f0 vfs_write+0x262/0x430 ksys_write+0x60/0xd0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]--- CVE-2025-21943 moderate In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 Read of size 8 at addr 0000000000000028 by task syz-executor199/2949 CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 kasan_report+0xd9/0x110 mm/kasan/report.c:602 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] is_event_supported drivers/input/input.c:67 [inline] input_event+0x42/0xa0 drivers/input/input.c:395 input_report_key include/linux/input.h:439 [inline] key_down drivers/hid/hid-appleir.c:159 [inline] appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 __run_hrtimer kernel/time/hrtimer.c:1739 [inline] __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 add_timer+0x62/0x90 kernel/time/timer.c:1295 schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This happens due to the malformed report items sent by the emulated device which results in a report, that has no fields, being added to the report list. Due to this appleir_input_configured() is never called, hidinput_connect() fails which results in the HID_CLAIMED_INPUT flag is not being set. However, it does not make appleir_probe() fail and lets the event callback to be called without the associated input device. Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook early if the driver didn't claim any input_dev for some reason. Moreover, some other hid drivers accessing input_dev in their event callbacks do have similar checks, too. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21948 moderate In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes. CVE-2025-21950 moderate In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function internally will take the device_lock() first before resetting the device. By this time, if the lock has already been acquired, then recovery_work will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recovery_work to be completed, it will lead to deadlock. This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock. And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the device_lock() before calling driver's suspend() callback. And if the recovery_work was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD. So to fix both issues, use pci_try_reset_function() in recovery_work. This function first checks for the availability of the device_lock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recovery_work will fail with the error message "Recovery failed" as not much could be done. CVE-2025-21951 moderate In the Linux kernel, the following vulnerability has been resolved: net: mana: cleanup mana struct after debugfs_remove() When on a MANA VM hibernation is triggered, as part of hibernate_snapshot(), mana_gd_suspend() and mana_gd_resume() are called. If during this mana_gd_resume(), a failure occurs with HWC creation, mana_port_debugfs pointer does not get reinitialized and ends up pointing to older, cleaned-up dentry. Further in the hibernation path, as part of power_down(), mana_gd_shutdown() is triggered. This call, unaware of the failures in resume, tries to cleanup the already cleaned up mana_port_debugfs value and hits the following bug: [ 191.359296] mana 7870:00:00.0: Shutdown was called [ 191.359918] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 191.360584] #PF: supervisor write access in kernel mode [ 191.361125] #PF: error_code(0x0002) - not-present page [ 191.361727] PGD 1080ea067 P4D 0 [ 191.362172] Oops: Oops: 0002 [#1] SMP NOPTI [ 191.362606] CPU: 11 UID: 0 PID: 1674 Comm: bash Not tainted 6.14.0-rc5+ #2 [ 191.363292] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 191.364124] RIP: 0010:down_write+0x19/0x50 [ 191.364537] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb e8 de cd ff ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 16 65 48 8b 05 88 24 4c 6a 48 89 43 08 48 8b 5d [ 191.365867] RSP: 0000:ff45fbe0c1c037b8 EFLAGS: 00010246 [ 191.366350] RAX: 0000000000000000 RBX: 0000000000000098 RCX: ffffff8100000000 [ 191.366951] RDX: 0000000000000001 RSI: 0000000000000064 RDI: 0000000000000098 [ 191.367600] RBP: ff45fbe0c1c037c0 R08: 0000000000000000 R09: 0000000000000001 [ 191.368225] R10: ff45fbe0d2b01000 R11: 0000000000000008 R12: 0000000000000000 [ 191.368874] R13: 000000000000000b R14: ff43dc27509d67c0 R15: 0000000000000020 [ 191.369549] FS: 00007dbc5001e740(0000) GS:ff43dc663f380000(0000) knlGS:0000000000000000 [ 191.370213] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 191.370830] CR2: 0000000000000098 CR3: 0000000168e8e002 CR4: 0000000000b73ef0 [ 191.371557] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 191.372192] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 191.372906] Call Trace: [ 191.373262] <TASK> [ 191.373621] ? show_regs+0x64/0x70 [ 191.374040] ? __die+0x24/0x70 [ 191.374468] ? page_fault_oops+0x290/0x5b0 [ 191.374875] ? do_user_addr_fault+0x448/0x800 [ 191.375357] ? exc_page_fault+0x7a/0x160 [ 191.375971] ? asm_exc_page_fault+0x27/0x30 [ 191.376416] ? down_write+0x19/0x50 [ 191.376832] ? down_write+0x12/0x50 [ 191.377232] simple_recursive_removal+0x4a/0x2a0 [ 191.377679] ? __pfx_remove_one+0x10/0x10 [ 191.378088] debugfs_remove+0x44/0x70 [ 191.378530] mana_detach+0x17c/0x4f0 [ 191.378950] ? __flush_work+0x1e2/0x3b0 [ 191.379362] ? __cond_resched+0x1a/0x50 [ 191.379787] mana_remove+0xf2/0x1a0 [ 191.380193] mana_gd_shutdown+0x3b/0x70 [ 191.380642] pci_device_shutdown+0x3a/0x80 [ 191.381063] device_shutdown+0x13e/0x230 [ 191.381480] kernel_power_off+0x35/0x80 [ 191.381890] hibernate+0x3c6/0x470 [ 191.382312] state_store+0xcb/0xd0 [ 191.382734] kobj_attr_store+0x12/0x30 [ 191.383211] sysfs_kf_write+0x3e/0x50 [ 191.383640] kernfs_fop_write_iter+0x140/0x1d0 [ 191.384106] vfs_write+0x271/0x440 [ 191.384521] ksys_write+0x72/0xf0 [ 191.384924] __x64_sys_write+0x19/0x20 [ 191.385313] x64_sys_call+0x2b0/0x20b0 [ 191.385736] do_syscall_64+0x79/0x150 [ 191.386146] ? __mod_memcg_lruvec_state+0xe7/0x240 [ 191.386676] ? __lruvec_stat_mod_folio+0x79/0xb0 [ 191.387124] ? __pfx_lru_add+0x10/0x10 [ 191.387515] ? queued_spin_unlock+0x9/0x10 [ 191.387937] ? do_anonymous_page+0x33c/0xa00 [ 191.388374] ? __handle_mm_fault+0xcf3/0x1210 [ 191.388805] ? __count_memcg_events+0xbe/0x180 [ 191.389235] ? handle_mm_fault+0xae/0x300 [ 19 ---truncated--- CVE-2025-21953 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT. It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests. Also fixes the indentation in get_norm_pix_clk. (cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775) CVE-2025-21956 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 A null dereference or oops exception will eventually occur when qla1280.c driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I think its clear from the code that the intention here is sg_dma_len(s) not length of sg_next(s) when printing the debug info. CVE-2025-21957 moderate In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work. When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed is CHECKSUM_NONE or not. It means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path. So the by skb_checksum_none_assert() WARNS about it. This is duplicate work and updating ip_summed in the bnxt_xdp_build_skb() is not needed. Splat looks like: WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_] CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27 Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f RSP: 0018:ffff88881ba09928 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000 RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8 RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070 R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080 R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000 FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0xcd/0x2f0 ? bnxt_rx_pkt+0x479b/0x7610 ? report_bug+0x326/0x3c0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? bnxt_rx_pkt+0x479b/0x7610 ? bnxt_rx_pkt+0x3e41/0x7610 ? __pfx_bnxt_rx_pkt+0x10/0x10 ? napi_complete_done+0x2cf/0x7d0 __bnxt_poll_work+0x4e8/0x1220 ? __pfx___bnxt_poll_work+0x10/0x10 ? __pfx_mark_lock.part.0+0x10/0x10 bnxt_poll_p5+0x36a/0xfa0 ? __pfx_bnxt_poll_p5+0x10/0x10 __napi_poll.constprop.0+0xa0/0x440 net_rx_action+0x899/0xd00 ... Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue. CVE-2025-21960 moderate In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix truesize for mb-xdp-pass case When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but the skb_shared_info was wiped by napi_build_skb() before. So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it instead of getting skb_shared_info from xdp_get_shared_info_from_buff(). Splat looks like: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590 Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3 RIP: 0010:skb_try_coalesce+0x504/0x590 Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99 RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287 RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0 RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003 RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900 R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740 R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0x84/0x130 ? skb_try_coalesce+0x504/0x590 ? report_bug+0x18a/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? skb_try_coalesce+0x504/0x590 inet_frag_reasm_finish+0x11f/0x2e0 ip_defrag+0x37a/0x900 ip_local_deliver+0x51/0x120 ip_sublist_rcv_finish+0x64/0x70 ip_sublist_rcv+0x179/0x210 ip_list_rcv+0xf9/0x130 How to reproduce: <Node A> ip link set $interface1 xdp obj xdp_pass.o ip link set $interface1 mtu 9000 up ip a a 10.0.0.1/24 dev $interface1 <Node B> ip link set $interfac2 mtu 9000 up ip a a 10.0.0.2/24 dev $interface2 ping 10.0.0.1 -s 65000 Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue. CVE-2025-21961 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing closetimeo mount option User-provided mount parameter closetimeo of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-21962 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acdirmax mount option User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-21963 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acregmax mount option User-provided mount parameter acregmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-21964 moderate In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init CVE-2025-21966 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) CVE-2025-21968 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837 CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci1 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline] l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline] l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline] hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5837: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726 hci_event_func net/bluetooth/hci_event.c:7473 [inline] hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 54: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- CVE-2025-21969 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for bond is deleted, and the entry will never be aged because lastuse is never updated. To make things worse, as the entry is alive, mlx5 bridge workqueue keeps sending that event, which is then handled by kernel bridge notifier. It causes the following crash when accessing the passed bond netdev which is already destroyed. To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"), driver still need to skip offload if LAG becomes invalid state after initialization. Oops: stack segment: 0000 [#1] SMP CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core] RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge] Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7 RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297 RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0 RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60 R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? die+0x38/0x60 ? do_trap+0x10b/0x120 ? do_error_trap+0x64/0xa0 ? exc_stack_segment+0x33/0x50 ? asm_exc_stack_segment+0x22/0x30 ? br_switchdev_event+0x2c/0x110 [bridge] ? sched_balance_newidle.isra.149+0x248/0x390 notifier_call_chain+0x4b/0xa0 atomic_notifier_call_chain+0x16/0x20 mlx5_esw_bridge_update+0xec/0x170 [mlx5_core] mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core] process_scheduled_works+0x81/0x390 worker_thread+0x106/0x250 ? bh_worker+0x110/0x110 kthread+0xb7/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 </TASK> CVE-2025-21970 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal. CVE-2025-21971 important In the Linux kernel, the following vulnerability has been resolved: net: mctp: unshare packets when reassembling Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular references between fragments and their skb_shared_info. The upcoming MCTP-over-USB driver uses skb_clone which can trigger the problem - other MCTP drivers don't share SKBs. A kunit test is added to reproduce the issue. CVE-2025-21972 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: handle errors in mlx5_chains_create_table() In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and return error pointer. CVE-2025-21975 moderate In the Linux kernel, the following vulnerability has been resolved: drm/hyperv: Fix address space leak when Hyper-V DRM device is removed When a Hyper-V DRM device is probed, the driver allocates MMIO space for the vram, and maps it cacheable. If the device removed, or in the error path for device probing, the MMIO space is released but no unmap is done. Consequently the kernel address space for the mapping is leaked. Fix this by adding iounmap() calls in the device removal path, and in the error path during device probing. CVE-2025-21978 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventally gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy. CVE-2025-21979 moderate In the Linux kernel, the following vulnerability has been resolved: sched: address a potential NULL pointer dereference in the GRED scheduler. If kzalloc in gred_init returns a NULL pointer, the code follows the error handling path, invoking gred_destroy. This, in turn, calls gred_offload, where memset could receive a NULL pointer as input, potentially leading to a kernel crash. When table->opt is NULL in gred_init(), gred_change_table_def() is not called yet, so it is not necessary to call ->ndo_setup_tc() in gred_offload(). CVE-2025-21980 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two cases: - as part of VSI initialization (at probe), and - as part of reset handling However, VSI reconfiguration executed during reset involves memory allocation one more time, without prior releasing already allocated resources. This led to the memory leak with the following signature: [root@os-delivery ~]# cat /sys/kernel/debug/kmemleak unreferenced object 0xff3c1ca7252e6000 (size 8192): comm "kworker/0:0", pid 8, jiffies 4296833052 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<ffffffff991ec485>] __kmalloc_cache_noprof+0x275/0x340 [<ffffffffc0a6e06a>] ice_init_arfs+0x3a/0xe0 [ice] [<ffffffffc09f1027>] ice_vsi_cfg_def+0x607/0x850 [ice] [<ffffffffc09f244b>] ice_vsi_setup+0x5b/0x130 [ice] [<ffffffffc09c2131>] ice_init+0x1c1/0x460 [ice] [<ffffffffc09c64af>] ice_probe+0x2af/0x520 [ice] [<ffffffff994fbcd3>] local_pci_probe+0x43/0xa0 [<ffffffff98f07103>] work_for_cpu_fn+0x13/0x20 [<ffffffff98f0b6d9>] process_one_work+0x179/0x390 [<ffffffff98f0c1e9>] worker_thread+0x239/0x340 [<ffffffff98f14abc>] kthread+0xcc/0x100 [<ffffffff98e45a6d>] ret_from_fork+0x2d/0x50 [<ffffffff98e083ba>] ret_from_fork_asm+0x1a/0x30 ... CVE-2025-21981 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix out-of-bound accesses [WHAT & HOW] hpo_stream_to_link_encoder_mapping has size MAX_HPO_DP2_ENCODERS(=4), but location can have size up to 6. As a result, it is necessary to check location against MAX_HPO_DP2_ENCODERS. Similiarly, disp_cfg_stream_location can be used as an array index which should be 0..5, so the ASSERT's conditions should be less without equal. CVE-2025-21985 moderate In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ] CVE-2025-21991 moderate In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff Add this device to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace. CVE-2025-21992 moderate In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. CVE-2025-21993 moderate In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix fence reference count leak The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails. Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper balance. [phasta: add git tag info for stable kernel] CVE-2025-21995 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68) CVE-2025-21996 moderate In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan@gmail.com: don't do 2 atomic ops on the common path] CVE-2025-21999 important In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug. CVE-2025-22001 moderate In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)). Let's consider below buffers: dest[len + 1]; /* will be NUL terminated */ src[len]; /* may not be NUL terminated */ When doing: strncpy(dest, src, len); dest[len] = '\0'; strncpy() will read up to len bytes from src. On the other hand: strscpy(dest, src, len + 1); will read up to len + 1 bytes from src, that is to say, an out of bound read of one byte will occur on src if it is not NUL terminated. Note that the src[len] byte is never copied, but strscpy() still needs to read it to check whether a truncation occurred or not. This exact pattern happened in ucan. The root cause is that the source is not NUL terminated. Instead of doing a copy in a local buffer, directly NUL terminate it as soon as usb_control_msg() returns. With this, the local firmware_str[] variable can be removed. On top of this do a couple refactors: - ucan_ctl_payload->raw is only used for the firmware string, so rename it to ucan_ctl_payload->fw_str and change its type from u8 to char. - ucan_device_request_in() is only used to retrieve the firmware string, so rename it to ucan_get_fw_str() and refactor it to make it directly handle all the string termination logic. CVE-2025-22003 moderate In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. CVE-2025-22004 important In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. CVE-2025-22007 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it. CVE-2025-22008 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: dummy: force synchronous probing Sometimes I get a NULL pointer dereference at boot time in kobject_get() with the following call stack: anatop_regulator_probe() devm_regulator_register() regulator_register() regulator_resolve_supply() kobject_get() By placing some extra BUG_ON() statements I could verify that this is raised because probing of the 'dummy' regulator driver is not completed ('dummy_regulator_rdev' is still NULL). In the JTAG debugger I can see that dummy_regulator_probe() and anatop_regulator_probe() can be run by different kernel threads (kworker/u4:*). I haven't further investigated whether this can be changed or if there are other possibilities to force synchronization between these two probe routines. On the other hand I don't expect much boot time penalty by probing the 'dummy' regulator synchronously. CVE-2025-22009 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup during bt pages loop Driver runs a for-loop when allocating bt pages and mapping them with buffer pages. When a large buffer (e.g. MR over 100GB) is being allocated, it may require a considerable loop count. This will lead to soft lockup: watchdog: BUG: soft lockup - CPU#27 stuck for 22s! ... Call trace: hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2] hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2] hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2] alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2] hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x118/0x290 watchdog: BUG: soft lockup - CPU#35 stuck for 23s! ... Call trace: hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2] mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2] hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2] alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2] hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x120/0x2bc Add a cond_resched() to fix soft lockup during these loops. In order not to affect the allocation performance of normal-size buffer, set the loop count of a 100GB MR as the threshold to call cond_resched(). CVE-2025-22010 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including: * Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger: https://issues.redhat.com/browse/RHEL-68997 * Host SVE state is discarded *after* modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state. * The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory. Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches. Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit: 8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving") ... and so this eager save+flush probably needs to be backported to ALL stable trees. CVE-2025-22013 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for the service and does schedule locator work, later a process B got a new server packet indicating locator is up and call pdr_locator_new_server() which eventually sets pdr->locator_init_complete to true which process A sees and takes list lock and queries domain list but it will timeout due to deadlock as the response will queued to the same qmi->wq and it is ordered workqueue and process B is not able to complete new server request work due to deadlock on list lock. Fix it by removing the unnecessary list iteration as the list iteration is already being done inside locator work, so avoid it here and just call schedule_work() here. Process A Process B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s get domain list txn wait failed: %d\n", req->service_name, ret); Timeout error log due to deadlock: " PDR: tms/servreg get domain list txn wait failed: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 " Thanks to Bjorn and Johan for letting me know that this commit also fixes an audio regression when using the in-kernel pd-mapper as that makes it easier to hit this race. [1] CVE-2025-22014 moderate In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here. CVE-2025-22015 moderate In the Linux kernel, the following vulnerability has been resolved: dpll: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. Which can lead to dereference not allocated pointer (pin). Fix it by checking if err is lower than zero. This wasn't found in real usecase, only noticed. Credit to Pierre. CVE-2025-22016 moderate In the Linux kernel, the following vulnerability has been resolved: devlink: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. Which can lead to dereference not allocated pointer (rel). Fix it by checking if err is lower than zero. This wasn't found in real usecase, only noticed. Credit to Pierre. CVE-2025-22017 moderate In the Linux kernel, the following vulnerability has been resolved: atm: Fix NULL pointer dereference When MPOA_cache_impos_rcvd() receives the msg, it can trigger Null Pointer Dereference Vulnerability if both entry and holding_time are NULL. Because there is only for the situation where entry is NULL and holding_time exists, it can be passed when both entry and holding_time are NULL. If these are NULL, the entry will be passd to eg_cache_put() as parameter and it is referenced by entry->use code in it. kasan log: [ 3.316691] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006:I [ 3.317568] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 3.318188] CPU: 3 UID: 0 PID: 79 Comm: ex Not tainted 6.14.0-rc2 #102 [ 3.318601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 3.319298] RIP: 0010:eg_cache_remove_entry+0xa5/0x470 [ 3.319677] Code: c1 f7 6e fd 48 c7 c7 00 7e 38 b2 e8 95 64 54 fd 48 c7 c7 40 7e 38 b2 48 89 ee e80 [ 3.321220] RSP: 0018:ffff88800583f8a8 EFLAGS: 00010006 [ 3.321596] RAX: 0000000000000006 RBX: ffff888005989000 RCX: ffffffffaecc2d8e [ 3.322112] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000030 [ 3.322643] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6558b88 [ 3.323181] R10: 0000000000000003 R11: 203a207972746e65 R12: 1ffff11000b07f15 [ 3.323707] R13: dffffc0000000000 R14: ffff888005989000 R15: ffff888005989068 [ 3.324185] FS: 000000001b6313c0(0000) GS:ffff88806d380000(0000) knlGS:0000000000000000 [ 3.325042] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.325545] CR2: 00000000004b4b40 CR3: 000000000248e000 CR4: 00000000000006f0 [ 3.326430] Call Trace: [ 3.326725] <TASK> [ 3.326927] ? die_addr+0x3c/0xa0 [ 3.327330] ? exc_general_protection+0x161/0x2a0 [ 3.327662] ? asm_exc_general_protection+0x26/0x30 [ 3.328214] ? vprintk_emit+0x15e/0x420 [ 3.328543] ? eg_cache_remove_entry+0xa5/0x470 [ 3.328910] ? eg_cache_remove_entry+0x9a/0x470 [ 3.329294] ? __pfx_eg_cache_remove_entry+0x10/0x10 [ 3.329664] ? console_unlock+0x107/0x1d0 [ 3.329946] ? __pfx_console_unlock+0x10/0x10 [ 3.330283] ? do_syscall_64+0xa6/0x1a0 [ 3.330584] ? entry_SYSCALL_64_after_hwframe+0x47/0x7f [ 3.331090] ? __pfx_prb_read_valid+0x10/0x10 [ 3.331395] ? down_trylock+0x52/0x80 [ 3.331703] ? vprintk_emit+0x15e/0x420 [ 3.331986] ? __pfx_vprintk_emit+0x10/0x10 [ 3.332279] ? down_trylock+0x52/0x80 [ 3.332527] ? _printk+0xbf/0x100 [ 3.332762] ? __pfx__printk+0x10/0x10 [ 3.333007] ? _raw_write_lock_irq+0x81/0xe0 [ 3.333284] ? __pfx__raw_write_lock_irq+0x10/0x10 [ 3.333614] msg_from_mpoad+0x1185/0x2750 [ 3.333893] ? __build_skb_around+0x27b/0x3a0 [ 3.334183] ? __pfx_msg_from_mpoad+0x10/0x10 [ 3.334501] ? __alloc_skb+0x1c0/0x310 [ 3.334809] ? __pfx___alloc_skb+0x10/0x10 [ 3.335283] ? _raw_spin_lock+0xe0/0xe0 [ 3.335632] ? finish_wait+0x8d/0x1e0 [ 3.335975] vcc_sendmsg+0x684/0xba0 [ 3.336250] ? __pfx_vcc_sendmsg+0x10/0x10 [ 3.336587] ? __pfx_autoremove_wake_function+0x10/0x10 [ 3.337056] ? fdget+0x176/0x3e0 [ 3.337348] __sys_sendto+0x4a2/0x510 [ 3.337663] ? __pfx___sys_sendto+0x10/0x10 [ 3.337969] ? ioctl_has_perm.constprop.0.isra.0+0x284/0x400 [ 3.338364] ? sock_ioctl+0x1bb/0x5a0 [ 3.338653] ? __rseq_handle_notify_resume+0x825/0xd20 [ 3.339017] ? __pfx_sock_ioctl+0x10/0x10 [ 3.339316] ? __pfx___rseq_handle_notify_resume+0x10/0x10 [ 3.339727] ? selinux_file_ioctl+0xa4/0x260 [ 3.340166] __x64_sys_sendto+0xe0/0x1c0 [ 3.340526] ? syscall_exit_to_user_mode+0x123/0x140 [ 3.340898] do_syscall_64+0xa6/0x1a0 [ 3.341170] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 3.341533] RIP: 0033:0x44a380 [ 3.341757] Code: 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c00 [ ---truncated--- CVE-2025-22018 moderate In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 rebind_marked_interfaces.isra.0+0xcc/0x110 usb_reset_device+0x352/0x410 usbdev_do_ioctl+0xe5c/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 161506: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x36/0x60 __kasan_slab_free+0x34/0x50 kfree+0x1fd/0x3b0 device_release+0x56/0xf0 kobject_cleanup+0x73/0x1c0 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms] platform_remove+0x2f/0x50 device_release_driver_internal+0x24b/0x2e0 bus_remove_device+0x124/0x1d0 device_del+0x239/0x530 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x40 mfd_remove_devices_fn+0x167/0x170 device_for_each_child_reverse+0xc9/0x130 mfd_remove_devices+0x6e/0xa0 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb] usb_unbind_interface+0xf3/0x3f0 device_release_driver_internal+0x24b/0x2e0 proc_disconnect_claim+0x13d/0x220 usbdev_do_ioctl+0xb5e/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x360 __irq_exit_rcu+0x114/0x130 sysvec_apic_timer_interrupt+0x72/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x ---truncated--- CVE-2025-22020 important In the Linux kernel, the following vulnerability has been resolved: nfsd: put dl_stid if fail to queue dl_recall Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release. However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented correspondingly, leading to the following nfs4_stid leak: unreferenced object 0xffff88812067b578 (size 344): comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s) hex dump (first 32 bytes): 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........ 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N.. backtrace: kmem_cache_alloc+0x4b9/0x700 nfsd4_process_open1+0x34/0x300 nfsd4_open+0x2d1/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 unreferenced object 0xffff8881499f4d28 (size 368): comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I.... 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... ....... backtrace: kmem_cache_alloc+0x4b9/0x700 nfs4_alloc_stid+0x29/0x210 alloc_init_deleg+0x92/0x2e0 nfs4_set_delegation+0x284/0xc00 nfs4_open_delegation+0x216/0x3f0 nfsd4_process_open2+0x2b3/0xee0 nfsd4_open+0x770/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if fail to queue dl_recall. CVE-2025-22025 moderate In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish. If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-22027 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-22029 important In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, the kernel panics: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000006 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000 [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] SMP Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa> libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c> CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1 Debian 6.1.128-1 Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : do_compat_alignment_fixup+0xd8/0x3dc sp : ffff80000f973dd0 x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001 x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000 x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001 Call trace: 0x0 do_alignment_fault+0x40/0x50 do_mem_abort+0x4c/0xa0 el0_da+0x48/0xf0 el0t_32_sync_handler+0x110/0x140 el0t_32_sync+0x190/0x194 Code: bad PC value ---[ end trace 0000000000000000 ]--- CVE-2025-22033 moderate In the Linux kernel, the following vulnerability has been resolved: exfat: fix random stack corruption after get_block When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation. <CPU 0> <CPU 1> mpage_read_folio <<bh on stack>> do_mpage_readpage exfat_get_block bh_read __bh_read get_bh(bh) submit_bh wait_on_buffer ... end_buffer_read_sync __end_buffer_read_notouch unlock_buffer <<keep going>> ... ... ... ... <<bh is not valid out of mpage_read_folio>> . . another_function <<variable A on stack>> put_bh(bh) atomic_dec(bh->b_count) * stack corruption here * This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fallback to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again. Let's do not call bh_read() with on-stack buffer_head. CVE-2025-22036 moderate In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary bus families can be translated". This warning is emited if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided value call_pkg->nd_family of type u64 is not equal to 0. Then the value is converted to int, and only after that is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while the lower 32 bits are zero. Furthermore, it is best to return EINVAL immediately upon seeing the invalid user input. The WARNING is insufficient to prevent further undefined behavior based on other invalid user input. All checks of the input value should be applied to the original variable call_pkg->nd_family. [iweiny: update commit message] CVE-2025-22044 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way. Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact: - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks. - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. The patch "x86/mm: only invalidate final translations with INVLPGB" which is currently under review (see <https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>) would probably be making the impact of this a lot worse. CVE-2025-22045 moderate In the Linux kernel, the following vulnerability has been resolved: usbnet:fix NPE during rx_complete Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check. This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SKB data fails to be queued. Subsequent processes: (e.g., rx_complete -> defer_bh -> __skb_unlink(skb, list)) attempt to access skb->next, triggering a NULL pointer dereference (Kernel Panic). CVE-2025-22050 moderate In the Linux kernel, the following vulnerability has been resolved: net: ibmveth: make veth_pool_store stop hanging v2: - Created a single error handling unlock and exit in veth_pool_store - Greatly expanded commit message with previous explanatory-only text Summary: Use rtnl_mutex to synchronize veth_pool_store with itself, ibmveth_close and ibmveth_open, preventing multiple calls in a row to napi_disable. Background: Two (or more) threads could call veth_pool_store through writing to /sys/devices/vio/30000002/pool*/*. You can do this easily with a little shell script. This causes a hang. I configured LOCKDEP, compiled ibmveth.c with DEBUG, and built a new kernel. I ran this test again and saw: Setting pool0/active to 0 Setting pool1/active to 1 [ 73.911067][ T4365] ibmveth 30000002 eth0: close starting Setting pool1/active to 1 Setting pool1/active to 0 [ 73.911367][ T4366] ibmveth 30000002 eth0: close starting [ 73.916056][ T4365] ibmveth 30000002 eth0: close complete [ 73.916064][ T4365] ibmveth 30000002 eth0: open starting [ 110.808564][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. [ 230.808495][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. [ 243.683786][ T123] INFO: task stress.sh:4365 blocked for more than 122 seconds. [ 243.683827][ T123] Not tainted 6.14.0-01103-g2df0c02dab82-dirty #8 [ 243.683833][ T123] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 243.683838][ T123] task:stress.sh state:D stack:28096 pid:4365 tgid:4365 ppid:4364 task_flags:0x400040 flags:0x00042000 [ 243.683852][ T123] Call Trace: [ 243.683857][ T123] [c00000000c38f690] [0000000000000001] 0x1 (unreliable) [ 243.683868][ T123] [c00000000c38f840] [c00000000001f908] __switch_to+0x318/0x4e0 [ 243.683878][ T123] [c00000000c38f8a0] [c000000001549a70] __schedule+0x500/0x12a0 [ 243.683888][ T123] [c00000000c38f9a0] [c00000000154a878] schedule+0x68/0x210 [ 243.683896][ T123] [c00000000c38f9d0] [c00000000154ac80] schedule_preempt_disabled+0x30/0x50 [ 243.683904][ T123] [c00000000c38fa00] [c00000000154dbb0] __mutex_lock+0x730/0x10f0 [ 243.683913][ T123] [c00000000c38fb10] [c000000001154d40] napi_enable+0x30/0x60 [ 243.683921][ T123] [c00000000c38fb40] [c000000000f4ae94] ibmveth_open+0x68/0x5dc [ 243.683928][ T123] [c00000000c38fbe0] [c000000000f4aa20] veth_pool_store+0x220/0x270 [ 243.683936][ T123] [c00000000c38fc70] [c000000000826278] sysfs_kf_write+0x68/0xb0 [ 243.683944][ T123] [c00000000c38fcb0] [c0000000008240b8] kernfs_fop_write_iter+0x198/0x2d0 [ 243.683951][ T123] [c00000000c38fd00] [c00000000071b9ac] vfs_write+0x34c/0x650 [ 243.683958][ T123] [c00000000c38fdc0] [c00000000071bea8] ksys_write+0x88/0x150 [ 243.683966][ T123] [c00000000c38fe10] [c0000000000317f4] system_call_exception+0x124/0x340 [ 243.683973][ T123] [c00000000c38fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec ... [ 243.684087][ T123] Showing all locks held in the system: [ 243.684095][ T123] 1 lock held by khungtaskd/123: [ 243.684099][ T123] #0: c00000000278e370 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x50/0x248 [ 243.684114][ T123] 4 locks held by stress.sh/4365: [ 243.684119][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 [ 243.684132][ T123] #1: c000000041aea888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x154/0x2d0 [ 243.684143][ T123] #2: c0000000366fb9a8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x160/0x2d0 [ 243.684155][ T123] #3: c000000035ff4cb8 (&dev->lock){+.+.}-{3:3}, at: napi_enable+0x30/0x60 [ 243.684166][ T123] 5 locks held by stress.sh/4366: [ 243.684170][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 [ 243. ---truncated--- CVE-2025-22053 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below: [ 3.905425] ================================================================== [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] <TASK> [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Fix these issues by enforing correct length condition in related policies. CVE-2025-22055 important In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops. We can reproduce the issue with the script below [0]: 1. /proc/net/sockstat reports 0 pages # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 0 2. Run the script till the report reaches 524,288 # python3 test.py & sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT 3. Kill the socket and confirm the number never drops # pkill python3 && sleep 5 # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 524288 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() # python3 test.py & sleep 1 && pkill python3 5. The number doubles # cat /proc/net/sockstat | grep UDP: UDP: inuse 1 mem 1048577 The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release(). When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable. The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow. Then, the released amount is calculated as follows: 1) Add size to sk->sk_forward_alloc. 2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount. 3) Subtract amount from sk->sk_forward_alloc. 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4). Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for memory_allocated"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double. This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops. To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta. Note that first_packet_length() also potentially has the same problem. [0]: from socket import * SO_RCVBUFFORCE = 33 INT_MAX = (2 ** 31) - 1 s = socket(AF_INET, SOCK_DGRAM) s.bind(('', 0)) s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) c = socket(AF_INET, SOCK_DGRAM) c.connect(s.getsockname()) data = b'a' * 100 while True: c.send(data) CVE-2025-22058 moderate In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM information, from concurrent modifications. Both the TCAM and SRAM tables are indirectly accessed by configuring an index register that selects the row to read or write to. This means that operations must be atomic in order to, e.g., avoid spreading writes across multiple rows. Since the shadow SRAM array is used to find free rows in the hardware table, it must also be protected in order to avoid TOCTOU errors where multiple cores allocate the same row. This issue was detected in a situation where `mvpp2_set_rx_mode()` ran concurrently on two CPUs. In this particular case the MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the classifier unit to drop all incoming unicast - indicated by the `rx_classifier_drops` counter. CVE-2025-22060 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: add mutual exclusion in proc_sctp_do_udp_port() We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() or risk a crash as syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653 Call Trace: <TASK> udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181 sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930 proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553 proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601 iter_file_splice_write+0x91c/0x1150 fs/splice.c:738 do_splice_from fs/splice.c:935 [inline] direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158 splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102 do_splice_direct_actor fs/splice.c:1201 [inline] do_splice_direct+0x174/0x240 fs/splice.c:1227 do_sendfile+0xafd/0xe50 fs/read_write.c:1368 __do_sys_sendfile64 fs/read_write.c:1429 [inline] __se_sys_sendfile64 fs/read_write.c:1415 [inline] __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] CVE-2025-22062 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't unregister hook when table is dormant When nf_tables_updchain encounters an error, hook registration needs to be rolled back. This should only be done if the hook has been registered, which won't happen when the table is flagged as dormant (inactive). Just move the assignment into the registration block. CVE-2025-22064 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference. echo 1 > /sys/class/net/<netif>/device/sriov_numvfs reboot BUG: kernel NULL pointer dereference, address: 0000000000000020 ... RIP: 0010:idpf_remove+0x22/0x1f0 [idpf] ... ? idpf_remove+0x22/0x1f0 [idpf] ? idpf_remove+0x1e4/0x1f0 [idpf] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19f/0x200 pci_stop_bus_device+0x6d/0x90 pci_stop_and_remove_bus_device+0x12/0x20 pci_iov_remove_virtfn+0xbe/0x120 sriov_disable+0x34/0xe0 idpf_sriov_configure+0x58/0x140 [idpf] idpf_remove+0x1b9/0x1f0 [idpf] idpf_shutdown+0x12/0x30 [idpf] pci_device_shutdown+0x35/0x60 device_shutdown+0x156/0x200 ... Replace the direct idpf_remove() call in idpf_shutdown() with idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform the bulk of the cleanup, such as stopping the init task, freeing IRQs, destroying the vports and freeing the mailbox. This avoids the calls to sriov_disable() in addition to a small netdev cleanup, and destroying workqueues, which don't seem to be required on shutdown. CVE-2025-22065 moderate In the Linux kernel, the following vulnerability has been resolved: rtnetlink: Allocate vfinfo size for VF GUIDs when supported Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs") added support for getting VF port and node GUIDs in netlink ifinfo messages, but their size was not taken into consideration in the function that allocates the netlink message, causing the following warning when a netlink message is filled with many VF port and node GUIDs: # echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs # ip link show dev ib0 RTNETLINK answers: Message too long Cannot send link get request: Message too long Kernel warning: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0 Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:rtnl_getlink+0x586/0x5a0 Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ffff888113557348 EFLAGS: 00010246 RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000 RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8 RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000 R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00 R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn+0xa5/0x230 ? rtnl_getlink+0x586/0x5a0 ? report_bug+0x22d/0x240 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? skb_trim+0x6a/0x80 ? rtnl_getlink+0x586/0x5a0 ? __pfx_rtnl_getlink+0x10/0x10 ? rtnetlink_rcv_msg+0x1e5/0x860 ? __pfx___mutex_lock+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? __pfx_lock_acquire+0x10/0x10 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1d/0x70 ? kasan_save_stack+0x30/0x40 ? kasan_save_stack+0x20/0x40 ? kasan_save_track+0x10/0x30 rtnetlink_rcv_msg+0x21c/0x860 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? __pfx_rtnetlink_rcv_msg+0x10/0x10 ? arch_stack_walk+0x9e/0xf0 ? rcu_is_watching+0x34/0x60 ? lock_acquire+0xd5/0x410 ? rcu_is_watching+0x34/0x60 netlink_rcv_skb+0xe0/0x210 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? __pfx___netlink_lookup+0x10/0x10 ? lock_release+0x62/0x200 ? netlink_deliver_tap+0xfd/0x290 ? rcu_is_watching+0x34/0x60 ? lock_release+0x62/0x200 ? netlink_deliver_tap+0x95/0x290 netlink_unicast+0x31f/0x480 ? __pfx_netlink_unicast+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? lock_acquire+0xd5/0x410 netlink_sendmsg+0x369/0x660 ? lock_release+0x62/0x200 ? __pfx_netlink_sendmsg+0x10/0x10 ? import_ubuf+0xb9/0xf0 ? __import_iovec+0x254/0x2b0 ? lock_release+0x62/0x200 ? __pfx_netlink_sendmsg+0x10/0x10 ____sys_sendmsg+0x559/0x5a0 ? __pfx_____sys_sendmsg+0x10/0x10 ? __pfx_copy_msghdr_from_user+0x10/0x10 ? rcu_is_watching+0x34/0x60 ? do_read_fault+0x213/0x4a0 ? rcu_is_watching+0x34/0x60 ___sys_sendmsg+0xe4/0x150 ? __pfx____sys_sendmsg+0x10/0x10 ? do_fault+0x2cc/0x6f0 ? handle_pte_fault+0x2e3/0x3d0 ? __pfx_handle_pte_fault+0x10/0x10 ---truncated--- CVE-2025-22075 moderate In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Prevent integer overflow in hdr_first_de() The "de_off" and "used" variables come from the disk so they both need to check. The problem is that on 32bit systems if they're both greater than UINT_MAX - 16 then the check does work as intended because of an integer overflow. CVE-2025-22080 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against mlx5_core_qp which is our FW QP number. Otherwise we could use the wrong QP when handling a CQE which could cause the kernel trace below. This issue is mainly noticeable over QPs 0 & 1, since for now they are the only QPs in our driver whereas the QP number inside mlx5_ib_qp doesn't match the QP number inside mlx5_core_qp. BUG: kernel NULL pointer dereference, address: 0000000000000012 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21 RSP: 0018:ffff88810511bd60 EFLAGS: 00010046 RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000 R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0 FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] __ib_process_cq+0x5a/0x150 [ib_core] ib_cq_poll_work+0x31/0x90 [ib_core] process_one_work+0x169/0x320 worker_thread+0x288/0x3a0 ? work_busy+0xb0/0xb0 kthread+0xd7/0x1f0 ? kthreads_online_cpu+0x130/0x130 ? kthreads_online_cpu+0x130/0x130 ret_from_fork+0x2d/0x50 ? kthreads_online_cpu+0x130/0x130 ret_from_fork_asm+0x11/0x20 </TASK> CVE-2025-22086 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue. CVE-2025-22088 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. As fork() fails, we'll cleanup the maple tree, and stumble over the dst VMA for which we neither performed any reservation nor copied any page tables. Consequently untrack_pfn() will see VM_PAT and try obtaining the PAT information from the page table -- which fails because the page table was not copied. The easiest fix would be to simply clear the VM_PAT flag of the dst VMA if track_pfn_copy() fails. However, the whole thing is about "simply" clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy() and performed a reservation, but copying the page tables fails, we'll simply clear the VM_PAT flag, not properly undoing the reservation ... which is also wrong. So let's fix it properly: set the VM_PAT flag only if the reservation succeeded (leaving it clear initially), and undo the reservation if anything goes wrong while copying the page tables: clearing the VM_PAT flag after undoing the reservation. Note that any copied page table entries will get zapped when the VMA will get removed later, after copy_page_range() succeeded; as VM_PAT is not set then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be happy. Note that leaving these page tables in place without a reservation is not a problem, as we are aborting fork(); this process will never run. A reproducer can trigger this usually at the first try: https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110 Modules linked in: ... CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:get_pat_info+0xf6/0x110 ... Call Trace: <TASK> ... untrack_pfn+0x52/0x110 unmap_single_vma+0xa6/0xe0 unmap_vmas+0x105/0x1f0 exit_mmap+0xf6/0x460 __mmput+0x4b/0x120 copy_process+0x1bf6/0x2aa0 kernel_clone+0xab/0x440 __do_sys_clone+0x66/0x90 do_syscall_64+0x95/0x180 Likely this case was missed in: d155df53f310 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed") ... and instead of undoing the reservation we simply cleared the VM_PAT flag. Keep the documentation of these functions in include/linux/pgtable.h, one place is more than sufficient -- we should clean that up for the other functions like track_pfn_remap/untrack_pfn separately. CVE-2025-22090 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid NPD when ASIC does not support DMUB ctx->dmub_srv will de NULL if the ASIC does not support DMUB, which is tested in dm_dmub_sw_init. However, it will be dereferenced in dmub_hw_lock_mgr_cmd if should_use_dmub_lock returns true. This has been the case since dmub support has been added for PSR1. Fix this by checking for dmub_srv in should_use_dmub_lock. [ 37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 37.447808] #PF: supervisor read access in kernel mode [ 37.452959] #PF: error_code(0x0000) - not-present page [ 37.458112] PGD 0 P4D 0 [ 37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88 [ 37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023 [ 37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0 [ 37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5 [ 37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202 [ 37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358 [ 37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000 [ 37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5 [ 37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000 [ 37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000 [ 37.551725] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000 [ 37.559814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0 [ 37.572697] Call Trace: [ 37.575152] <TASK> [ 37.577258] ? __die_body+0x66/0xb0 [ 37.580756] ? page_fault_oops+0x3e7/0x4a0 [ 37.584861] ? exc_page_fault+0x3e/0xe0 [ 37.588706] ? exc_page_fault+0x5c/0xe0 [ 37.592550] ? asm_exc_page_fault+0x22/0x30 [ 37.596742] ? dmub_hw_lock_mgr_cmd+0x77/0xb0 [ 37.601107] dcn10_cursor_lock+0x1e1/0x240 [ 37.605211] program_cursor_attributes+0x81/0x190 [ 37.609923] commit_planes_for_stream+0x998/0x1ef0 [ 37.614722] update_planes_and_stream_v2+0x41e/0x5c0 [ 37.619703] dc_update_planes_and_stream+0x78/0x140 [ 37.624588] amdgpu_dm_atomic_commit_tail+0x4362/0x49f0 [ 37.629832] ? srso_return_thunk+0x5/0x5f [ 37.633847] ? mark_held_locks+0x6d/0xd0 [ 37.637774] ? _raw_spin_unlock_irq+0x24/0x50 [ 37.642135] ? srso_return_thunk+0x5/0x5f [ 37.646148] ? lockdep_hardirqs_on+0x95/0x150 [ 37.650510] ? srso_return_thunk+0x5/0x5f [ 37.654522] ? _raw_spin_unlock_irq+0x2f/0x50 [ 37.658883] ? srso_return_thunk+0x5/0x5f [ 37.662897] ? wait_for_common+0x186/0x1c0 [ 37.666998] ? srso_return_thunk+0x5/0x5f [ 37.671009] ? drm_crtc_next_vblank_start+0xc3/0x170 [ 37.675983] commit_tail+0xf5/0x1c0 [ 37.679478] drm_atomic_helper_commit+0x2a2/0x2b0 [ 37.684186] drm_atomic_commit+0xd6/0x100 [ 37.688199] ? __cfi___drm_printfn_info+0x10/0x10 [ 37.692911] drm_atomic_helper_update_plane+0xe5/0x130 [ 37.698054] drm_mode_cursor_common+0x501/0x670 [ 37.702600] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10 [ 37.707572] drm_mode_cursor_ioctl+0x48/0x70 [ 37.711851] drm_ioctl_kernel+0xf2/0x150 [ 37.715781] drm_ioctl+0x363/0x590 [ 37.719189] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10 [ 37.724165] amdgpu_drm_ioctl+0x41/0x80 [ 37.728013] __se_sys_ioctl+0x7f/0xd0 [ 37.731685] do_syscall_64+0x87/0x100 [ 37.735355] ? vma_end_read+0x12/0xe0 [ 37.739024] ? srso_return_thunk+0x5/0x5f [ 37.743041] ? find_held_lock+0x47/0xf0 [ 37.746884] ? vma_end_read+0x12/0xe0 [ 37.750552] ? srso_return_thunk+0x5/0 ---truncated--- CVE-2025-22093 moderate In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix use after free and double free on init error If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it. Fix both possible errors by initializing default_config only when the driver initialization succeeded. CVE-2025-22097 important In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix kernel panic during FW release This fixes a kernel panic seen during release FW in a stress test scenario where WLAN and BT FW download occurs simultaneously, and due to a HW bug, chip sends out only 1 bootloader signatures. When driver receives the bootloader signature, it enters FW download mode, but since no consequtive bootloader signatures seen, FW file is not requested. After 60 seconds, when FW download times out, release_firmware causes a kernel panic. [ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573 [ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000 [ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000 [ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP [ 2601.992091] Modules linked in: algif_hash algif_skcipher af_alg btnxpuart(O) pciexxx(O) mlan(O) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce snd_soc_fsl_easrc snd_soc_fsl_asoc_card imx8_media_dev(C) snd_soc_fsl_micfil polyval_generic snd_soc_fsl_xcvr snd_soc_fsl_sai snd_soc_imx_audmux snd_soc_fsl_asrc snd_soc_imx_card snd_soc_imx_hdmi snd_soc_fsl_aud2htx snd_soc_fsl_utils imx_pcm_dma dw_hdmi_cec flexcan can_dev [ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G C O 6.6.23-lts-next-06236-gb586a521770e #1 [ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT) [ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2602.010191] pc : _raw_spin_lock+0x34/0x68 [ 2602.010201] lr : free_fw_priv+0x20/0xfc [ 2602.020561] sp : ffff800089363b30 [ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000 [ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000 [ 2602.020577] x23: ffff0000dc856f38 [ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000 [ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000 [ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480 [ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002 [ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30 [ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000 [ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001 [ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573 [ 2602.083354] Call trace: [ 2602.083356] _raw_spin_lock+0x34/0x68 [ 2602.083364] release_firmware+0x48/0x6c [ 2602.083370] nxp_setup+0x3c4/0x540 [btnxpuart] [ 2602.083383] hci_dev_open_sync+0xf0/0xa34 [ 2602.083391] hci_dev_open+0xd8/0x178 [ 2602.083399] hci_sock_ioctl+0x3b0/0x590 [ 2602.083405] sock_do_ioctl+0x60/0x118 [ 2602.083413] sock_ioctl+0x2f4/0x374 [ 2602.091430] __arm64_sys_ioctl+0xac/0xf0 [ 2602.091437] invoke_syscall+0x48/0x110 [ 2602.091445] el0_svc_common.constprop.0+0xc0/0xe0 [ 2602.091452] do_el0_svc+0x1c/0x28 [ 2602.091457] el0_svc+0x40/0xe4 [ 2602.091465] el0t_64_sync_handler+0x120/0x12c [ 2602.091470] el0t_64_sync+0x190/0x194 CVE-2025-22102 moderate In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Use kernel helpers for hex dumps Previously, when the driver was printing hex dumps, the buffer was cast to an 8 byte long and printed using string formatters. If the buffer size was not a multiple of 8 then a read buffer overflow was possible. Therefore, create a new ibmvnic function that loops over a buffer and calls hex_dump_to_buffer instead. This patch address KASAN reports like the one below: ibmvnic 30000003 env3: Login Buffer: ibmvnic 30000003 env3: 01000000af000000 <...> ibmvnic 30000003 env3: 2e6d62692e736261 ibmvnic 30000003 env3: 65050003006d6f63 ================================================================== BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic] Read of size 8 at addr c0000001331a9aa8 by task ip/17681 <...> Allocated by task 17681: <...> ibmvnic_login+0x2f0/0xffc [ibmvnic] ibmvnic_open+0x148/0x308 [ibmvnic] __dev_open+0x1ac/0x304 <...> The buggy address is located 168 bytes inside of allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf) <...> ================================================================= ibmvnic 30000003 env3: 000000000033766e CVE-2025-22104 moderate In the Linux kernel, the following vulnerability has been resolved: bonding: check xdp prog when set bond mode Following operations can trigger a warning[1]: ip netns add ns1 ip netns exec ns1 ip link add bond0 type bond mode balance-rr ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp ip netns exec ns1 ip link set bond0 type bond mode broadcast ip netns del ns1 When delete the namespace, dev_xdp_uninstall() is called to remove xdp program on bond dev, and bond_xdp_set() will check the bond mode. If bond mode is changed after attaching xdp program, the warning may occur. Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode with xdp program attached is not good. Add check for xdp program when set bond mode. [1] ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930 Modules linked in: CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930 Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ... RSP: 0018:ffffc90000063d80 EFLAGS: 00000282 RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48 RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8 R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000 FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0 Call Trace: <TASK> ? __warn+0x83/0x130 ? unregister_netdevice_many_notify+0x8d9/0x930 ? report_bug+0x18e/0x1a0 ? handle_bug+0x54/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? unregister_netdevice_many_notify+0x8d9/0x930 ? bond_net_exit_batch_rtnl+0x5c/0x90 cleanup_net+0x237/0x3d0 process_one_work+0x163/0x390 worker_thread+0x293/0x3b0 ? __pfx_worker_thread+0x10/0x10 kthread+0xec/0x1e0 ? __pfx_kthread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- CVE-2025-22105 moderate In the Linux kernel, the following vulnerability has been resolved: vmxnet3: unregister xdp rxq info in the reset path vmxnet3 does not unregister xdp rxq info in the vmxnet3_reset_work() code path as vmxnet3_rq_destroy() is not invoked in this code path. So, we get below message with a backtrace. Missing unregister, handled but fix driver WARNING: CPU:48 PID: 500 at net/core/xdp.c:182 __xdp_rxq_info_reg+0x93/0xf0 This patch fixes the problem by moving the unregister code of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup(). CVE-2025-22106 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, because the last element is out of bounds. The out-of-bounds element still remains out of bounds after being accessed, so the problem is only that we touch it, not that it becomes in active use. But I suppose it can lead to issues if the out-of-bounds element is part of an unmapped page. CVE-2025-22107 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Mask the bd_cnt field in the TX BD properly The bd_cnt field in the TX BD specifies the total number of BDs for the TX packet. The bd_cnt field has 5 bits and the maximum number supported is 32 with the value 0. CONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB fragments can approach or exceed the maximum supported by the chip. Add a macro to properly mask the bd_cnt field so that the value 32 will be properly masked and set to 0 in the bd_cnd field. Without this patch, the out-of-range bd_cnt value will corrupt the TX BD and may cause TX timeout. The next patch will check for values exceeding 32. CVE-2025-22108 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: Remove broken autobind Binding AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). Memory leak was detected with kmemleak: ================================================================ unreferenced object 0xffff8880253cd680 (size 96): backtrace: __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43) kmemdup_noprof (mm/util.c:136) ax25_rt_autobind (net/ax25/ax25_route.c:428) ax25_connect (net/ax25/af_ax25.c:1282) __sys_connect_file (net/socket.c:2045) __sys_connect (net/socket.c:2064) __x64_sys_connect (net/socket.c:2067) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) ================================================================ When socket is bound, refcounts must be incremented the way it is done in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of autobind, the refcounts are not incremented. This bug leads to the following issue reported by Syzkaller: ================================================================ ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de ------------[ cut here ]------------ refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31 Modules linked in: CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31 ... Call Trace: <TASK> __refcount_dec include/linux/refcount.h:336 [inline] refcount_dec include/linux/refcount.h:351 [inline] ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236 netdev_tracker_free include/linux/netdevice.h:4302 [inline] netdev_put include/linux/netdevice.h:4319 [inline] ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080 __sock_release net/socket.c:647 [inline] sock_close+0xbc/0x240 net/socket.c:1398 __fput+0x3e9/0x9f0 fs/file_table.c:464 __do_sys_close fs/open.c:1580 [inline] __se_sys_close fs/open.c:1565 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1565 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> ================================================================ Considering the issues above and the comments left in the code that say: "check if we can remove this feature. It is broken."; "autobinding in this may or may not work"; - it is better to completely remove this feature than to fix it because it is broken and leads to various kinds of memory bugs. Now calling connect() without first binding socket will result in an error (-EINVAL). Userspace software that relies on the autobind feature might get broken. However, this feature does not seem widely used with this specific driver as it was not reliable at any point of time, and it is already broken anyway. E.g. ax25-tools and ax25-apps packages for popular distributions do not use the autobind feature for AF_AX25. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-22109 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_space_info(), but before creation is completely completed in btrfs_create_pending_block_groups(). As a result, it is possible for a block group to go unused and have 'btrfs_mark_bg_unused' called on it concurrently with 'btrfs_create_pending_block_groups'. This causes a number of issues, which were fixed with the block group flag 'BLOCK_GROUP_FLAG_NEW'. However, this fix is not quite complete. Since it does not use the unused_bg_lock, it is possible for the following race to occur: btrfs_create_pending_block_groups btrfs_mark_bg_unused if list_empty // false list_del_init clear_bit else if (test_bit) // true list_move_tail And we get into the exact same broken ref count and invalid new_bgs state for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to prevent. The broken refcount aspect will result in a warning like: [1272.943527] refcount_t: underflow; use-after-free. [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110 [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs] [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108 [1272.946368] Tainted: [W]=WARN [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110 [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282 [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000 [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268 [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0 [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0 [1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000 [1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0 [1272.954474] Call Trace: [1272.954655] <TASK> [1272.954812] ? refcount_warn_saturate+0xba/0x110 [1272.955173] ? __warn.cold+0x93/0xd7 [1272.955487] ? refcount_warn_saturate+0xba/0x110 [1272.955816] ? report_bug+0xe7/0x120 [1272.956103] ? handle_bug+0x53/0x90 [1272.956424] ? exc_invalid_op+0x13/0x60 [1272.956700] ? asm_exc_invalid_op+0x16/0x20 [1272.957011] ? refcount_warn_saturate+0xba/0x110 [1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs] [1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs] [1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs] [1272.958729] process_one_work+0x130/0x290 [1272.959026] worker_thread+0x2ea/0x420 [1272.959335] ? __pfx_worker_thread+0x10/0x10 [1272.959644] kthread+0xd7/0x1c0 [1272.959872] ? __pfx_kthread+0x10/0x10 [1272.960172] ret_from_fork+0x30/0x50 [1272.960474] ? __pfx_kthread+0x10/0x10 [1272.960745] ret_from_fork_asm+0x1a/0x30 [1272.961035] </TASK> [1272.961238] ---[ end trace 0000000000000000 ]--- Though we have seen them in the async discard workfn as well. It is most likely to happen after a relocation finishes which cancels discard, tears down the block group, etc. Fix this fully by taking the lock arou ---truncated--- CVE-2025-22115 important In the Linux kernel, the following vulnerability has been resolved: idpf: check error for register_netdev() on init Current init logic ignores the error code from register_netdev(), which will cause WARN_ON() on attempt to unregister it, if there was one, and there is no info for the user that the creation of the netdev failed. WARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10 ... [ 3707.563641] unregister_netdev+0x1c/0x30 [ 3707.563656] idpf_vport_dealloc+0x5cf/0xce0 [idpf] [ 3707.563684] idpf_deinit_task+0xef/0x160 [idpf] [ 3707.563712] idpf_vc_core_deinit+0x84/0x320 [idpf] [ 3707.563739] idpf_remove+0xbf/0x780 [idpf] [ 3707.563769] pci_device_remove+0xab/0x1e0 [ 3707.563786] device_release_driver_internal+0x371/0x530 [ 3707.563803] driver_detach+0xbf/0x180 [ 3707.563816] bus_remove_driver+0x11b/0x2a0 [ 3707.563829] pci_unregister_driver+0x2a/0x250 Introduce an error check and log the vport number and error code. On removal make sure to check VPORT_REG_NETDEV flag prior to calling unregister and free on the netdev. Add local variables for idx, vport_config and netdev for readability. CVE-2025-22116 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Above issue happens as ext4_xattr_delete_inode() isn't check xattr is valid if xattr is in inode. To solve above issue call xattr_check_inode() check if xattr if valid in inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification. CVE-2025-22121 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path If a shared IRQ is used by the driver due to platform limitation, then the IRQ affinity hint is set right after the allocation of IRQ vectors in ath12k_pci_msi_alloc(). This does no harm unless one of the functions requesting the IRQ fails and attempt to free the IRQ. This may end up with a warning from the IRQ core that is expecting the affinity hint to be cleared before freeing the IRQ: kernel/irq/manage.c: /* make sure affinity_hint is cleaned up */ if (WARN_ON_ONCE(desc->affinity_hint)) desc->affinity_hint = NULL; So to fix this issue, clear the IRQ affinity hint before calling ath12k_pci_free_irq() in the error path. The affinity will be cleared once again further down the error path due to code organization, but that does no harm. CVE-2025-22128 moderate A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache. CVE-2025-2312 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path If a shared IRQ is used by the driver due to platform limitation, then the IRQ affinity hint is set right after the allocation of IRQ vectors in ath11k_pci_alloc_msi(). This does no harm unless one of the functions requesting the IRQ fails and attempt to free the IRQ. This results in the below warning: WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c Call trace: free_irq+0x278/0x29c ath11k_pcic_free_irq+0x70/0x10c [ath11k] ath11k_pci_probe+0x800/0x820 [ath11k_pci] local_pci_probe+0x40/0xbc The warning is due to not clearing the affinity hint before freeing the IRQs. So to fix this issue, clear the IRQ affinity hint before calling ath11k_pcic_free_irq() in the error path. The affinity will be cleared once again further down the error path due to code organization, but that does no harm. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1 CVE-2025-23129 moderate In the Linux kernel, the following vulnerability has been resolved: dlm: prevent NPD when writing a positive value to event_done do_uevent returns the value written to event_done. In case it is a positive value, new_lockspace would undo all the work, and lockspace would not be set. __dlm_new_lockspace, however, would treat that positive value as a success due to commit 8511a2728ab8 ("dlm: fix use count with multiple joins"). Down the line, device_create_lockspace would pass that NULL lockspace to dlm_find_lockspace_local, leading to a NULL pointer dereference. Treating such positive values as successes prevents the problem. Given this has been broken for so long, this is unlikely to break userspace expectations. CVE-2025-23131 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: update channel list in reg notifier instead reg worker Currently when ath11k gets a new channel list, it will be processed according to the following steps: 1. update new channel list to cfg80211 and queue reg_work. 2. cfg80211 handles new channel list during reg_work. 3. update cfg80211's handled channel list to firmware by ath11k_reg_update_chan_list(). But ath11k will immediately execute step 3 after reg_work is just queued. Since step 2 is asynchronous, cfg80211 may not have completed handling the new channel list, which may leading to an out-of-bounds write error: BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list Call Trace: ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k] kfree+0x109/0x3a0 ath11k_regd_update+0x1cf/0x350 [ath11k] ath11k_regd_update_work+0x14/0x20 [ath11k] process_one_work+0xe35/0x14c0 Should ensure step 2 is completely done before executing step 3. Thus Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set, cfg80211 will notify ath11k after step 2 is done. So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will notify ath11k after step 2 is done. At this time, there will be no KASAN bug during the execution of the step 3. [1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/ Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 CVE-2025-23133 moderate In the Linux kernel, the following vulnerability has been resolved: thermal: int340x: Add NULL check for adev Not all devices have an ACPI companion fwnode, so adev might be NULL. This is similar to the commit cd2fd6eab480 ("platform/x86: int3472: Check for adev == NULL"). Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in int3402_thermal_probe(). Note, under the same directory, int3400_thermal_probe() has such a check. [ rjw: Subject edit, added Fixes: ] CVE-2025-23136 moderate In the Linux kernel, the following vulnerability has been resolved: watch_queue: fix pipe accounting mismatch Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what than we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers() (It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?) CVE-2025-23138 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ... According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here. This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional. Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to. CVE-2025-23145 important A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVE-2025-2588 low In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies. CVE-2025-27219 moderate In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. CVE-2025-27220 moderate In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory. CVE-2025-29087 moderate In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect. CVE-2025-29088 moderate In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. CVE-2025-32414 moderate In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. CVE-2025-32415 low In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. CVE-2025-32728 moderate A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function. CVE-2025-3360 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] <TASK> [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-37785 moderate In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue(). CVE-2025-37798 important In the Linux kernel, the following vulnerability has been resolved: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes). We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire. In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets). We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let the curl request succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible). Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3_process_xdp_small(), by the way, and it indicates the correct length needed to initialize the xdp->{data,data_end} parts. For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the relevant part was adapting xdp_init_buff() to address the warning given the xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on the wire looks good again. CVE-2025-37799 moderate In the Linux kernel, the following vulnerability has been resolved: sfc: fix NULL dereferences in ef100_process_design_param() Since cited commit, ef100_probe_main() and hence also ef100_check_design_params() run before efx->net_dev is created; consequently, we cannot netif_set_tso_max_size() or _segs() at this point. Move those netif calls to ef100_probe_netdev(), and also replace netif_err within the design params code with pci_err. CVE-2025-37860 moderate In the Linux kernel, the following vulnerability has been resolved: clk: samsung: Fix UBSAN panic in samsung_clk_init() With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to dereferencing `ctx->clk_data.hws` before setting `ctx->clk_data.num = nr_clks`. Move that up to fix the crash. UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP <snip> Call trace: samsung_clk_init+0x110/0x124 (P) samsung_clk_init+0x48/0x124 (L) samsung_cmu_register_one+0x3c/0xa0 exynos_arm64_register_cmu+0x54/0x64 __gs101_cmu_top_of_clk_init_declare+0x28/0x60 ... CVE-2025-39728 moderate A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern. CVE-2025-4382 moderate ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. CVE-2025-47268 moderate setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. CVE-2025-47273 moderate Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). CVE-2025-4802 important