SUSE-IU-2025:2334-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:2334-1 Interim 1 1 2026-03-19T08:56:22Z current 2025-08-19T01:00:00Z 2025-08-19T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:2334-1 / google/sles-15-sp6-chost-byos-v20250819-x86-64 This image update for google/sles-15-sp6-chost-byos-v20250819-x86-64 contains the following changes: Package boost was updated: - CVE-2016-9840: fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936) - adds patch boost-zlib.patch Package coreutils was updated: - coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch: sort with key character offsets of SIZE_MAX, could induce a read of 1 byte before an allocated heap buffer. (CVE-2025-5278, bsc#1243767) Package crypto-policies was updated: - Update the BSI policy [jsc#PED-12880] * BSI: switch to 3072 minimum RSA key size [322f0ba4] * BSI: Update BSI policy for new 2024 minimum [64b9dddd] * Add patches: - crypto-policies-BSI-Update-BSI-policy-for-new-2024-minimum-recommend.patch - crypto-policies-BSI-switch-to-3072-minimum-RSA-key-size.patch Package docker was updated: - Update to Docker 28.3.3-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2833&gt; CVE-2025-54388 bsc#1247367 - Update to docker-buildx v0.26.1. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.26.1&gt; - Update to docker-buildx v0.26.0. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.26.0&gt; - Update to Go 1.24 for builds, to match upstream. - Update to Docker 28.3.2-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2832&gt; - Update to Docker 28.3.1-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2831&gt; - Update to Docker 28.3.0-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2830&gt; bsc#1246556 - Rebase patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch Package google-dracut-config was updated: Package google-guest-oslogin was updated: - Cherry-pick dont-retry-bad-requests.patch to stop retrying bad requests causing timeouts during container startup (bsc#1243992) Package grub2 was updated: - Skip mount point in grub_find_device function (bsc#1246231) * 0001-getroot-Skip-mount-points-in-grub_find_device.patch - Fix CVE-2024-56738: side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959) * grub2-constant-time-grub_crypto_memcmp.patch - Fix test -f and -s do not work properly over the network files served via tftp and http (bsc#1246157) (bsc#1246237) * 0001-test-Fix-f-test-on-files-over-network.patch * 0002-http-Return-HTTP-status-code-in-http_establish.patch * 0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch * 0004-tftp-Fix-hang-when-file-is-a-directory.patch Package hwinfo was updated: - merge gh#openSUSE/hwinfo#168- fix usb network card detection (bsc#1245950) - 21.89 Package iputils was updated: - Security fix [bsc#1243772, CVE-2025-48964] * Fix integer overflow in ping statistics via zero timestamp * Add iputils-CVE-2025-48964_01.patch * Add iputils-CVE-2025-48964_02.patch * Add iputils-CVE-2025-48964_03.patch * Add iputils-CVE-2025-48964_04.patch * Add iputils-CVE-2025-48964_regression.patch Package jq was updated: - Add patches CVE-2025-48060-1.patch and CVE-2025-48060-2.patch (CVE-2025-48060, bsc#1244116) - Add patch CVE-2024-23337.patch (CVE-2024-23337, bsc#1243450) Package kernel-default was updated: - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - commit 9bd4e20 - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - commit d8e756f - add bug reference to existing hv_storvsc change (bsc#1245455). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - commit 1c553b0 - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - commit 784f61d - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - commit dd145d5 - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - idpf: fix null-ptr-deref in idpf_features_check (CVE-2025-38053 bsc#1244746). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: fix vf-&gt;num_mac count with port representors (git-fixes). - devlink: fix port dump cmd type (git-fixes). - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - commit 6dccf5f - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - commit bf8eb79 - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - commit 652de47 - drm/amdgpu: csa unmap use uninterruptible lock (CVE-2025-38011 bsc#1244729). - commit d370e7c - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - drm/i915: fix build error some more (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab-&gt;base_lock (stable-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq-&gt;read (stable-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - commit 0dc7dde - Update patches.suse/HID-uclogic-Add-NULL-check-in-uclogic_input_configur.patch (git-fixes CVE-2025-38007 bsc#1244938). - Update patches.suse/RDMA-core-Fix-KASAN-slab-use-after-free-Read-in-ib_r.patch (git-fixes CVE-2025-38022 bsc#1245003). - Update patches.suse/RDMA-rxe-Fix-slab-use-after-free-Read-in-rxe_queue_c.patch (git-fixes CVE-2025-38024 bsc#1245025). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-csu.patch (bsc#1243342 CVE-2025-38059 bsc#1244759). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-ext.patch (bsc#1236208 CVE-2025-21658). - Update patches.suse/can-bcm-add-locking-for-bcm_op-runtime-updates.patch (git-fixes CVE-2025-38004 bsc#1244274). - Update patches.suse/can-bcm-add-missing-rcu-read-protection-for-procfs-c.patch (git-fixes CVE-2025-38003 bsc#1244275). - Update patches.suse/crypto-algif_hash-fix-double-free-in-hash_accept.patch (git-fixes CVE-2025-38079 bsc#1245217). - Update patches.suse/crypto-lzo-Fix-compression-buffer-overrun.patch (stable-fixes CVE-2025-38068 bsc#1245210). - Update patches.suse/dmaengine-idxd-Refactor-remove-call-with-idxd_cleanu.patch (git-fixes CVE-2025-38014 bsc#1244732). - Update patches.suse/dmaengine-idxd-fix-memory-leak-in-error-handling-pat-46a5cca.patch (git-fixes CVE-2025-38015 bsc#1244789). - Update patches.suse/dmaengine-ti-k3-udma-Add-missing-locking.patch (git-fixes CVE-2025-38005 bsc#1244727). - Update patches.suse/drm-amd-display-Increase-block_sequence-array-size.patch (stable-fixes CVE-2025-38080 bsc#1244738). - Update patches.suse/ext4-goto-right-label-out_mmap_sem-in-ext4_setattr.patch (bsc#1242556 CVE-2025-22120 bsc#1241592). - Update patches.suse/firmware-arm_ffa-Set-dma_mask-for-ffa-devices.patch (stable-fixes CVE-2025-38043 bsc#1245081). - Update patches.suse/media-cx231xx-set-device_caps-for-417.patch (stable-fixes CVE-2025-38044 bsc#1245082). - Update patches.suse/net-handshake-Fix-handshake_req_destroy_test1.patch (git-fixes CVE-2024-26831 bsc#1223008). - Update patches.suse/net-mlx5e-Disable-MACsec-offload-for-uplink-represen.patch (git-fixes CVE-2025-38020 bsc#1245001). - Update patches.suse/net_sched-prio-fix-a-race-in-prio_tune.patch (git-fixes CVE-2025-38083 bsc#1245183). - Update patches.suse/nfs-handle-failure-of-nfs_get_lock_context-in-unlock-path.patch (git-fixes CVE-2025-38023 bsc#1245004). - Update patches.suse/orangefs-Do-not-truncate-file-size.patch (git-fixes CVE-2025-38065 bsc#1244906). - Update patches.suse/padata-do-not-leak-refcount-in-reorder_work.patch (git-fixes CVE-2025-38031 bsc#1245046). - Update patches.suse/phy-tegra-xusb-Use-a-bitmask-for-UTMI-pad-power-stat.patch (git-fixes CVE-2025-38010 bsc#1244996). - Update patches.suse/platform-x86-dell-wmi-sysman-Avoid-buffer-overflow-i.patch (git-fixes CVE-2025-38077 bsc#1244736). - Update patches.suse/regulator-max20086-fix-invalid-memory-access.patch (git-fixes CVE-2025-38027 bsc#1245042). - Update patches.suse/s390-pci-Fix-duplicate-pci_dev_put-in-disable_slot-w.patch (git-fixes bsc#1244145 CVE-2025-37946 bsc#1243506). - Update patches.suse/s390-pci-fix-potential-double-remove-of-hotplug-slot.patch (bsc#1244145 CVE-2024-56699 bsc#1235490). - Update patches.suse/sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch (git fixes (sched/numa) CVE-2024-56613 bsc#1244176). - Update patches.suse/serial-mctrl_gpio-split-disable_ms-into-sync-and-no_.patch (git-fixes CVE-2025-38040 bsc#1245078). - Update patches.suse/spi-rockchip-Fix-register-out-of-bounds-access.patch (stable-fixes CVE-2025-38081 bsc#1244739). - Update patches.suse/usb-typec-ucsi-displayport-Fix-NULL-pointer-access.patch (git-fixes CVE-2025-37994 bsc#1243823). - Update patches.suse/vhost-scsi-Fix-handling-of-multiple-calls-to-vhost_s.patch (git-fixes CVE-2025-22083 bsc#1241414). - Update patches.suse/wifi-cfg80211-fix-out-of-bounds-access-during-multi-.patch (git-fixes CVE-2025-37973 bsc#1244172). - Update patches.suse/wifi-iwlwifi-fix-debug-actions-order.patch (stable-fixes CVE-2025-38045 bsc#1245083). - Update patches.suse/wifi-mac80211-Set-n_channels-after-allocating-struct.patch (git-fixes CVE-2025-38013 bsc#1244731). - Update patches.suse/wifi-mt76-disable-napi-on-driver-removal.patch (git-fixes CVE-2025-38009 bsc#1244995). - commit fee1c31 - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - commit 8d2d6ad - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - scsi: storvsc: Don't report the host packet status as the hv status (git-fixes). - commit cde971c - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - commit 9370aa3 - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - commit 59b0f84 - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - commit b11e8b5 - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - commit e13d6e0 - ntp: Remove invalid cast in time offset math (git-fixes) - commit 92649f3 - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - commit 17fecee - ntp: Safeguard against time_constant overflow (git-fixes) - commit fb90573 - ntp: Clamp maxerror and esterror to operating range (git-fixes) - commit 947fc29 - clocksource: Fix brown-bag boolean thinko in (git-fixes) - commit f65bb99 - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - commit a87f573 - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - commit 1a57489 - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - commit dc250ae - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - commit 4e863aa - Refresh patches.kabi/kabi-restore-layout-of-struct-mem_control.patch. - commit 5049495 - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - commit 2014732 - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - commit 36dffbc - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - commit 1697414 - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - commit a8fd69f - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - commit f73056c - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - commit 23262fc - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - commit b4e63e6 - bpf: Force uprobe bpf program to always return 0 (git-fixes). - commit 90effed - uprobes: Use kzalloc to allocate xol area (git-fixes). - Refresh patches.suse/uprobes-introduce-the-global-struct-vm_special_mapping-xol_mapping.patch. - commit 30d8536 - bpf: abort verification if env-&gt;cur_state-&gt;loop_entry != NULL (CVE-2025-38060 bsc#1245155). - Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch. - commit c80eca0 - selftests/bpf: check states pruning for deeply nested iterator (CVE-2025-38060 bsc#1245155). - bpf: don't do clean_live_states when state-&gt;loop_entry-&gt;branches &gt; 0 (CVE-2025-38060 bsc#1245155). - commit f0d9333 - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - commit 0aa445e - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - commit 44584be - vmxnet3: update MTU after device quiesce (bsc#1244626). - commit 14400a7 - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - commit 11611ac - tracing: Fix compilation warning on arm32 (bsc#1243551). - commit bc2f48d - tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923 bsc#1243551). - commit ff6a777 - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - commit 07065f3 - bpf: copy_verifier_state() should copy 'loop_entry' field (CVE-2025-38060 bsc#1245155). - Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch. - commit 815fadf - selftests/bpf: test correct loop_entry update in copy_verifier_state (CVE-2025-38060 bsc#1245155). - commit b2e3449 - tracing: Fix use-after-free in print_graph_function_flags during tracer switching (CVE-2025-22035 bsc#1241544). - commit b6d43f4 - bpf: Fix deadlock between rcu_tasks_trace and event_mutex (CVE-2025-37884 bsc#1243060). - commit 7f690ab - truct dwc3 hide new member wakeup_pending_funcs (git-fixes). - commit 84579a6 - kabi: restore layout of struct page_counter (jsc#PED-12551). - commit ef34a22 - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - commit 39cb14b - ucsi_debugfs_entry: hide signedness change (git-fixes). - commit 154816e - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch. - commit 40f2bc3 - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - commit b5678d7 - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - commit 416e192 - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - commit 53b0cf2 - Update reference for patches.suse/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch (bsc#1242504) - commit 8730da1 - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - commit e4f3ff4 - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - commit 7cf700b - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - Refresh patches.suse/ceph-improve-error-handling-and-short-overflow-read-.patch. - commit 04880f5 - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - commit e7c7fa7 - ceph: Fix incorrect flush end position calculation (git-fixes). - commit 626f897 - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - commit 7cc3455 - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (CVE-2025-37927 bsc#1243620). - commit 4916f47 - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvmet-fcloop: don't wait for lport cleanup (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - commit 20104c4 - Remove host-memcpy-hack.h This might have been usefult at some point but we have more things that depend on specific library versions today. - commit 0396c23 - Remove compress-vmlinux.sh /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in pesign-obs-integration during SLE12 RC. This workaround can be removed. - commit 19caac0 - Remove try-disable-staging-driver The config for linux-next is autogenerated from master config, and defaults filled for missing options. This is unlikely to enable any staging driver in the first place. - commit a6f21ed - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - commit 36de06b - net/tls: fix kernel panic when alloc_page failed (CVE-2025-38018 bsc#1244999). - commit 1124110 - espintcp: fix skb leaks (CVE-2025-38057 bsc#1244862). - commit dffbfd5 - nvme: fix command limits status code (git-fixes). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - commit 990928c - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - commit afe6d07 - x86/microcode/AMD: Add get_patch_level() (git-fixes). - commit 73bb23d - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - commit c818693 - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - commit 761df14 - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - commit d6c2d35 - x86/microcode: Consolidate the loader enablement checking (git-fixes). - commit d0fff01 - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - commit cbd3a76 - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - commit 871b129 - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - commit 3df7edd - libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743, CVE-2025-38072). - commit 42a394c - kabi: restore layout of struct mem_control (jsc#PED-12551). - commit e948e2e - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - commit 97c4d37 - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - commit 5798451 - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - NFC: nci: uart: Set tty-&gt;disc_data only in success path (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: don't wait when there is no vdev started (git-fixes). - wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - commit d77b71f - Update patches.suse/ALSA-pcm-Fix-race-of-buffer-access-at-PCM-OSS-layer.patch (CVE-2025-38078 bsc#1244737). - commit 9ad878b - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - commit 1a53756 - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - commit bd7e23e - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - commit c8863c2 - net_sched: tbf: fix a race in tbf_change() (git-fixes). - commit 8dd49d3 - net_sched: red: fix a race in __red_change() (git-fixes). - commit eb63704 - net_sched: prio: fix a race in prio_tune() (git-fixes). - commit 2898595 - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - commit 11af7b7 - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - commit 9bf44e9 - Update patches.suse/dlm-mask-sk_shutdown-value.patch (bsc#1241278). - Update patches.suse/dlm-use-SHUT_RDWR-for-SCTP-shutdown.patch (bsc#1241278). Original bsc number was wrong. Fix it. - commit 37c9443 - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (CVE-2025-38001 bsc#1244234). - commit 6a31481 - packaging: Add support for suse-kabi-tools The current workflow to check kABI stability during the RPM build of SUSE kernels consists of the following steps: * The downstream script rpm/modversions unpacks the consolidated kABI symtypes reference data from kabi/&lt;arch&gt;/symtypes-&lt;flavor&gt; and creates individual symref files. * The build performs a regular kernel make. During this operation, genksyms is invoked for each source file. The tool determines type signatures of all exports within the file, reports any differences compared to the associated symref reference, calculates symbol CRCs from the signatures and writes new type data into a symtypes file. * The script rpm/modversions is invoked again, this time it packs all new symtypes files to a consolidated kABI file. * The downstream script rpm/kabi.pl checks symbol CRCs in the new build and compares them to a reference from kabi/&lt;arch&gt;/symvers-&lt;flavor&gt;, taking kabi/severities into account. suse-kabi-tools is a new set of tools to improve the kABI checking process. The suite includes two tools, ksymtypes and ksymvers, which replace the existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison functionality previously provided by genksyms. The tools have their own source repository and package. The tools provide faster operation and more detailed, unified output. In addition, they allow the use of the new upstream tool gendwarfksyms, which lacks any built-in comparison functionality. The updated workflow is as follows: * The build performs a regular kernel make. During this operation, genksyms (gendwarfksyms) is invoked as usual, determinining signatures and CRCs of all exports and writing the type data to symtypes files. However, genksyms no longer performs any comparison. * 'ksymtypes consolidate' packs all new symtypes files to a consolidated kABI file. * 'ksymvers compare' checks symbol CRCs in the new build and compares them to a reference from kabi/&lt;arch&gt;/symvers-&lt;flavor&gt;, taking kabi/severities into account. The tool writes its result in a human-readable form on standard output and also writes a list of all changed exports (not ignored by kabi/severities) to the changed-exports file. * 'ksymtypes compare' takes the changed-exports file, the consolidated kABI symtypes reference data from kabi/&lt;arch&gt;/symtypes-&lt;flavor&gt; and the new consolidated data. Based on this data, it produces a detailed report explaining why the symbols changed. The patch enables the use of suse-kabi-tools via rpm/config.sh, providing explicit control to each branch. To enable the support, set USE_SUSE_KABI_TOOLS=Yes in the config file. - commit a2c6f89 - rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - commit 5432961 - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - commit 1373cac - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - commit 4eb007c - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - commit cc24dff - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - commit 45b89a8 - kernel-source: Remove log.sh from sources - commit 96bd779 - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - commit 8ae69e3 - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - commit 25c308f - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - commit 5b8c5a3 - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - commit c259874 - loop: add file_start_write() and file_end_write() (git-fixes). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - commit 6dba36f - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - commit d67c7bf - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). - commit 67e24e5 - Bluetooth: MGMT: Fix sparse errors (git-fixes). - commit bcd5c33 - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - ptp: remove ptp-&gt;n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - commit d9ecc09 - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (CVE-2025-38000 bsc#1244277). - commit ffb9ab4 - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - commit 8196566 - Revert &quot;ipv6: save dontfrag in cork (git-fixes).&quot; This reverts commit d3fe600164867bd0529ed1049fbd53ca9fce2eaf. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit b9e7a4e - Revert &quot;kABI: ipv6: save dontfrag in cork (git-fixes).&quot; This reverts commit cbc81e238815721048ac709726467c90981753c9. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit 38d0091 - kABI fix for net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (CVE-2025-22111 bsc#1241572). - commit edfd43c - page_pool: avoid infinite loop to schedule delayed worker (CVE-2025-37859 bsc#1243051). - commit b8f1dfd - tipc: fix memory leak in tipc_link_xmit (CVE-2025-37757 bsc#1242521) - commit 48e0415 - struct usci: hide additional member (git-fixes). - commit 1b8456a - net_sched: Flush gso_skb list too during -&gt;change() (CVE-2025-37992 bsc#1243698). - netfilter: ipset: fix region locking in hash types (CVE-2025-37997 bsc#1243832). - ipvs: fix uninit-value for saddr in do_output_route4 (CVE-2025-37961 bsc#1243523). - net: dsa: free routing table on probe failure (CVE-2025-37786 bsc#1242725). - net: tls: explicitly disallow disconnect (CVE-2025-37756 bsc#1242515). - net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (CVE-2025-22111 bsc#1241572). - vlan: enforce underlying device type (CVE-2025-21920 bsc#1240686). - xfrm: delete intermediate secpath entry in packet offload mode (CVE-2025-21720 bsc#1238859). - xfrm: state: fix out-of-bounds read during lookup (CVE-2024-57982 bsc#1237913). - rxrpc: Fix handling of received connection abort (CVE-2024-58053 bsc#1238982). - commit d3e755f - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). Return the correct upper limit of the allocated cpumask. modified: - patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping.patch - patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number.patch - commit 092bf4a - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - commit 24d5250 - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - commit 28d162e - Revert &quot;arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - commit 9dd3301 - xen/x86: fix initial memory balloon target (git-fixes). - commit 7e938b1 - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - commit 9d209cd - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - commit e8737ac - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - commit 498a796 - Revert &quot;ALSA: usb-audio: Skip setting clock selector for single connections&quot; (stable-fixes). - Refresh patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch. - Refresh patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch. - commit d0138e9 - ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - Refresh patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch. - Refresh patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch. - commit ee97bec - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - Refresh patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch. - Refresh patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch. - commit 7326e0b - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - commit d4a0ce3 - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - commit 4cfebaa - net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909 bsc#1243467). - vxlan: vnifilter: Fix unlocked deletion of default FDB entry (CVE-2025-37921 bsc#1243480). - commit 788c92a - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - commit 4df631e - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - commit ba2db88 - module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995 bsc#1243827) - commit 6979c9a - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - commit 7c95ae0 - x86/xen: fix balloon target initialization for PVH dom0 (git-fixes). - commit ad18aba - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - commit 2d4ad48 - tracing: Verify event formats that have &quot;%*p..&quot; (CVE-2025-37938 bsc#1243544). - tracing: Add __print_dynamic_array() helper (bsc#1243544). - tracing: Add __string_len() example (bsc#1243544). - commit c705d1d - fbdev/efifb: Remove PM for parent device (bsc#1244261). - Refresh patches.suse/fbdev-efifb-Register-sysfs-groups-through-driver-cor.patch. - commit 0c56458 - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - commit 7d2ce51 - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - commit bfdc372 - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b (&quot;bs-upload-kernel: Pass limit_packages also on multibuild&quot;) - commit f4c6047 - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - commit e4c2851 - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc (&quot;MyBS: Use buildflags to set which package to build&quot;) - commit 27588c9 - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc (&quot;MyBS: Use buildflags to set which package to build&quot;) Fixes: 747f601d4156 (&quot;bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)&quot;) - commit 8ef486c - ftrace: Avoid potential division by zero in function_stat_show() (CVE-2025-21898 bsc#1240610). - commit d476f96 - tracing: Fix bad hist from corrupting named_triggers list (CVE-2025-21899 bsc#1240577). - commit 60219e4 - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - commit 647b2f4 - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - commit ca42766 - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - commit 153c2a2 - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - commit af8b93e - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - commit 91b6192 - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - commit 254a145 - jffs2: check that raw node were preallocated before writing summary (git-fixes). - commit 4a6701a - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - commit ae818bc - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - commit dcdd8b6 - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - commit 65dff7c - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - commit 662ffcd - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - commit 15bb5b3 - blacklist.conf: Disable fineibt part of ITS mitigation - Refresh patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch. - commit cedb857 - xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823 CVE-2025-21997). - commit 931fc27 - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dlm: mask sk_shutdown value (bsc#1228854). - commit 730d8cf - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - commit 7d227ae - spi: bcm63xx-hsspi: fix shared reset (git-fixes). - spi: bcm63xx-spi: fix shared reset (git-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: filter: admv8818: Support frequencies &gt;= 2^32 (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - commit def2214 - s390/pci: Serialize device addition and removal (bsc#1244145). - commit f1ae730 - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - commit a73fcdb - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - commit 136fe4f - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - commit 9bbc219 - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - commit 9714d95 - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - commit 1415bb1 - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - commit 3430d11 - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - Refresh patches.suse/s390-pci-Fix-leak-of-struct-zpci_dev-when-zpci_add_device-fails.patch. - Refresh patches.suse/s390-pci-Sort-PCI-functions-prior-to-creating-virtual-busses.patch. - commit 2644b79 - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - Refresh patches.suse/s390-pci-Fix-leak-of-struct-zpci_dev-when-zpci_add_device-fails.patch. - Refresh patches.suse/s390-pci-Sort-PCI-functions-prior-to-creating-virtual-busses.patch. - Refresh patches.suse/s390-pci-Use-topology-ID-for-multi-function-devices.patch. - commit 9223df0 - media: mediatek: vcodec: Only free buffer VA that is not NULL (CVE-2023-52888 bsc#1228557). - commit 0299171 - net: fix udp gso skb_segment after pull from frag_list (git-fixes). - commit 8353437 - page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes). - commit 69ccdcd - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes). - commit d107edf - net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes). - commit 71395f7 - neighbour: Don't let neigh_forced_gc() disable preemption for long (git-fixes). - commit fea49bb - net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes). - commit eea3eab - Move upstreamed patches into sorted section - commit c9465fb - kernel-source: Do not use multiple -r in sed parameters This usage is enabled in commit b18d64d (sed: allow multiple (non-conflicting) -E/-r parameters, 2016-07-31) only available since sed 4.3 Fixes: dc2037cd8f94 (&quot;kernel-source: Also replace bin/env&quot; - commit 91ad98e - Drop AMDGPU patch that may cause regressions (bsc#1243782) Deleted: patches.suse/drm-amd-display-more-liberal-vmin-vmax-update-for-fr.patch - commit c23b99f - wifi: ath12k: Avoid memory leak while enabling statistics (CVE-2025-37743 bsc#1242163). - commit f493528 - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - rtc: Fix offset calculation for .start_secs &lt; 0 (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - commit ec23ee6 - net: usb: aqc111: debug info before sanitation (git-fixes). - commit fc18979 - openvswitch: Fix unsafe attribute parsing in output_userspace() (CVE-2025-37998 bsc#1243836) - commit 51afd13 - octeon_ep: Fix host hang issue during device reboot (CVE-2025-37933 bsc#1243628) - commit 44230dd - kABI: ipv6: save dontfrag in cork (git-fixes). Patch-up the kABI change with an #ifdef __GENKSYMS__. This change is safe (as detailed in the patch commit message) due to the struct having a 6-byte hole at the end we can use. - commit cbc81e2 - ipv6: save dontfrag in cork (git-fixes). - commit d3fe600 - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes). - commit 756fa72 - netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes). - commit e02eac4 - ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes). - commit d943643 - tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes). - commit 09561a1 - xsk: always clear DMA mapping information when unmapping the pool (git-fixes). - commit 9908bc6 - net: sched: fix erspan_opt settings in cls_flower (git-fixes). - commit fc52734 - spi: spi-imx: Add check for spi_imx_setupxfer() (CVE-2025-37801 bsc#1242850) - commit f3955e7 - ipmr: fix tables suspicious RCU usage (git-fixes). - commit d029f0f - ip6mr: fix tables suspicious RCU usage (git-fixes). - commit 79bb134 - netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes). - commit f180c62 - netdev-genl: Hold rcu_read_lock in napi_get (git-fixes). - commit 895e121 - net/neighbor: clear error in case strict check is not set (git-fixes). - commit 9eb711a - ipv4: Convert ip_route_input() to dscp_t (git-fixes). - commit 401defe - net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes). - commit a6910eb - udp: fix receiving fraglist GSO packets (git-fixes). - commit 5b87500 - net: linkwatch: use system_unbound_wq (git-fixes). - commit 34d590e - net: page_pool: fix warning code (git-fixes). - commit 0d77245 - net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes). - commit a1b1859 - tcp/dccp: complete lockless accesses to sk-&gt;sk_max_ack_backlog (git-fixes). - commit b96b4a8 - tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes). - commit afdb9bb - udp: preserve the connected status if only UDP cmsg (git-fixes). - commit 8714e3a - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes). - commit 34a2994 - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes). - commit f23f4c9 - ip_tunnel: annotate data-races around t-&gt;parms.link (git-fixes). - commit 765e083 - net: add rcu safety to rtnl_prop_list_size() (git-fixes). - commit 1e0fceb - net: ipv4: fix a memleak in ip_setup_cork (git-fixes). - commit 935ac41 - udp: annotate data-races around up-&gt;pending (git-fixes). - commit 72fda93 - ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes). - commit 011b9c9 - driver core: fix potential NULL pointer dereference in dev_uevent() (CVE-2025-37800 bsc#1242849). - driver core: introduce device_set_driver() helper (CVE-2025-37800 bsc#1242849). - commit 3aecdc2 - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - commit a145886 - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - Revert &quot;wifi: mt76: mt7996: fill txd by host driver&quot; (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: ath12k: fix node corruption in ar-&gt;arvifs list (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - commit 3f5d0e4 - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - commit 0de0b80 - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath11k: fix node corruption in ar-&gt;arvifs list (git-fixes). - watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: mac80211: don't unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - commit 9963350 - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - usb: xhci: Don't change the status of stalled TDs on failed Stop EP (stable-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - commit 38d0a8f - PM: sleep: Print PM debug messages during hibernation (git-fixes). - commit 96179c7 - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs &gt; 31 (git-fixes). - pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). - phy: core: don't require set_mode() callback for phy_get_mode() to work (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - pinctrl: bcm281xx: Use &quot;unsigned int&quot; instead of bare &quot;unsigned&quot; (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - regulator: ad5398: Add device tree support (stable-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - commit 32a9142 - tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes). - commit 2a9c7bb - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: clear phydev-&gt;devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - commit eedda90 - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: venus: Fix probe error handling (git-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: don't call schedule in loop (stable-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - commit de6c9a2 - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - commit e29f865 - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - gpiolib: Revert &quot;Don't WARN on gpiod_put() for optional GPIO&quot; (stable-fixes). - Input: xpad - add more controllers (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - intel_th: avoid using deprecated page-&gt;mapping, index fields (stable-fixes). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). - i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i2c: pxa: fix call balance of i2c-&gt;clk handling routines (stable-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). - gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - commit 50f84af - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - Revert &quot;drm/amdgpu: don't allow userspace to create a doorbell BO&quot; (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/vkms: Adjust vkms_state-&gt;active_planes allocation type (git-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amd/display: Don't try AUX transactions on disconnected link (stable-fixes). - drm/amdgpu: reset psp-&gt;cmd to NULL after releasing the buffer (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm/atomic: clarify the rules around drm_atomic_state-&gt;allow_modeset (stable-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm: Add valid clones check (stable-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - commit 0574d41 - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). - crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - commit 8e41cce - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - Revert &quot;bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first&quot; (stable-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list-&gt;pipelines allocation type (git-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - commit 595e083 - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). - commit 255f2cb - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - commit ab5fcf6 - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - commit 11aaa35 - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - ACPICA: Utilities: Fix spelling mistake &quot;Incremement&quot; -&gt; &quot;Increment&quot; (git-fixes). - ACPICA: exserial: don't forget to handle FFixedHW opregions for reading (git-fixes). - ACPI: OSI: Stop advertising support for &quot;3.0 _SCP Extensions&quot; (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - commit 6ebe577 - net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (CVE-2025-37917 bsc#1243475). - commit 0f659f2 - usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - commit bae0091 - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - commit a0506dd - usb: typec: ucsi: Only enable supported notifications (git-fixes). - commit 3a52706 - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). - commit 5ca6578 - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes). - commit 1564858 - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes). - commit 2bfd2a7 - pstore: Change kmsg_bytes storage size to u32 (git-fixes). - commit c964f36 - orangefs: Do not truncate file size (git-fixes). - commit 9fbe3ae - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes). - commit a689f10 - NFS: Don't allow waiting for exiting tasks (git-fixes). - Refresh patches.suse/nfs-add-missing-selections-of-CONFIG_CRC32.patch. - commit 899f47c - SUNRPC: Don't allow waiting for exiting tasks (git-fixes). - commit 8b942ca - NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes). - commit 9139fd5 - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes). - commit e2112a4 - SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes). - commit f49c9db - pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes). - commit 39e7a29 - iommu: Protect against overflow in iommu_pgsize() (git-fixes). - commit 6adbec5 - ext4: define ext4_journal_destroy wrapper (CVE-2025-22113 bsc#1241617). - commit 8dddf47 - ext4: ignore xattrs past end (bsc#1242846 CVE-2025-37738). - commit 2a74454 - ext4: avoid journaling sb update on error if journal is destroying (bsc#1241617 CVE-2025-22113). - commit 0445179 - net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (CVE-2024-49568 bsc#1235728). - commit a7c2f15 - i2c: tegra: check msg length in SMBUS block read (bsc#1242086) - commit 625407a - iio: light: opt3001: fix deadlock due to concurrent flag access (CVE-2025-37968 bsc#1243571) - commit 0e5e655 - perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (CVE-2025-37936 bsc#1243537) - commit 2e13950 - net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (CVE-2025-37945 bsc#1243538) - commit efc17f3 - pds_core: Prevent possible adminq overflow/stuck condition (CVE-2025-37987 bsc#1243542) - commit ba1ea39 - SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes). - commit dc6e86f - Refresh patches.suse/nfs-ignore-SB_RDONLY-when-remounting-nfs.patch. - commit 359f356 - Refresh patches.suse/nfs-clear-SB_RDONLY-before-getting-superblock.patch. - commit 2697e51 - fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes). - commit fcf1703 - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199). - KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199). - commit 2d2709b - Update patches.suse/nfsd-Fix-race-to-FREE_STATEID-and-cl_revoked.patch (bsc#1012628 CVE-2024-50106 bsc#1232882). - commit a87a308 - net: ngbe: fix memory leak in ngbe_probe() error path (CVE-2025-37874 bsc#1242940) - commit bc2e64d Package gcc14 was updated: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. [bsc#1244050][bsc#1243991] - Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap variant conflict with the unversioned cross-*-gcc package. - Disable build of glibc cross to loongarch64 and hppa in SLFO and SLE15. - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Remove gcc14-pr120061.patch which is now included upstream. - Add gcc14-pr120061.patch to fix the PR108900 fix instead of reverting it. - Remove gcc14-pr108900.patch - Add gcc14-pr108900.patch to revert it, fixing libqt6webengine build. - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 * Remove gcc14-pr118780.patch now on the upstream branch - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - Add gcc14-pr119680.patch to fix cross-compiler builds with - -enable-host-pie. Package libgcrypt was updated: - Security fix [bsc#1221107, CVE-2024-2236] * Add --enable-marvin-workaround to spec to enable workaround * Fix timing based side-channel in RSA implementation ( Marvin attack ) * Add libgcrypt-CVE-2024-2236_01.patch * Add libgcrypt-CVE-2024-2236_02.patch Package gnutls was updated: - Fix heap buffer overread when handling the CT SCT extension during X.509 certificate parsing [bsc#1246233, CVE-2025-32989] * Add patch gnutls-CVE-2025-32989.patch - Fix double-free due to incorrect ownership handling in the export logic of SAN entries containing an otherName [bsc#1246232, CVE-2025-32988] * Add patch gnutls-CVE-2025-32988.patch - Fix 1-byte heap buffer overflow when parsing templates with certtool [bsc#1246267, CVE-2025-32990] * Add patch gnutls-CVE-2025-32990.patch - Fix NULL pointer dereference when 2nd Client Hello omits PSK [bsc#1246299, CVE-2025-6395] * Add patch gnutls-CVE-2025-6395.patch Package libnvme was updated: - Update to version 1.8+82.g9a64f8f4: * tree: free ctrl attributes when (re)configure ctrl (bsc#1243716) * tree: filter tree after scan has completed (bsc#1243716) * sysfs: minimize heap allocations of sysfs paths Package openssl-1_1 was updated: - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. [bsc#1246697] * Add openssl-fips-ECDSA-KAT.patch Package python3 was updated: - Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249). - Add CVE-2025-4435-normalize-lnk-trgts-tarfile.patch Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 on tarfile (bsc#1244032, bsc#1244061, bsc#1244059, bsc#1244060, bsc#1244056). The backported fixes do not contain changes for ntpath.py and related tests, because the support for symlinks and junctions were added later in Python 3.9, and it does not make sense to backport them to 3.6 here. The patch is contains the following changes: - python@42deeab fixes symlink handling for tarfile.data_filter - python@9d2c2a8 fixes handling of existing files/symlinks in tarfile - python@00af979 adds a new &quot;strict&quot; argument to realpath() - python@dd8f187 fixes mulriple CVE fixes in the tarfile module - downstream only fixes that makes the changes work and compatible with Python 3.6 - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705). - Add python36-* provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 - Add ipaddress-update-pr60.patch from gh#phihag/ipaddress!60 to update vendored ipaddress module to 3.8 equivalent - Add gh-128840_parse-IPv6-with-emb-IPv4.patch to limit buffer size for IPv6 address parsing (gh#python/cpython#128840, bsc#1244401). - Update CVE-2025-4516-DecodeError-handler.patch not to break _PyBytes_DecodeEscape signature. - Add CVE-2025-4516-DecodeError-handler.patch fixing CVE-2025-4516 (bsc#1243273) blocking DecodeError handling vulnerability, which could lead to DoS. Package cyrus-sasl was updated: - Add Channel Binding support for GSSAPI/GSS-SPNEGO; (bsc#1229655); (jsc#PED-12097); Add patch 0009-Add-Channel-Binding-support-for-GSSAPI-GSS-SPNEGO.patch - Add support for setting max ssf 0 to GSS-SPNEGO; (bsc#1229655); (jsc#PED-12097); Add patch 0010-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch Package libsolv was updated: - add support for product-obsoletes() provides in the product autopackage generation code - bump version to 0.7.34 - improve transaction ordering by allowing more uninst-&gt;uninst edges [bsc#1243457] - implement color filtering when adding update targets - support orderwithrequires dependencies in susedata.xml - bump version to 0.7.33 Package sqlite3 was updated: - Backpatch the URLs in sqlite3.n from https to http to avoid a file conflict with the tcl package on SLE-15-GA up to SP2. In SP3 and onwards the Tcl package does not contain the sqlite extension anymore. - Sync version 3.50.2 from Factory: * CVE-2025-6965, bsc#1246597: Raise an error early if the number of aggregate terms in a query exceeds the maximum number of columns, to avoid downstream assertion faults. * Add subpackage for the lemon parser generator. + sqlite-3.49.0-fix-lemon-missing-cflags.patch + sqlite-3.6.23-lemon-system-template.patch Package systemd was updated: - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. - systemd-repart is no more considered as experimental (jsc#PED-13213) - Import commit 130293e510ceb4d121d11823e6ebd4b1e8332ea0 (merge of v254.27) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/278fb676146e35a7b4057f52f34a7bbaf1b82369...130293e510ceb4d121d11823e6ebd4b1e8332ea0 Package libxml2 was updated: - security update- added patches CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr + libxml2-CVE-2025-7425.patch - security update - added patches CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS) CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS) + libxml2-CVE-2025-49794,49796.patch CVE-2025-49795 [bsc#1244555], null pointer dereference may lead to Denial of service (DoS) + libxml2-CVE-2025-49795.patch - security update - added patches CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2 + libxml2-CVE-2025-6170,6021.patch Package libzypp was updated: - BuildRequires: %{libsolv_devel_package} &gt;= 0.7.34 (bsc#1243486) Newer rpm versions no longer allow a ':' in rpm package names or obsoletes. So injecting an Obsoletes: product:oldproductname &lt; oldproductversion into the -release package to indicate a product rename is no longer possible. Since libsolv-0.7.34 you can and should use: Provides: product-obsoletes(oldproductname) &lt; oldproductversion in the -release package. libsolv will then inject the appropriate Obsoletes into the Product. - version 17.37.10 (35) - Ignore DeltaRpm download errors (bsc#1245672) DeltaRpms are in fact optional resources. In case of a failure the full rpm is downloaded. - Improve fix for incorrect filesize handling (bsc#1245220) - version 17.37.9 (35) - Do not trigger download data exceeded errors on HTTP non data responses (bsc#1245220) In some cases a HTTP 401 or 407 did trigger a &quot;filesize exceeded&quot; error, because the response payload size was compared against the expected filesize. This patch adds some checks if the response code is in the success range and only then takes expected filesize into account. Otherwise the response content-length is used or a fallback of 2Mb if no content-length is known. - version 17.37.8 (35) - Fix SEGV in MediaDISK handler (bsc#1245452) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. DownloadAsNeeded can not be combined with the rpm singletrans installer backend because a rpm transaction requires all package headers to be available the the beginning of the transaction. So explicitly selecting this mode also turns on the classic_rpmtrans backend. - Fix evaluation of libproxy results (bsc#1244710) - version 17.37.7 (35) - Enhancements regarding mirror handling during repo refresh. Added means to disable the use of mirrors when downloading security relevant files. Requires updaing zypper to 1.14.91. - Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to &quot;/var/log/YaST2/autoTestcase&quot; should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. - Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - version 17.37.6 (35) Package nvme-cli was updated: - Update to version 2.8+92.g998dceae: * nvme: fix mem leak in nvme copy (bsc#1243716) * nvme-print: suppress output when no ctrl is present for list-subsys (bsc#1243716) * nvme: extend filter to match device name (bsc#1243716) * udev-rules-ontap: switch to queue-depth iopolicy (bsc#1246599) Package python-appdirs was updated: - Add python36-appdirs provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-packaging was updated: - Add python36-packaging provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-pyparsing was updated: - Add python36-pyparsing provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python3-setuptools was updated: - Add python36-setuptools provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-six was updated: - Add python36-six provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package samba was updated: - Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876). Package suse-build-key was updated: - adjust UID (name + email) of SLES16 signing key with official names. (bsc#1245223) Package suse-module-tools was updated: - Update to version 15.6.11: * spec file: add missing util-linux requirement (bsc#1241038) * regenerate-initrd-posttrans: Fix SKIP_REGENERATE_INITRD_ALL (bsc#1228929) Package systemd-rpm-macros was updated: - Bump version to 16 - Introduce %udev_trigger_with_reload() for packages that need to trigger events in theirs scriplets. The new macro automatically triggers a reload of the udev rule files as this step is often overlooked by packages (bsc#1237143). Package xen was updated: - bsc#1246112, bsc#1238896 - VUL-0: xen: More AMD transient execution attack (CVE-2024-36350, CVE-2024-36357, XSA-471) 66f28b47-x86-cpufeature-reposition-ext-leaf-21-EAX.patch 685c29cf-x86-idle-Move-monitor-mwait-wrappers.patch 685c29d0-x86-idle-remove-MFENCEs-for-CLFLUSH_MONITOR.patch 685c29d1-revert-part-of-mwait-idle-disable-IBRS-.patch 686277ed-x86-cpu-policy-simplify-logic-in-gcdfa.patch 68656b6f-x86-cpu-policy-leaf-80000021-handling.patch 68681770-x86-idle-remove-broken-MWAIT-implementation.patch 68681771-x86-idle-drop-incorrect-smp_mb-in-.patch 68681772-x86-idle-convert-force_mwait_ipi_wakeup-to-.patch 68681773-rework-arch_skip_send_event_check-into-.patch 68681774-x86-new-MWAIT-IPI-elision-algorithm.patch 68681775-x86-idle-fix-IRQ-enable-before-C1-on-Xeons.patch xsa471-13.patch 686d2646-x86-cpu-policy-rearrange-gc_fa.patch 686d2647-x86-cpu-policy-CPUID-leaf-0x80000021-ecx.patch 686d2648-x86-AMD-ucode-digests-for-TSA.patch 686d2649-x86-idle-rearrange-VERW-and-MONITOR-in-.patch 686d264a-x86-spec-ctrl-mitigate-Transitive-Scheduler-Attacks.patch - bsc#1244644 - VUL-0: CVE-2025-27465: xen: x86: Incorrect stubs exception handling for flags recovery (XSA-470) 6863cd0b-x86emul-extable-registration-in-invoke_stub.patch Replaces xsa470.patch - Upstream bug fixes (bsc#1027519) 6835a042-VMX-VMEntry-failure-on-ADL-SPR-with-shadow.patch 6835a043-x86-PV-breakpoint-reporting.patch - bsc#1244644 - VUL-0: CVE-2025-27465: xen: x86: Incorrect stubs exception handling for flags recovery (XSA-470) xsa470.patch Package zypper was updated: - sh: Reset solver options after command (bsc#1245496)- Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - version 1.14.92 - BuildRequires: libzypp-devel &gt;= 17.37.6. Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. (bsc#1230267) - version 1.14.91 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-chost-byos-v20250819-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 boost-license1_66_0-1.66.0-150200.12.7.1 coreutils-8.32-150400.9.9.1 crypto-policies-20230920.570ea89-150600.3.12.1 docker-28.3.3_ce-150000.230.1 google-dracut-config-0.0.4-150300.7.12.1 google-guest-oslogin-20240311.01-150000.1.56.1 grub2-2.12-150600.8.34.1 grub2-i386-pc-2.12-150600.8.34.1 grub2-x86_64-efi-2.12-150600.8.34.1 hwinfo-21.89-150500.3.12.1 iputils-20221126-150500.3.14.1 jq-1.6-150000.3.9.1 kernel-default-6.4.0-150600.23.60.5 libboost_system1_66_0-1.66.0-150200.12.7.1 libboost_thread1_66_0-1.66.0-150200.12.7.1 libgcc_s1-14.3.0+git11799-150000.1.11.1 libgcrypt20-1.10.3-150600.3.9.1 libgnutls30-3.8.3-150600.4.9.1 libjq1-1.6-150000.3.9.1 libnvme-mi1-1.8+82.g9a64f8f4-150600.3.15.2 libnvme1-1.8+82.g9a64f8f4-150600.3.15.2 libopenssl1_1-1.1.1w-150600.5.15.1 libpython3_6m1_0-3.6.15-150300.10.97.1 libsasl2-3-2.1.28-150600.7.6.2 libsolv-tools-base-0.7.34-150600.8.17.2 libsqlite3-0-3.50.2-150000.3.33.1 libstdc++6-14.3.0+git11799-150000.1.11.1 libsystemd0-254.27-150600.4.43.3 libudev1-254.27-150600.4.43.3 libxml2-2-2.10.3-150500.5.32.1 libzypp-17.37.10-150600.3.74.1 nvme-cli-2.8+92.g998dceae-150600.3.18.2 python3-appdirs-1.4.3-150000.3.3.1 python3-base-3.6.15-150300.10.97.1 python3-packaging-21.3-150200.3.6.1 python3-pyparsing-2.4.7-150300.3.3.1 python3-setuptools-44.1.1-150400.9.15.1 python3-six-1.14.0-150200.15.1 samba-client-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 suse-build-key-12.0-150000.8.61.2 suse-module-tools-15.6.11-150600.3.9.2 systemd-254.27-150600.4.43.3 systemd-rpm-macros-16-150000.7.42.1 udev-254.27-150600.4.43.3 update-alternatives-1.19.0.4-150000.4.7.1 xen-libs-4.18.5_04-150600.3.28.1 zypper-1.14.92-150600.10.46.2 boost-license1_66_0-1.66.0-150200.12.7.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 coreutils-8.32-150400.9.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 crypto-policies-20230920.570ea89-150600.3.12.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 docker-28.3.3_ce-150000.230.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 google-dracut-config-0.0.4-150300.7.12.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 google-guest-oslogin-20240311.01-150000.1.56.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 grub2-2.12-150600.8.34.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 grub2-i386-pc-2.12-150600.8.34.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 grub2-x86_64-efi-2.12-150600.8.34.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 hwinfo-21.89-150500.3.12.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 iputils-20221126-150500.3.14.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 jq-1.6-150000.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 kernel-default-6.4.0-150600.23.60.5 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libboost_system1_66_0-1.66.0-150200.12.7.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libboost_thread1_66_0-1.66.0-150200.12.7.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libgcc_s1-14.3.0+git11799-150000.1.11.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libgcrypt20-1.10.3-150600.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libgnutls30-3.8.3-150600.4.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libjq1-1.6-150000.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libnvme-mi1-1.8+82.g9a64f8f4-150600.3.15.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libnvme1-1.8+82.g9a64f8f4-150600.3.15.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libopenssl1_1-1.1.1w-150600.5.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libpython3_6m1_0-3.6.15-150300.10.97.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libsasl2-3-2.1.28-150600.7.6.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libsolv-tools-base-0.7.34-150600.8.17.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libsqlite3-0-3.50.2-150000.3.33.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libstdc++6-14.3.0+git11799-150000.1.11.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libsystemd0-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libudev1-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libxml2-2-2.10.3-150500.5.32.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 libzypp-17.37.10-150600.3.74.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 nvme-cli-2.8+92.g998dceae-150600.3.18.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 python3-appdirs-1.4.3-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 python3-base-3.6.15-150300.10.97.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 python3-packaging-21.3-150200.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 python3-pyparsing-2.4.7-150300.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 python3-setuptools-44.1.1-150400.9.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 python3-six-1.14.0-150200.15.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 samba-client-libs-4.19.8+git.430.a10fe64854c-150600.3.18.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 suse-build-key-12.0-150000.8.61.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 suse-module-tools-15.6.11-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 systemd-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 systemd-rpm-macros-16-150000.7.42.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 udev-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 update-alternatives-1.19.0.4-150000.4.7.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 xen-libs-4.18.5_04-150600.3.28.1 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 zypper-1.14.92-150600.10.46.2 as a component of Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. CVE-2016-9840 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Only free buffer VA that is not NULL In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly called only when the buffer to free exists, there are some instances that didn't do the check and triggered warnings in practice. We believe those checks were forgotten unintentionally. Add the checks back to fix the warnings. CVE-2023-52888 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. CVE-2024-12718 moderate A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts. CVE-2024-2236 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libgcrypt20-1.10.3-150600.3.9.1 moderate jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue. CVE-2024-23337 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:jq-1.6-150000.3.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libjq1-1.6-150000.3.9.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/handshake: Fix handshake_req_destroy_test1 Recently, handshake_req_destroy_test1 started failing: Expected handshake_req_destroy_test == req, but handshake_req_destroy_test == 0000000000000000 req == 0000000060f99b40 not ok 11 req_destroy works This is because "sock_release(sock)" was replaced with "fput(filp)" to address a memory leak. Note that sock_release() is synchronous but fput() usually delays the final close and clean-up. The delay is not consequential in the other cases that were changed but handshake_req_destroy_test1 is testing that handshake_req_cancel() followed by closing the file actually does call the ->hp_destroy method. Thus the PTR_EQ test at the end has to be sure that the final close is complete before it checks the pointer. We cannot use a completion here because if ->hp_destroy is never called (ie, there is an API bug) then the test will hang. Reported by: Guenter Roeck <linux@roeck-us.net> CVE-2024-26831 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. CVE-2024-36350 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:xen-libs-4.18.5_04-150600.3.28.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg When receiving proposal msg in server, the fields v2_ext_offset/ eid_cnt/ism_gid_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field v2_ext_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt before using them. CVE-2024-49568 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: fix race between laundromat and free_stateid There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 This patch proposes a fixed that's based on adding 2 new additional stid's sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First to make sure, that once the stid is marked revoked, it is not removed by the nfsd4_free_stateid(), the laundromat take a reference on the stateid. Then, coordinating whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each check that state and act accordingly. If laundromat has added to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list. Also, for nfsd4_delegreturn() when looking for the specified stid, we need to access stid that are marked removed or freeable, it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely. CVE-2024-50106 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: sched/numa: fix memory leak due to the overwritten vma->numab_state [Problem Description] When running the hackbench program of LTP, the following memory leak is reported by kmemleak. # /opt/ltp/testcases/bin/hackbench 20 thread 1000 Running with 20*40 (== 800) tasks. # dmesg | grep kmemleak ... kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888cd8ca2c40 (size 64): comm "hackbench", pid 17142, jiffies 4299780315 hex dump (first 32 bytes): ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00 .tI.....L.I..... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc bff18fd4): [<ffffffff81419a89>] __kmalloc_cache_noprof+0x2f9/0x3f0 [<ffffffff8113f715>] task_numa_work+0x725/0xa00 [<ffffffff8110f878>] task_work_run+0x58/0x90 [<ffffffff81ddd9f8>] syscall_exit_to_user_mode+0x1c8/0x1e0 [<ffffffff81dd78d5>] do_syscall_64+0x85/0x150 [<ffffffff81e0012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e ... This issue can be consistently reproduced on three different servers: * a 448-core server * a 256-core server * a 192-core server [Root Cause] Since multiple threads are created by the hackbench program (along with the command argument 'thread'), a shared vma might be accessed by two or more cores simultaneously. When two or more cores observe that vma->numab_state is NULL at the same time, vma->numab_state will be overwritten. Although current code ensures that only one thread scans the VMAs in a single 'numa_scan_period', there might be a chance for another thread to enter in the next 'numa_scan_period' while we have not gotten till numab_state allocation [1]. Note that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000` cannot the reproduce the issue. It is verified with 200+ test runs. [Solution] Use the cmpxchg atomic operation to ensure that only one thread executes the vma->numab_state assignment. [1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/ CVE-2024-56613 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 low In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix potential double remove of hotplug slot In commit 6ee600bfbe0f ("s390/pci: remove hotplug slot when releasing the device") the zpci_exit_slot() was moved from zpci_device_reserved() to zpci_release_device() with the intention of keeping the hotplug slot around until the device is actually removed. Now zpci_release_device() is only called once all references are dropped. Since the zPCI subsystem only drops its reference once the device is in the reserved state it follows that zpci_release_device() must only deal with devices in the reserved state. Despite that it contains code to tear down from both configured and standby state. For the standby case this already includes the removal of the hotplug slot so would cause a double removal if a device was ever removed in either configured or standby state. Instead of causing a potential double removal in a case that should never happen explicitly WARN_ON() if a device in non-reserved state is released and get rid of the dead code cases. CVE-2024-56699 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks. CVE-2024-56738 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:grub2-2.12-150600.8.34.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:grub2-i386-pc-2.12-150600.8.34.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:grub2-x86_64-efi-2.12-150600.8.34.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch. CVE-2024-57982 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix handling of received connection abort Fix the handling of a connection abort that we've received. Though the abort is at the connection level, it needs propagating to the calls on that connection. Whilst the propagation bit is performed, the calls aren't then woken up to go and process their termination, and as no further input is forthcoming, they just hang. Also add some tracing for the logging of connection aborts. CVE-2024-58053 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid extent tree [BUG] Syzbot reported a crash with the following call trace: BTRFS info (device loop0): scrub: started on devid 1 BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs] scrub_simple_mirror+0x175/0x260 [btrfs] scrub_stripe+0x5d4/0x6c0 [btrfs] scrub_chunk+0xbb/0x170 [btrfs] scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs] btrfs_scrub_dev+0x240/0x600 [btrfs] btrfs_ioctl+0x1dc8/0x2fa0 [btrfs] ? do_sys_openat2+0xa5/0xf0 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [CAUSE] The reproducer is using a corrupted image where extent tree root is corrupted, thus forcing to use "rescue=all,ro" mount option to mount the image. Then it triggered a scrub, but since scrub relies on extent tree to find where the data/metadata extents are, scrub_find_fill_first_stripe() relies on an non-empty extent root. But unfortunately scrub_find_fill_first_stripe() doesn't really expect an NULL pointer for extent root, it use extent_root to grab fs_info and triggered a NULL pointer dereference. [FIX] Add an extra check for a valid extent root at the beginning of scrub_find_fill_first_stripe(). The new error path is introduced by 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots"), but that's pretty old, and later commit b979547513ff ("btrfs: scrub: introduce helper to find and fill sector info for a scrub_stripe") changed how we do scrub. So for kernels older than 6.6, the fix will need manual backport. CVE-2025-21658 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: xfrm: delete intermediate secpath entry in packet offload mode Packets handled by hardware have added secpath as a way to inform XFRM core code that this path was already handled. That secpath is not needed at all after policy is checked and it is removed later in the stack. However, in the case of IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward), that secpath is not removed and packets which already were handled are reentered to the driver TX path with xfrm_offload set. The following kernel panic is observed in mlx5 in such case: mlx5_core 0000:04:00.0 enp4s0f0np0: Link up mlx5_core 0000:04:00.1 enp4s0f1np1: Link up Initializing XFRM netlink socket IPsec XFRM device driver BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: Oops: 0010 [#1] PREEMPT SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffb87380003800 EFLAGS: 00010206 RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00 RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010 R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00 R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e FS: 0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0 Call Trace: <IRQ> ? show_regs+0x63/0x70 ? __die_body+0x20/0x60 ? __die+0x2b/0x40 ? page_fault_oops+0x15c/0x550 ? do_user_addr_fault+0x3ed/0x870 ? exc_page_fault+0x7f/0x190 ? asm_exc_page_fault+0x27/0x30 mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core] mlx5e_xmit+0x58e/0x1980 [mlx5_core] ? __fib_lookup+0x6a/0xb0 dev_hard_start_xmit+0x82/0x1d0 sch_direct_xmit+0xfe/0x390 __dev_queue_xmit+0x6d8/0xee0 ? __fib_lookup+0x6a/0xb0 ? internal_add_timer+0x48/0x70 ? mod_timer+0xe2/0x2b0 neigh_resolve_output+0x115/0x1b0 __neigh_update+0x26a/0xc50 neigh_update+0x14/0x20 arp_process+0x2cb/0x8e0 ? __napi_build_skb+0x5e/0x70 arp_rcv+0x11e/0x1c0 ? dev_gro_receive+0x574/0x820 __netif_receive_skb_list_core+0x1cf/0x1f0 netif_receive_skb_list_internal+0x183/0x2a0 napi_complete_done+0x76/0x1c0 mlx5e_napi_poll+0x234/0x7a0 [mlx5_core] __napi_poll+0x2d/0x1f0 net_rx_action+0x1a6/0x370 ? atomic_notifier_call_chain+0x3b/0x50 ? irq_int_handler+0x15/0x20 [mlx5_core] handle_softirqs+0xb9/0x2f0 ? handle_irq_event+0x44/0x60 irq_exit_rcu+0xdb/0x100 common_interrupt+0x98/0xc0 </IRQ> <TASK> asm_common_interrupt+0x27/0x40 RIP: 0010:pv_native_safe_halt+0xb/0x10 Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22 0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb 40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8 RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680 RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4 RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70 R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40 R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8 ? default_idle+0x9/0x20 arch_cpu_idle+0x9/0x10 default_idle_call+0x29/0xf0 do_idle+0x1f2/0x240 cpu_startup_entry+0x2c/0x30 rest_init+0xe7/0x100 start_kernel+0x76b/0xb90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0xc0/0x110 ? setup_ghcb+0xe/0x130 common_startup_64+0x13e/0x141 </TASK> Modules linked in: esp4_offload esp4 xfrm_interface xfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf ---truncated--- CVE-2025-21720 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: ftrace: Avoid potential division by zero in function_stat_show() Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produce zero and skip stddev computation in that case. For now don't care about rec->counter * rec->counter overflow because rec->time * rec->time overflow will likely happen earlier. CVE-2025-21898 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix bad hist from corrupting named_triggers list The following commands causes a crash: ~# cd /sys/kernel/tracing/events/rcu/rcu_callback ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger bash: echo: write error: Invalid argument ~# echo 'hist:name=bad:keys=common_pid' > trigger Because the following occurs: event_trigger_write() { trigger_process_regex() { event_hist_trigger_parse() { data = event_trigger_alloc(..); event_trigger_register(.., data) { cmd_ops->reg(.., data, ..) [hist_register_trigger()] { data->ops->init() [event_hist_trigger_init()] { save_named_trigger(name, data) { list_add(&data->named_list, &named_triggers); } } } } ret = create_actions(); (return -EINVAL) if (ret) goto out_unreg; [..] ret = hist_trigger_enable(data, ...) { list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..] out_unreg: event_hist_unregister(.., data) { cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] { list_for_each_entry(iter, &file->triggers, list) { if (!hist_trigger_match(data, iter, named_data, false)) <- never matches continue; [..] test = iter; } if (test && test->ops->free) <<<-- test is NULL test->ops->free(test) [event_hist_trigger_free()] { [..] if (data->name) del_named_trigger(data) { list_del(&data->named_list); <<<<-- NEVER gets removed! } } } } [..] kfree(data); <<<-- frees item but it is still on list The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash. Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list. A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated. CVE-2025-21899 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization. CVE-2025-21920 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-21997 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/ CVE-2025-22035 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If a scsi request is then sent we do: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend which sees the vs_tpg we just did a kfree on. 2. Tpg dir removal hang: This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir. 3. Tpg leak: This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs. Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first. CVE-2025-22083 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge. In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br_ioctl_call() also re-acquires RTNL. In the race window, Thread B could acquire RTNL and try to remove the bridge device. Then, rtnl_unlock() by Thread B will release RTNL and wait for netdev_put() by Thread A. Thread A, however, must hold RTNL after the unlock in dev_ifsioc(), which may take long under RTNL pressure, resulting in the splat by Thread B. Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR) ---------------------- ---------------------- sock_ioctl sock_ioctl `- sock_do_ioctl `- br_ioctl_call `- dev_ioctl `- br_ioctl_stub |- rtnl_lock | |- dev_ifsioc ' ' |- dev = __dev_get_by_name(...) |- netdev_hold(dev, ...) . / |- rtnl_unlock ------. | | |- br_ioctl_call `---> |- rtnl_lock Race | | `- br_ioctl_stub |- br_del_bridge Window | | | |- dev = __dev_get_by_name(...) | | | May take long | `- br_dev_delete(dev, ...) | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...) | | | | `- rtnl_unlock \ | |- rtnl_lock <-' `- netdev_run_todo | |- ... `- netdev_run_todo | `- rtnl_unlock |- __rtnl_unlock | |- netdev_wait_allrefs_any |- netdev_put(dev, ...) <----------------' Wait refcnt decrement and log splat below To avoid blocking SIOCBRDELBR unnecessarily, let's not call dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF. In the dev_ioctl() path, we do the following: 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl() 2. Check CAP_NET_ADMIN in dev_ioctl() 3. Call dev_load() in dev_ioctl() 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc() 3. can be done by request_module() in br_ioctl_call(), so we move 1., 2., and 4. to br_ioctl_stub(). Note that 2. is also checked later in add_del_if(), but it's better performed before RTNL. SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since the pre-git era, and there seems to be no specific reason to process them there. [0]: unregister_netdevice: waiting for wpan3 to become free. Usage count = 2 ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline] netdev_hold include/linux/netdevice.h:4311 [inline] dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624 dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826 sock_do_ioctl+0x1ca/0x260 net/socket.c:1213 sock_ioctl+0x23a/0x6c0 net/socket.c:1318 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-22111 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here. CVE-2025-22113 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: goto right label 'out_mmap_sem' in ext4_setattr() Otherwise, if ext4_inode_attach_jinode() fails, a hung task will happen because filemap_invalidate_unlock() isn't called to unlock mapping->invalidate_lock. Like this: EXT4-fs error (device sda) in ext4_setattr:5557: Out of memory INFO: task fsstress:374 blocked for more than 122 seconds. Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:fsstress state:D stack:0 pid:374 tgid:374 ppid:373 task_flags:0x440140 flags:0x00000000 Call Trace: <TASK> __schedule+0x2c9/0x7f0 schedule+0x27/0xa0 schedule_preempt_disabled+0x15/0x30 rwsem_down_read_slowpath+0x278/0x4c0 down_read+0x59/0xb0 page_cache_ra_unbounded+0x65/0x1b0 filemap_get_pages+0x124/0x3e0 filemap_read+0x114/0x3d0 vfs_read+0x297/0x360 ksys_read+0x6c/0xe0 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-22120 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating it as fatal instead. CVE-2025-27465 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:xen-libs-4.18.5_04-150600.3.28.1 important A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. CVE-2025-32988 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libgnutls30-3.8.3-150600.4.9.1 important A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly. CVE-2025-32989 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libgnutls30-3.8.3-150600.4.9.1 moderate A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system. CVE-2025-32990 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libgnutls30-3.8.3-150600.4.9.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: ignore xattrs past end Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry. This fixes the following KASAN reported issue: ================================================================== BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 Read of size 4 at addr ffff888012c120c4 by task repro/2065 CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x1fd/0x300 ? tcp_gro_dev_warn+0x260/0x260 ? _printk+0xc0/0x100 ? read_lock_is_recursive+0x10/0x10 ? irq_work_queue+0x72/0xf0 ? __virt_addr_valid+0x17b/0x4b0 print_address_description+0x78/0x390 print_report+0x107/0x1f0 ? __virt_addr_valid+0x17b/0x4b0 ? __virt_addr_valid+0x3ff/0x4b0 ? __phys_addr+0xb5/0x160 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 kasan_report+0xcc/0x100 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ? ext4_xattr_delete_inode+0xd30/0xd30 ? __ext4_journal_ensure_credits+0x5f0/0x5f0 ? __ext4_journal_ensure_credits+0x2b/0x5f0 ? inode_update_timestamps+0x410/0x410 ext4_xattr_delete_inode+0xb64/0xd30 ? ext4_truncate+0xb70/0xdc0 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20 ? __ext4_mark_inode_dirty+0x670/0x670 ? ext4_journal_check_start+0x16f/0x240 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0 ext4_evict_inode+0xc8c/0xff0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 ? do_raw_spin_unlock+0x53/0x8a0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 evict+0x4ac/0x950 ? proc_nr_inodes+0x310/0x310 ? trace_ext4_drop_inode+0xa2/0x220 ? _raw_spin_unlock+0x1a/0x30 ? iput+0x4cb/0x7e0 do_unlinkat+0x495/0x7c0 ? try_break_deleg+0x120/0x120 ? 0xffffffff81000000 ? __check_object_size+0x15a/0x210 ? strncpy_from_user+0x13e/0x250 ? getname_flags+0x1dc/0x530 __x64_sys_unlinkat+0xc8/0xf0 do_syscall_64+0x65/0x110 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x434ffd Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8 RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107 RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001 </TASK> The buggy address belongs to the object at ffff888012c12000 which belongs to the cache filp of size 360 The buggy address is located 196 bytes inside of freed 360-byte region [ffff888012c12000, ffff888012c12168) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x40(head|node=0|zone=0) page_type: f5(slab) raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888012c12180: fc fc fc fc fc fc fc fc fc ---truncated--- CVE-2025-37738 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid memory leak while enabling statistics Driver uses monitor destination rings for extended statistics mode and standalone monitor mode. In extended statistics mode, TLVs are parsed from the buffer received from the monitor destination ring and assigned to the ppdu_info structure to update per-packet statistics. In standalone monitor mode, along with per-packet statistics, the packet data (payload) is captured, and the driver updates per MSDU to mac80211. When the AP interface is enabled, only extended statistics mode is activated. As part of enabling monitor rings for collecting statistics, the driver subscribes to HAL_RX_MPDU_START TLV in the filter configuration. This TLV is received from the monitor destination ring, and kzalloc for the mon_mpdu object occurs, which is not freed, leading to a memory leak. The kzalloc for the mon_mpdu object is only required while enabling the standalone monitor interface. This causes a memory leak while enabling extended statistics mode in the driver. Fix this memory leak by removing the kzalloc for the mon_mpdu object in the HAL_RX_MPDU_START TLV handling. Additionally, remove the standalone monitor mode handlings in the HAL_MON_BUF_ADDR and HAL_RX_MSDU_END TLVs. These TLV tags will be handled properly when enabling standalone monitor mode in the future. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 CVE-2025-37743 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the warning in the strp, but that's just the easiest bug to trigger: WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 Call Trace: <TASK> tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 sock_recvmsg_nosec net/socket.c:1023 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1045 __sys_recvfrom+0x202/0x380 net/socket.c:2237 CVE-2025-37756 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded, tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to memory leak and failure when a skb is allocated. This commit fixes this issue by purging the skb list before tipc_link_xmit() returns. CVE-2025-37757 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: free routing table on probe failure If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path. After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequent function may fail. If that happens, the entire tree setup is in limbo: the first N-1 switches have successfully finished probing (doing nothing but having allocated persistent memory in the tree's dst->ports, and maybe dst->rtable), and switch N failed to probe, ending the tree setup process before anything is tangible from the user's PoV. If switch N fails to probe, its memory (ports) will be freed and removed from dst->ports. However, the dst->rtable elements pointing to its ports, as created by dsa_link_touch(), will remain there, and will lead to use-after-free if dereferenced. If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely possible because that is where ds->ops->setup() is, we get a kasan report like this: ================================================================== BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568 Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42 Call trace: __asan_report_load8_noabort+0x20/0x30 mv88e6xxx_setup_upstream_port+0x240/0x568 mv88e6xxx_setup+0xebc/0x1eb0 dsa_register_switch+0x1af4/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 Allocated by task 42: __kasan_kmalloc+0x84/0xa0 __kmalloc_cache_noprof+0x298/0x490 dsa_switch_touch_ports+0x174/0x3d8 dsa_register_switch+0x800/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 Freed by task 42: __kasan_slab_free+0x48/0x68 kfree+0x138/0x418 dsa_register_switch+0x2694/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 The simplest way to fix the bug is to delete the routing table in its entirety. dsa_tree_setup_routing_table() has no problem in regenerating it even if we deleted links between ports other than those of switch N, because dsa_link_touch() first checks whether the port pair already exists in dst->rtable, allocating if not. The deletion of the routing table in its entirety already exists in dsa_tree_teardown(), so refactor that into a function that can also be called from the tree setup error path. In my analysis of the commit to blame, it is the one which added dsa_link elements to dst->rtable. Prior to that, each switch had its own ds->rtable which is freed when the switch fails to probe. But the tree is potentially persistent memory. CVE-2025-37786 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential NULL pointer dereference in dev_uevent() If userspace reads "uevent" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it. Use WRITE_ONCE() when setting the driver pointer to ensure there is no tearing. CVE-2025-37800 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: spi: spi-imx: Add check for spi_imx_setupxfer() Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: 0x0 spi_imx_pio_transfer+0x50/0xd8 spi_imx_transfer_one+0x18c/0x858 spi_transfer_one_message+0x43c/0x790 __spi_pump_transfer_message+0x238/0x5d4 __spi_sync+0x2b0/0x454 spi_write_then_read+0x11c/0x200 CVE-2025-37801 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: page_pool: avoid infinite loop to schedule delayed worker We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes negative, it means we should not expect the whole page_pool to get back to work normally. This patch mitigates the adverse effect by not rescheduling the kworker when detecting the inflight negative in page_pool_release_retry(). [1] [Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ [Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages ... [Mon Feb 10 20:36:11 2025] Call Trace: [Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 [Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 [Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 [Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 [Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 [Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 [Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 [Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- Note: before this patch, the above calltrace would flood the dmesg due to repeated reschedule of release_dw kworker. CVE-2025-37859 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net: ngbe: fix memory leak in ngbe_probe() error path When ngbe_sw_init() is called, memory is allocated for wx->rss_key in wx_init_rss_key(). However, in ngbe_probe() function, the subsequent error paths after ngbe_sw_init() don't free the rss_key. Fix that by freeing it in error path along with wx->mac_table. Also change the label to which execution jumps when ngbe_sw_init() fails, because otherwise, it could lead to a double free for rss_key, when the mac_table allocation fails in wx_sw_init(). CVE-2025-37874 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Fix the following deadlock: CPU A _free_event() perf_kprobe_destroy() mutex_lock(&event_mutex) perf_trace_event_unreg() synchronize_rcu_tasks_trace() There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case. CPU B bpf_prog_test_run_syscall() rcu_read_lock_trace() bpf_prog_run_pin_on_cpu() bpf_prog_load() bpf_tracing_func_proto() trace_set_clr_event() mutex_lock(&event_mutex) Delegate trace_set_clr_event() to workqueue to avoid such lock dependency. CVE-2025-37884 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak CVE-2025-37909 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Use spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock and spin_unlock in mtk_star_emac driver to avoid spinlock recursion occurrence that can happen when enabling the DMA interrupts again in rx/tx poll. ``` BUG: spinlock recursion on CPU#0, swapper/0/0 lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0, .owner_cpu: 0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT Hardware name: MediaTek MT8365 Open Platform EVK (DT) Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x60/0x80 dump_stack+0x18/0x24 spin_dump+0x78/0x88 do_raw_spin_lock+0x11c/0x120 _raw_spin_lock+0x20/0x2c mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac] __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x4c/0xb0 handle_fasteoi_irq+0xa0/0x1bc handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x120 do_interrupt_handler+0x50/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 regmap_mmio_read32le+0xc/0x20 (P) _regmap_bus_reg_read+0x6c/0xac _regmap_read+0x60/0xdc regmap_read+0x4c/0x80 mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac] __napi_poll+0x38/0x188 net_rx_action+0x164/0x2c0 handle_softirqs+0x100/0x244 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x20 call_on_irq_stack+0x24/0x64 do_softirq_own_stack+0x1c/0x40 __irq_exit_rcu+0xd4/0x10c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 cpuidle_enter_state+0xac/0x320 (P) cpuidle_enter+0x38/0x50 do_idle+0x1e4/0x260 cpu_startup_entry+0x34/0x3c rest_init+0xdc/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ``` CVE-2025-37917 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: vnifilter: Fix unlocked deletion of default FDB entry When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB entry associated with the default remote (assuming one was configured) is deleted without holding the hash lock. This is wrong and will result in a warning [1] being generated by the lockdep annotation that was added by commit ebe642067455 ("vxlan: Create wrappers for FDB lookup"). Reproducer: # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1 # bridge vni add vni 10010 remote 198.51.100.1 dev vx0 # bridge vni del vni 10010 dev vx0 Fix by acquiring the hash lock before the deletion and releasing it afterwards. Blame the original commit that introduced the issue rather than the one that exposed it. [1] WARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0 [...] RIP: 0010:vxlan_find_mac+0x17f/0x1a0 [...] Call Trace: <TASK> __vxlan_fdb_delete+0xbe/0x560 vxlan_vni_delete_group+0x2ba/0x940 vxlan_vni_del.isra.0+0x15f/0x580 vxlan_process_vni_filter+0x38b/0x7b0 vxlan_vnifilter_process+0x3bb/0x510 rtnetlink_rcv_msg+0x2f7/0xb70 netlink_rcv_skb+0x131/0x360 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 __sys_sendmsg+0x121/0x1b0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CVE-2025-37921 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace_seq_to_buffer() syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260 CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106 trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 .... ================================================================== It has been reported that trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf. Therefore, to prevent this, we should use the smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument. CVE-2025-37923 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid There is a string parsing logic error which can lead to an overflow of hid or uid buffers. Comparing ACPIID_LEN against a total string length doesn't take into account the lengths of individual hid and uid buffers so the check is insufficient in some cases. For example if the length of hid string is 4 and the length of the uid string is 260, the length of str will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer which size is 256. The same applies to the hid string with length 13 and uid string with length 250. Check the length of hid and uid strings separately to prevent buffer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-37927 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix host hang issue during device reboot When the host loses heartbeat messages from the device, the driver calls the device-specific ndo_stop function, which frees the resources. If the driver is unloaded in this scenario, it calls ndo_stop again, attempting to free resources that have already been freed, leading to a host hang issue. To resolve this, dev_close should be called instead of the device-specific stop function.dev_close internally calls ndo_stop to stop the network interface and performs additional cleanup tasks. During the driver unload process, if the device is already down, ndo_stop is not called. CVE-2025-37933 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. When generating the MSR_IA32_PEBS_ENABLE value that will be loaded on VM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE value. Consulting only the host kernel's host vs. guest masks results in running the guest with PEBS enabled even when the guest doesn't want to use PEBS. Because KVM uses perf events to proxy the guest virtual PMU, simply looking at exclude_host can't differentiate between events created by host userspace, and events created by KVM on behalf of the guest. Running the guest with PEBS unexpectedly enabled typically manifests as crashes due to a near-infinite stream of #PFs. E.g. if the guest hasn't written MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when trying to record PEBS events. The issue is most easily reproduced by running `perf kvm top` from before commit 7b100989b4f6 ("perf evlist: Remove __evlist__add_default") (after which, `perf kvm top` effectively stopped using PEBS). The userspace side of perf creates a guest-only PEBS event, which intel_guest_get_msrs() misconstrues a guest-*owned* PEBS event. Arguably, this is a userspace bug, as enabling PEBS on guest-only events simply cannot work, and userspace can kill VMs in many other ways (there is no danger to the host). However, even if this is considered to be bad userspace behavior, there's zero downside to perf/KVM restricting PEBS to guest-owned events. Note, commit 854250329c02 ("KVM: x86/pmu: Disable guest PEBS temporarily in two rare situations") fixed the case where host userspace is profiling KVM *and* userspace, but missed the case where userspace is profiling only KVM. CVE-2025-37936 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Verify event formats that have "%*p.." The trace event verifier checks the formats of trace events to make sure that they do not point at memory that is not in the trace event itself or in data that will never be freed. If an event references data that was allocated when the event triggered and that same data is freed before the event is read, then the kernel can crash by reading freed memory. The verifier runs at boot up (or module load) and scans the print formats of the events and checks their arguments to make sure that dereferenced pointers are safe. If the format uses "%*p.." the verifier will ignore it, and that could be dangerous. Cover this case as well. Also add to the sample code a use case of "%*pbl". CVE-2025-37938 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY DSA has 2 kinds of drivers: 1. Those who call dsa_switch_suspend() and dsa_switch_resume() from their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz 2. Those who don't: all others. The above methods should be optional. For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(), and dsa_switch_resume() calls dsa_user_resume() -> phylink_start(). These seem good candidates for setting mac_managed_pm = true because that is essentially its definition [1], but that does not seem to be the biggest problem for now, and is not what this change focuses on. Talking strictly about the 2nd category of DSA drivers here (which do not have MAC managed PM, meaning that for their attached PHYs, mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full), I have noticed that the following warning from mdio_bus_phy_resume() is triggered: WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY && phydev->state != PHY_UP); because the PHY state machine is running. It's running as a result of a previous dsa_user_open() -> ... -> phylink_start() -> phy_start() having been initiated by the user. The previous mdio_bus_phy_suspend() was supposed to have called phy_stop_machine(), but it didn't. So this is why the PHY is in state PHY_NOLINK by the time mdio_bus_phy_resume() runs. mdio_bus_phy_suspend() did not call phy_stop_machine() because for phylink, the phydev->adjust_link function pointer is NULL. This seems a technicality introduced by commit fddd91016d16 ("phylib: fix PAL state machine restart on resume"). That commit was written before phylink existed, and was intended to avoid crashing with consumer drivers which don't use the PHY state machine - phylink always does, when using a PHY. But phylink itself has historically not been developed with suspend/resume in mind, and apparently not tested too much in that scenario, allowing this bug to exist unnoticed for so long. Plus, prior to the WARN_ON(), it would have likely been invisible. This issue is not in fact restricted to type 2 DSA drivers (according to the above ad-hoc classification), but can be extrapolated to any MAC driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where the issue was reported. Assuming mac_managed_pm is set correctly, a quick search indicates the following other drivers might be affected: $ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm drivers/net/ethernet/atheros/ag71xx.c drivers/net/ethernet/microchip/sparx5/sparx5_main.c drivers/net/ethernet/microchip/lan966x/lan966x_main.c drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c drivers/net/ethernet/freescale/dpaa/dpaa_eth.c drivers/net/ethernet/freescale/ucc_geth.c drivers/net/ethernet/freescale/enetc/enetc_pf_common.c drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c drivers/net/ethernet/marvell/mvneta.c drivers/net/ethernet/marvell/prestera/prestera_main.c drivers/net/ethernet/mediatek/mtk_eth_soc.c drivers/net/ethernet/altera/altera_tse_main.c drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c drivers/net/ethernet/meta/fbnic/fbnic_phylink.c drivers/net/ethernet/tehuti/tn40_phy.c drivers/net/ethernet/mscc/ocelot_net.c Make the existing conditions dependent on the PHY device having a phydev->phy_link_change() implementation equal to the default phy_link_change() provided by phylib. Otherwise, we implicitly know that the phydev has the phylink-provided phylink_phy_change() callback, and when phylink is used, the PHY state machine always needs to be stopped/ started on the suspend/resume path. The code is structured as such that if phydev->phy_link_change() is absent, it is a matter of time until the kernel will crash - no need to further complicate the test. Thus, for the situation where the PM is not managed b ---truncated--- CVE-2025-37945 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs With commit bcb5d6c76903 ("s390/pci: introduce lock to synchronize state of zpci_dev's") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a doubple put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put(). CVE-2025-37946 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: ipvs: fix uninit-value for saddr in do_output_route4 syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 ("ipvs: do not use random local source address for tunnels") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr. [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147 do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147 __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118 ip_local_out net/ipv4/ip_output.c:127 [inline] ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x267/0x380 net/socket.c:727 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Uninit was created at: slab_post_alloc_hook mm/slub.c:4167 [inline] slab_alloc_node mm/slub.c:4210 [inline] __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367 kmalloc_noprof include/linux/slab.h:905 [inline] ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline] __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118 ip_local_out net/ipv4/ip_output.c:127 [inline] ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x267/0x380 net/socket.c:727 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369 entry_SYSENTER_compat_after_hwframe+0x84/0x8e CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef) Hardware name: Google Google Compute Engi ---truncated--- CVE-2025-37961 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: iio: light: opt3001: fix deadlock due to concurrent flag access The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages. CVE-2025-37968 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Currently during the multi-link element defragmentation process, the multi-link element length added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211_defrag_mle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer. To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset. CVE-2025-37973 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent possible adminq overflow/stuck condition The pds_core's adminq is protected by the adminq_lock, which prevents more than 1 command to be posted onto it at any one time. This makes it so the client drivers cannot simultaneously post adminq commands. However, the completions happen in a different context, which means multiple adminq commands can be posted sequentially and all waiting on completion. On the FW side, the backing adminq request queue is only 16 entries long and the retry mechanism and/or overflow/stuck prevention is lacking. This can cause the adminq to get stuck, so commands are no longer processed and completions are no longer sent by the FW. As an initial fix, prevent more than 16 outstanding adminq commands so there's no way to cause the adminq from getting stuck. This works because the backing adminq request queue will never have more than 16 pending adminq commands, so it will never overflow. This is done by reducing the adminq depth to 16. CVE-2025-37987 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines. CVE-2025-37992 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix NULL pointer access This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal. CVE-2025-37994 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe. CVE-2025-37995 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts. CVE-2025-37997 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 important In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed. CVE-2025-37998 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 low In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free. This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek. CVE-2025-38000 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 important In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u CVE-2025-38001 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 important In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read protection for procfs content When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF). As the removal of bcm_op's is already implemented with rcu handling this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection. CVE-2025-38003 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh. At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too. CVE-2025-38004 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma: Add missing locking Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled: [ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [ 4.144867] Hardware name: pp-v12 (DT) [ 4.148648] Workqueue: events udma_check_tx_completion [ 4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.160834] pc : udma_start.isra.0+0x34/0x238 [ 4.165227] lr : udma_start.isra.0+0x30/0x238 [ 4.169618] sp : ffffffc083cabcf0 [ 4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [ 4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [ 4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [ 4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [ 4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [ 4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [ 4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [ 4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [ 4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [ 4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [ 4.244986] Call trace: [ 4.247463] udma_start.isra.0+0x34/0x238 [ 4.251509] udma_check_tx_completion+0xd0/0xdc [ 4.256076] process_one_work+0x244/0x3fc [ 4.260129] process_scheduled_works+0x6c/0x74 [ 4.264610] worker_thread+0x150/0x1dc [ 4.268398] kthread+0xd8/0xe8 [ 4.271492] ret_from_fork+0x10/0x20 [ 4.275107] irq event stamp: 220 [ 4.278363] hardirqs last enabled at (219): [<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [ 4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [ 4.294879] softirqs last enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [ 4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [ 4.311559] ---[ end trace 0000000000000000 ]--- This commit adds the missing locking. CVE-2025-38005 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. CVE-2025-38007 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: disable napi on driver removal A warning on driver removal started occurring after commit 9dd05df8403b ("net: warn if NAPI instance wasn't shut down"). Disable tx napi before deleting it in mt76_dma_cleanup(). WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100 CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy) Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 RIP: 0010:__netif_napi_del_locked+0xf0/0x100 Call Trace: <TASK> mt76_dma_cleanup+0x54/0x2f0 [mt76] mt7921_pci_remove+0xd5/0x190 [mt7921e] pci_device_remove+0x47/0xc0 device_release_driver_internal+0x19e/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x6d/0xf0 pci_unregister_driver+0x2e/0xb0 __do_sys_delete_module.isra.0+0x197/0x2e0 do_syscall_64+0x7b/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way. Found by Linux Verification Center (linuxtesting.org). CVE-2025-38009 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 low In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as: [ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763103] Call trace: [ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 [ 237.763110] phy_power_off+0x48/0x100 [ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 [ 237.763119] tegra_xusb_suspend+0x48/0x140 [ 237.763122] platform_pm_suspend+0x2c/0xb0 [ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 [ 237.763127] __device_suspend+0x118/0x330 [ 237.763129] dpm_suspend+0x10c/0x1f0 [ 237.763130] dpm_suspend_start+0x88/0xb0 [ 237.763132] suspend_devices_and_enter+0x120/0x500 [ 237.763135] pm_suspend+0x1ec/0x270 The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count. To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually. With this change: - The bias pad is powered on only when the mask is clear. - Each UTMI pad is powered on or down based on its corresponding bit in the mask, preventing redundant operations. - The overall power state of the shared bias pad is maintained correctly during suspend/resume cycles. The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask. CVE-2025-38010 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 low In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: csa unmap use uninterruptible lock After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace. Change to use uninterruptible wait lock fix the issue. WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] Call Trace: <TASK> drm_file_free.part.0+0x1da/0x230 [drm] drm_close_helper.isra.0+0x65/0x70 [drm] drm_release+0x6a/0x120 [drm] amdgpu_drm_release+0x51/0x60 [amdgpu] __fput+0x9f/0x280 ____fput+0xe/0x20 task_work_run+0x67/0xa0 do_exit+0x217/0x3c0 do_group_exit+0x3b/0xb0 get_signal+0x14a/0x8d0 arch_do_signal_or_restart+0xde/0x100 exit_to_user_mode_loop+0xc1/0x1a0 exit_to_user_mode_prepare+0xf4/0x100 syscall_exit_to_user_mode+0x17/0x40 do_syscall_64+0x69/0xc0 (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab) CVE-2025-38011 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller: UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]') This was missed in the initial conversions because I failed to locate the allocation likely due to the "sizeof(void *)" not matching the "channels" array type. CVE-2025-38013 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, enginces and wqs. CVE-2025-38014 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix memory leak in error handling path of idxd_alloc Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error. CVE-2025-38015 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full_len. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 Call trace: tls_strp_check_rcv+0x128/0x27c tls_strp_data_ready+0x34/0x44 tls_data_ready+0x3c/0x1f0 tcp_data_ready+0x9c/0xe4 tcp_data_queue+0xf6c/0x12d0 tcp_rcv_established+0x52c/0x798 CVE-2025-38018 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set. Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features(). Kernel log: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? __mutex_lock+0x128/0x1dd0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mutex_lock_io_nested+0x1ae0/0x1ae0 ? lock_acquire+0x1c2/0x530 ? macsec_upd_offload+0x145/0x380 ? lockdep_hardirqs_on_prepare+0x400/0x400 ? kasan_save_stack+0x30/0x40 ? kasan_save_stack+0x20/0x40 ? kasan_save_track+0x10/0x30 ? __kasan_kmalloc+0x77/0x90 ? __kmalloc_noprof+0x249/0x6b0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core] macsec_update_offload+0x26c/0x820 ? macsec_set_mac_address+0x4b0/0x4b0 ? lockdep_hardirqs_on_prepare+0x284/0x400 ? _raw_spin_unlock_irqrestore+0x47/0x50 macsec_upd_offload+0x2c8/0x380 ? macsec_update_offload+0x820/0x820 ? __nla_parse+0x22/0x30 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240 genl_family_rcv_msg_doit+0x1cc/0x2a0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240 ? cap_capable+0xd4/0x330 genl_rcv_msg+0x3ea/0x670 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? macsec_update_offload+0x820/0x820 netlink_rcv_skb+0x12b/0x390 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? netlink_ack+0xd80/0xd80 ? rwsem_down_read_slowpath+0xf90/0xf90 ? netlink_deliver_tap+0xcd/0xac0 ? netlink_deliver_tap+0x155/0xac0 ? _copy_from_iter+0x1bb/0x12c0 genl_rcv+0x24/0x40 netlink_unicast+0x440/0x700 ? netlink_attachskb+0x760/0x760 ? lock_acquire+0x1c2/0x530 ? __might_fault+0xbb/0x170 netlink_sendmsg+0x749/0xc10 ? netlink_unicast+0x700/0x700 ? __might_fault+0xbb/0x170 ? netlink_unicast+0x700/0x700 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x53f/0x760 ? import_iovec+0x7/0x10 ? kernel_sendmsg+0x30/0x30 ? __copy_msghdr+0x3c0/0x3c0 ? filter_irq_stacks+0x90/0x90 ? stack_depot_save_flags+0x28/0xa30 ___sys_sen ---truncated--- CVE-2025-38020 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 strlen+0x93/0xa0 lib/string.c:420 __fortify_strlen include/linux/fortify-string.h:268 [inline] get_kobj_path_length lib/kobject.c:118 [inline] kobject_get_path+0x3f/0x2a0 lib/kobject.c:158 kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545 ib_register_device drivers/infiniband/core/device.c:1472 [inline] ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796 rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmsg+0x16d/0x220 net/socket.c:2652 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f This problem is similar to the problem that the commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name") fixes. The root cause is: the function ib_device_rename() renames the name with lock. But in the function kobject_uevent(), this name is accessed without lock protection at the same time. The solution is to add the lock protection when this name is accessed in the function kobject_uevent(). CVE-2025-38022 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: nfs: handle failure of nfs_get_lock_context in unlock path When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace: <TASK> __rpc_execute+0xbc/0x480 rpc_async_schedule+0x2f/0x40 process_one_work+0x232/0x5d0 worker_thread+0x1da/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x240 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]--- Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference. CVE-2025-38023 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x610 mm/kasan/report.c:489 kasan_report+0xb5/0xe0 mm/kasan/report.c:602 rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 vfs_write fs/read_write.c:677 [inline] vfs_write+0x26a/0xcc0 fs/read_write.c:659 ksys_write+0x1b8/0x200 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur. The solution is to let rxe_cleanup do all the work. CVE-2025-38024 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument. of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches(). struct devm_of_regulator_matches is populated with the stack allocated matches array. If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries: max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called. Followed by a stack trace matching the call flow described above. Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope. This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match. CVE-2025-38027 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30 CVE-2025-38031 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs The following splat has been observed on a SAMA5D27 platform using atmel_serial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x44/0x70 dump_stack_lvl from __might_resched+0x38c/0x598 __might_resched from disable_irq+0x1c/0x48 disable_irq from mctrl_gpio_disable_ms+0x74/0xc0 mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4 atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8 atmel_set_termios from uart_change_line_settings+0x15c/0x994 uart_change_line_settings from uart_set_termios+0x2b0/0x668 uart_set_termios from tty_set_termios+0x600/0x8ec tty_set_termios from ttyport_set_flow_control+0x188/0x1e0 ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc] wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth] hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth] hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth] hci_power_on [bluetooth] from process_one_work+0x998/0x1a38 process_one_work from worker_thread+0x6e0/0xfb4 worker_thread from kthread+0x3d4/0x484 kthread from ret_from_fork+0x14/0x28 This warning is emitted when trying to toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly. The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock). Split mctrl_gpio_disable_ms into two differents APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock. CVE-2025-38040 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Set dma_mask for ffa devices Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning: WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124 CVE-2025-38043 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: media: cx231xx: set device_caps for 417 The video_device for the MPEG encoder did not set device_caps. Add this, otherwise the video device can't be registered (you get a WARN_ON instead). Not seen before since currently 417 support is disabled, but I found this while experimenting with it. CVE-2025-38044 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix debug actions order The order of actions taken for debug was implemented incorrectly. Now we implemented the dump split and do the FW reset only in the middle of the dump (rather than the FW killing itself on error.) As a result, some of the actions taken when applying the config will now crash the device, so we need to fix the order. CVE-2025-38045 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: fix null-ptr-deref in idpf_features_check idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL. To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path. BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x154/0x520 ? exc_page_fault+0x76/0x190 ? asm_exc_page_fault+0x26/0x30 ? idpf_features_check+0x6d/0xe0 [idpf] netif_skb_features+0x88/0x310 validate_xmit_skb+0x2a/0x2b0 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x19d/0x3a0 __dev_queue_xmit+0xb74/0xe70 ... CVE-2025-38053 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: espintcp: fix skb leaks A few error paths are missing a kfree_skb. CVE-2025-38057 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid csum tree [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace: BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs] scrub_simple_mirror+0x175/0x290 [btrfs] scrub_stripe+0x5f7/0x6f0 [btrfs] scrub_chunk+0x9a/0x150 [btrfs] scrub_enumerate_chunks+0x333/0x660 [btrfs] btrfs_scrub_dev+0x23e/0x600 [btrfs] btrfs_ioctl+0x1dcf/0x2f80 [btrfs] __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e [CAUSE] Mount option "rescue=idatacsums" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification. Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all. This results in scrub to call btrfs_search_slot() on a NULL pointer and triggered above crash. [FIX] Check both extent and csum tree root before doing any tree search. CVE-2025-38059 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: copy_verifier_state() should copy 'loop_entry' field The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state. Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack(). See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix. This change has some verification performance impact for selftests: File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) ---------------------------------- ---------------------------- --------- --------- -------------- ---------- ---------- ------------- arena_htab.bpf.o arena_htab_llvm 717 426 -291 (-40.59%) 57 37 -20 (-35.09%) arena_htab_asm.bpf.o arena_htab_asm 597 445 -152 (-25.46%) 47 37 -10 (-21.28%) arena_list.bpf.o arena_list_del 309 279 -30 (-9.71%) 23 14 -9 (-39.13%) iters.bpf.o iter_subprog_check_stacksafe 155 141 -14 (-9.03%) 15 14 -1 (-6.67%) iters.bpf.o iter_subprog_iters 1094 1003 -91 (-8.32%) 88 83 -5 (-5.68%) iters.bpf.o loop_state_deps2 479 725 +246 (+51.36%) 46 63 +17 (+36.96%) kmem_cache_iter.bpf.o open_coded_iter 63 59 -4 (-6.35%) 7 6 -1 (-14.29%) verifier_bits_iter.bpf.o max_words 92 84 -8 (-8.70%) 8 7 -1 (-12.50%) verifier_iterating_callbacks.bpf.o cond_break2 113 107 -6 (-5.31%) 12 12 +0 (+0.00%) And significant negative impact for sched_ext: File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) ----------------- ---------------------- --------- --------- -------------------- ---------- ---------- ------------------ bpf.bpf.o lavd_init 7039 14723 +7684 (+109.16%) 490 1139 +649 (+132.45%) bpf.bpf.o layered_dispatch 11485 10548 -937 (-8.16%) 848 762 -86 (-10.14%) bpf.bpf.o layered_dump 7422 1000001 +992579 (+13373.47%) 681 31178 +30497 (+4478.27%) bpf.bpf.o layered_enqueue 16854 71127 +54273 (+322.02%) 1611 6450 +4839 (+300.37%) bpf.bpf.o p2dq_dispatch 665 791 +126 (+18.95%) 68 78 +10 (+14.71%) bpf.bpf.o p2dq_init 2343 2980 +637 (+27.19%) 201 237 +36 (+17.91%) bpf.bpf.o refresh_layer_cpumasks 16487 674760 +658273 (+3992.68%) 1770 65370 +63600 (+3593.22%) bpf.bpf.o rusty_select_cpu 1937 40872 +38935 (+2010.07%) 177 3210 +3033 (+1713.56%) scx_central.bpf.o central_dispatch 636 2687 +2051 (+322.48%) 63 227 +164 (+260.32%) scx_nest.bpf.o nest_init 636 815 +179 (+28.14%) 60 73 +13 (+21.67%) scx_qmap.bpf.o qmap_dispatch ---truncated--- CVE-2025-38060 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 important In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems. CVE-2025-38065 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 important In the Linux kernel, the following vulnerability has been resolved: crypto: lzo - Fix compression buffer overrun Unlike the decompression code, the compression code in LZO never checked for output overruns. It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller. Add a safe compression interface that checks for the end of buffer before each write. Use the safe interface in crypto/lzo. CVE-2025-38068 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver: Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm] Code and flow: 1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver): drivers/cxl/pmem.c: .config_size = mds->lsa_size, 3) max_xfer is set to zero (nvdimm driver): drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size); 4) A subsequent DIV_ROUND_UP() causes a division by zero: drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c- config_size); Fix this by checking the config size parameter by extending an existing check. CVE-2025-38072 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow. Add a check for an empty string. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-38077 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation. CVE-2025-38078 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. CVE-2025-38079 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 important In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient. CVE-2025-38080 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. CVE-2025-38081 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. CVE-2025-38083 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:kernel-default-6.4.0-150600.23.60.5 important When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped. CVE-2025-4435 important There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError. CVE-2025-4516 moderate Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. CVE-2025-4517 important jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available. CVE-2025-48060 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:jq-1.6-150000.3.9.1 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libjq1-1.6-150000.3.9.1 moderate ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero). CVE-2025-48964 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:iputils-20221126-150500.3.14.1 moderate A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. CVE-2025-49794 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libxml2-2-2.10.3-150500.5.32.1 important A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service. CVE-2025-49795 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libxml2-2-2.10.3-150500.5.32.1 important A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. CVE-2025-49796 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libxml2-2-2.10.3-150500.5.32.1 important A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. CVE-2025-5278 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:coreutils-8.32-150400.9.9.1 moderate Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables rules including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports - unpublished ports remain protected. This issue is fixed in version 28.3.3. CVE-2025-54388 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:docker-28.3.3_ce-150000.230.1 moderate A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. CVE-2025-6021 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libxml2-2-2.10.3-150500.5.32.1 important The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. CVE-2025-6069 moderate A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. CVE-2025-6170 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libxml2-2-2.10.3-150500.5.32.1 moderate A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). CVE-2025-6395 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libgnutls30-3.8.3-150600.4.9.1 moderate There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. CVE-2025-6965 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libsqlite3-0-3.50.2-150000.3.33.1 important A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption. CVE-2025-7425 Public Cloud Image google/sles-15-sp6-chost-byos-v20250819-x86-64:libxml2-2-2.10.3-150500.5.32.1 important There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 CVE-2025-8194 moderate