SUSE-IU-2025:3185-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:3185-1 Interim 1 1 2026-03-19T08:58:03Z current 2025-10-22T01:00:00Z 2025-10-22T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:3185-1 / google/sles-15-sp6-byos-v20251022-arm64 This image update for google/sles-15-sp6-byos-v20251022-arm64 contains the following changes: Package bind was updated: - ensure file descriptors 0-2 are in use before using libuv (bsc#1230649) * bind-ensure-file-descriptors-0-2-are-in-use-before-using-.patch Package boost was updated: - CVE-2016-9840: fixed out-of-bounds pointer arithmetic in zlib in beast (bsc#1245936) - adds patch boost-zlib.patch Package cloud-regionsrv-client was updated: - Update version to 10.5.2 (bsc#1247539) + When an instance fails verification server side the default credentials were left behind requireing manual intervantion prior to the next registration attempt. + Fix issue triggered when using instance-billing-flavor-check due to IP address handling as object rather than string introduced 10.5.0 - Update version to 10.5.1 + Fix issue with picking up configured server names from the regionsrv config file. Previously only IP addresses were collected + Update scriptlet for package uninstall to avoid issues in the build service - Update version to 10.5.0 + Use region server IP addresses to determine Internet access rather than a generic address. Region server IP addresses may not be blocked in the network construct. (bsc#1245305) Package crypto-policies was updated: - Update the BSI policy [jsc#PED-12880] * BSI: switch to 3072 minimum RSA key size [322f0ba4] * BSI: Update BSI policy for new 2024 minimum [64b9dddd] * Add patches: - crypto-policies-BSI-Update-BSI-policy-for-new-2024-minimum-recommend.patch - crypto-policies-BSI-switch-to-3072-minimum-RSA-key-size.patch Package curl was updated: - tool_operate: fix return code when --retry is used but not triggered [bsc#1249367] * Add curl-tool_operate-fix-return-code-when-retry-is-used.patch - Security fixes: * [bsc#1249191, CVE-2025-9086] Out of bounds read for cookie path * [bsc#1249348, CVE-2025-10148] Predictable WebSocket mask * Add patches: - curl-CVE-2025-9086.patch - curl-CVE-2025-10148.patch - Fix the --ftp-pasv option in curl v8.14.1 [bsc#1246197] * tool_getparam: fix --ftp-pasv [5f805ee] * Add curl-fix--ftp-pasv.patch - Update to 8.14.1: [jsc#PED-13055, jsc#PED-13056] * Add _multibuild * Remove patches fixed in the update: - curl-CVE-2024-11053.patch - curl-CVE-2024-2004.patch - curl-CVE-2024-2379.patch - curl-CVE-2024-2398.patch - curl-CVE-2024-2466.patch - curl-CVE-2024-6197.patch - curl-CVE-2024-7264.patch - curl-CVE-2024-8096.patch - curl-CVE-2024-9681.patch - curl-CVE-2025-0167.patch - curl-CVE-2025-0725.patch - curl-aws_sigv4-url-encode-the-canonical-path.patch - curl-mstp-starttls.patch - Sync spec file with SLE codestreams: [jsc#PED-13055, jsc#PED-13056] * Add curl-mini.rpmlintrc to avoid rpmlint shlib-policy-name-error when building the curl-mini package in SLE. * Add libssh minimum version requirements. * Use ldconfig_scriptlets when available. * Remove unused option --disable-ntlm-wb. - Update to 8.14.1: * Security fixes: - [bsc#1243933, CVE-2025-5399] libcurl can possibly get trapped in an endless busy-loop when processing specially crafted packets [d1145df2] * Bugfixes: - asyn-thrdd: fix cleanup when RR fails due to OOM - ftp: fix teardown of DATA connection in done - http: fail early when rewind of input failed when following redirects - multi: fix add_handle resizing - tls BIOs: handle BIO_CTRL_EOF correctly - tool_getparam: make --no-anyauth not be accepted - wolfssl: fix sending of early data - ws: handle blocked sends better - ws: tests and fixes - Update to 8.14.0: * Security fixes: - [CVE-2025-4947, bsc#1243397] QUIC certificate check skip with wolfSSL - [CVE-2025-5025, bsc#1243706] No QUIC certificate pinning with wolfSSL * Changes: - mqtt: send ping at upkeep interval - schannel: handle pkcs12 client certificates containing CA certificates - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs - vquic: ngtcp2 + openssl support - wcurl: import v2025.04.20 script + docs - websocket: add option to disable auto-pong reply * Bugfixes: - asny-thrdd: fix detach from running thread - async-threaded resolver: use ref counter - async: DoH improvements - build: enable gcc-12/13+, clang-10+ picky warnings - build: enable gcc-15 picky warnings - certs: drop unused `default_bits` from `.prm` files - cf-https-connect: use the passed in dns struct pointer - cf-socket: fix FTP accept connect - cfilters: remove assert - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON` - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options - cmake: revert `CURL_LTO` behavior for multi-config generators - configure: fix --disable-rt - CONTRIBUTE: add project guidelines for AI use - cpool/cshutdown: force close connections under pressure - curl: fix memory leak when -h is used in config file - curl_get_line: handle lines ending on the buffer boundary - headers: enforce a max number of response header to accept - http: fix HTTP/2 handling of TE request header using &quot;trailers&quot; - lib: include files using known path - lib: unify conversions to/from hex - libssh: add NULL check for Curl_meta_get() - libssh: fix memory leak - mqtt: use conn/easy meta hash - multi: do transfer book keeping using mid - multi: init_do(): check result - netrc: avoid NULL deref on weird input - netrc: avoid strdup NULL - netrc: deal with null token better - openssl-quic: avoid potential `-Wnull-dereference`, add assert - openssl-quic: fix shutdown when stream not open - openssl: enable builds for *both* engines and providers - openssl: set the cipher string before doing private cert - progress: avoid integer overflow when gathering total transfer size - rand: update comment on Curl_rand_bytes weak random - rustls: make max size of cert and key reasonable - smb: avoid integer overflow on weird input date - urlapi: redirecting to &quot;&quot; is considered fine * Remove curl-8.13.0-CloseSocket.patch upstream * Rebase libcurl-ocloexec.patch - fix Leap build add curl-8.13.0-CloseSocket.patch - Update to 8.13.0: * Changes: - curl: add write-out variable 'tls_earlydata' - curl: make --url support a file with URLs - gnutls: set priority via --ciphers - IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags - lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY - OpenSSL/quictls: add support for TLSv1.3 early data - rustls: add support for CERTINFO - rustls: add support for SSLKEYLOGFILE - rustls: support ECH w/ DoH lookup for config - rustls: support native platform verifier - var: add a '64dec' function that can base64 decode a string * Bugfixes: - conn: fix connection reuse when SSL is optional - hash: use single linked list for entries - http2: detect session being closed on ingress handling - http2: reset stream on response header error - http: remove a HTTP method size restriction - http: version negotiation - httpsrr: fix port detection - libssh: fix freeing of resources in disconnect - libssh: fix scp large file upload for 32-bit size_t systems - openssl-quic: do not iterate over multi handles - openssl: check return value of X509_get0_pubkey - openssl: drop support for old OpenSSL/LibreSSL versions - openssl: fix crash on missing cert password - openssl: fix pkcs11 URI checking for key files. - openssl: remove bad `goto`s into other scope - setopt: illegal CURLOPT_SOCKS5_AUTH should return error - setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine - sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version - sshserver: fix excluding obsolete client config lines - SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR - tftpd: prefix TFTP protocol error `E*` constants with `TFTP_` - tool_operate: fail SSH transfers without server auth - url: call protocol handler's disconnect in Curl_conn_free - urlapi: remove percent encoded dot sequences from the URL path - urldata: remove 'hostname' from struct Curl_async * Rebase patches: - libcurl-ocloexec.patch - curl-secure-getenv.patch - Update to 8.12.1: * Bugfixes: - asyn-thread: fix build with 'CURL_DISABLE_SOCKETPAIR' - asyn-thread: fix HTTPS RR crash - asyn-thread: fix the returned bitmask from Curl_resolver_getsock - asyn-thread: survive a c-ares channel set to NULL - cmake: always reference OpenSSL and ZLIB via imported targets - cmake: respect 'GNUTLS_CFLAGS' when detected via 'pkg-config' - cmake: respect 'GNUTLS_LIBRARY_DIRS' in 'libcurl.pc' and 'curl-config' - content_encoding: #error on too old zlib - imap: TLS upgrade fix - ldap: drop support for legacy Novell LDAP SDK - libssh2: comparison is always true because rc &lt;= -1 - libssh2: raise lowest supported version to 1.2.8 - libssh: drop support for libssh older than 0.9.0 - openssl-quic: ignore ciphers for h3 - pop3: TLS upgrade fix - runtests: fix the disabling of the memory tracking - runtests: quote commands to support paths with spaces - scache: add magic checks - smb: silence '-Warray-bounds' with gcc 13+ - smtp: TLS upgrade fix - tool_cfgable: sort struct fields by size, use bitfields for booleans - tool_getparam: add &quot;TLS required&quot; flag for each such option - vtls: fix multissl-init - wakeup_write: make sure the eventfd write sends eight bytes - Update to 8.12.0: * Security fixes: - [bsc#1234068, CVE-2024-11053] curl could leak the password used for the first host to the followed-to host under certain circumstances. - [bsc#1232528, CVE-2024-9681] HSTS subdomain overwrites parent cache entry - [bsc#1236589, CVE-2025-0665] eventfd double close * Changes: - curl: add byte range support to --variable reading from file - curl: make --etag-save acknowledge --create-dirs - getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var - getinfo: provide info which auth was used for HTTP and proxy - hyper: drop support - openssl: add support to use keys and certificates from PKCS#11 provider - QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA - vtls: feature ssls-export for SSL session im-/export * Bugfixes: - altsvc: avoid integer overflow in expire calculation - asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL - asyn-ares: fix memory leak - asyn-ares: initial HTTPS resolve support - asyn-thread: use c-ares to resolve HTTPS RR - async-thread: avoid closing eventfd twice - cd2nroff: do not insist on quoted &lt;&gt; within backticks - cd2nroff: support &quot;none&quot; as a TLS backend - conncache: count shutdowns against host and max limits - content_encoding: drop support for zlib before 1.2.0.4 - content_encoding: namespace GZIP flag constants - content_encoding: put the decomp buffers into the writer structs - content_encoding: support use of custom libzstd memory functions - cookie: cap expire times to 400 days - cookie: parse only the exact expire date - curl: return error if etag options are used with multiple URLs - curl_multi_fdset: include the shutdown connections in the set - curl_sha512_256: rename symbols to the curl namespace - curl_url_set.md: adjust the added-in to 7.62.0 - doh: send HTTPS RR requests for all HTTP(S) transfers - easy: allow connect-only handle reuse with easy_perform - easy: make curl_easy_perform() return error if connection still there - easy_lock: use Sleep(1) for thread yield on old Windows - ECH: update APIs to those agreed with OpenSSL maintainers - GnuTLS: fix 'time_appconnect' for early data - HTTP/2: strip TE request header - http2: fix data_pending check - http2: fix value stored to 'result' is never read - http: ignore invalid Retry-After times - http_aws_sigv4: Fix invalid compare function handling zero-length pairs - https-connect: start next immediately on failure - lib: redirect handling by protocol handler - multi: fix curl_multi_waitfds reporting of fd_count - netrc: 'default' with no credentials is not a match - netrc: fix password-only entries - netrc: restore _netrc fallback logic - ngtcp2: fix memory leak on connect failure - openssl: define `HAVE_KEYLOG_CALLBACK` before use - openssl: fix ECH logic - osslq: use SSL_poll to determine writeability of QUIC streams - sectransp: free certificate on error - select: avoid a NULL deref in cwfds_add_sock - src: omit hugehelp and ca-embed from libcurltool - ssl session cache: change cache dimensions - system.h: add 64-bit curl_off_t definitions for NonStop - telnet: handle single-byte input option - TLS: check connection for SSL use, not handler - tool_formparse.c: make curlx_uztoso a static in here - tool_formparse: accept digits in --form type= strings - tool_getparam: ECH param parsing refix - tool_getparam: fail --hostpubsha256 if libssh2 is not used - tool_getparam: fix &quot;Ignored Return Value&quot; - tool_getparam: fix memory leak on error in parse_ech - tool_getparam: fix the ECH parser - tool_operate: make --etag-compare always accept a non-existing file - transfer: fix CURLOPT_CURLU override logic - urlapi: fix redirect to a new fragment or query (only) - vquic: make vquic_send_packets not return without setting psent - vtls: fix default SSL backend as a fallback - vtls: only remember the expiry timestamp in session cache - websocket: fix message send corruption - x509asn1: add parse recursion limit * Rebase pathes: - libcurl-ocloexec.patch - dont-mess-with-rpmoptflags.patch Package docker was updated: - Update to Docker 28.3.3-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2833&gt; CVE-2025-54388 bsc#1247367 - Update to docker-buildx v0.26.1. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.26.1&gt; - Update to docker-buildx v0.26.0. Upstream changelog: &lt;https://github.com/docker/buildx/releases/tag/v0.26.0&gt; - Update to Go 1.24 for builds, to match upstream. - Update to Docker 28.3.2-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2832&gt; - Update to Docker 28.3.1-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2831&gt; - Update to Docker 28.3.0-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/28/#2830&gt; bsc#1246556 - Rebase patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch Package dracut was updated: - Update to version 059+suse.562.geca59f6b: * fix(dracut-util): crash if CMDLINE ends with quotation mark (bsc#1247819) * fix(rngd): adjust license to match the license of the whole project * fix(nfs): set correct ownership of rpc.statd state directories (bsc#1217885) * perf(nfs): remove references to old rpcbind state dir * fix(nfs): libnfsidmap plugins not added in some distributions Package glibc was updated: - regcomp-double-free.patch: posix: Fix double-free after allocation failure in regcomp (CVE-2025-8058, bsc#1246965, BZ #33185) - nscd-gethst-race.patch: Reduce chance of crash when using nscd GETFDHST (bsc#1240058) Package google-dracut-config was updated: Package google-guest-oslogin was updated: - Cherry-pick dont-retry-bad-requests.patch to stop retrying bad requests causing timeouts during container startup (bsc#1243992) Package grub2 was updated: - Fix boot hangs in setting up serial console when ACPI SPCR table is present and redirection is disabled (bsc#1249088) * 0001-term-ns8250-spcr-Return-if-redirection-is-disabled.patch - Skip mount point in grub_find_device function (bsc#1246231) * 0001-getroot-Skip-mount-points-in-grub_find_device.patch - Fix CVE-2024-56738: side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959) * grub2-constant-time-grub_crypto_memcmp.patch - Fix test -f and -s do not work properly over the network files served via tftp and http (bsc#1246157) (bsc#1246237) * 0001-test-Fix-f-test-on-files-over-network.patch * 0002-http-Return-HTTP-status-code-in-http_establish.patch * 0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch * 0004-tftp-Fix-hang-when-file-is-a-directory.patch Package hwinfo was updated: - merge gh#openSUSE/hwinfo#168- fix usb network card detection (bsc#1245950) - 21.89 Package iproute2 was updated: - add post-6.4 follow-up fixes (bsc#1243005) * patches/bond-fix-stack-smash-in-xstats.patch * patches/tc-gred-fix-debug-print.patch - sync UAPI header copies with SLE15-SP6 kernel * sync-UAPI-header-copies-with-SLE15-SP6.patch - drop Update-kernel-headers.patch (no longer needed with full UAPI sync) - devlink: support ipsec_crypto and ipsec_packet cap (bsc#1248660) * add Update-kernel-headers.patch * add devlink-Support-setting-port-function-ipsec_crypto-c.patch * add devlink-Support-setting-port-function-ipsec_packet-c.patch * refresh ss-Tone-down-cgroup-path-resolution.patch - add post-6.4 follow-up fix (bsc#1243005) * ss-show-extra-info-when-processes-is-not-used.patch - add post-6.4 follow-up fixes (bsc#1243005): * bpf-fix-warning-from-basename.patch * bridge-fdb-add-an-error-print-for-unknown-command.patch * bridge-vni-Accept-del-command.patch * bridge-vni-Fix-duplicate-group-and-remote-error-mess.patch * bridge-vni-Fix-vni-filter-help-strings.patch * bridge-vni-Remove-dead-code-in-group-argument-parsin.patch * bridge-vni-Report-duplicate-vni-argument-using-dupar.patch * f_flower-Treat-port-0-as-valid.patch * genl-ctrl.c-spelling-fix-in-error-message.patch * ip-Add-missing-echo-option-to-usage.patch * ip-Add-missing-stats-command-to-usage.patch * ip-ipmroute-use-preferred_family-to-get-prefix.patch * ip-remove-non-existent-amt-subcommand-from-usage.patch * iplink-fix-fd-leak-when-playing-with-netns.patch * iplink_bridge-fix-incorrect-root-id-dump.patch * iplink_xstats-spelling-fix-in-error-message.patch * iproute2-fix-type-incompatibility-in-ifstat.c.patch * iproute2-prevent-memory-leak.patch * libnetlink-validate-nlmsg-header-length-first.patch * man-devlink-resource-add-missing-words-in-the-exampl.patch * mnl_utils-sanitize-incoming-netlink-payload-size-in-.patch * rdma-Fix-help-information-of-rdma-resource.patch * rdma-Fix-the-error-of-accessing-string-variable-outs.patch * rdma-use-print_XXX-instead-of-COLOR_NONE.patch * ss-Fix-socket-type-check-in-packet_show_line.patch * ss-fix-directory-leak-when-T-option-is-used.patch * ss-mptcp-display-info-counters-as-unsigned.patch * ss-prevent-Process-column-from-being-printed-unless-.patch * tc-taprio-don-t-print-netlink-attributes-which-weren.patch * tc-taprio-fix-JSON-output-when-TCA_TAPRIO_ATTR_ADMIN.patch * tc-taprio-fix-parsing-of-fp-option-when-it-doesn-t-a.patch * vdpa-consume-device_features-parameter.patch - add to blacklist: * af0ea2cd0b9e (duplicate of 92eac7e4bf14) - refresh: * ss-Add-support-for-dumping-TCP-bound-inactive-socket.patch * add-explicit-typecast-to-avoid-gcc-warning.patch * use-sysconf-_SC_CLK_TCK-if-HZ-undefined.patch Package jq was updated: - Add patches CVE-2025-48060-1.patch and CVE-2025-48060-2.patch (CVE-2025-48060, bsc#1244116) Package kernel-default was updated: - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message (git-fixes). - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog (git-fixes). - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock (git-fixes). - PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() (git-fixes). - PCI: tegra: Fix devm_kcalloc() argument order for port-&gt;phys allocation (git-fixes). - PCI: rcar-host: Drop PMSR spinlock (git-fixes). - PCI: keystone: Use devm_request_irq() to free &quot;ks-pcie-error-irq&quot; on exit (git-fixes). - PCI: tegra194: Handle errors in BPMP response (git-fixes). - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() (git-fixes). - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV (git-fixes). - PCI/sysfs: Ensure devices are powered for config reads (git-fixes). - PCI/AER: Fix missing uevent on recovery when a reset is requested (git-fixes). - PCI/ERR: Fix uevent on failure to recover (git-fixes). - dmaengine: Fix dma_async_tx_descriptor-&gt;tx_submit documentation (git-fixes). - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 (git-fixes). - media: rc: fix races with imon_disconnect() (git-fixes). - commit 1710395 - arm64: dts: apple: Add ethernet0 alias for J375 template (git-fixes) - commit 122f705 - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map (git-fixes) - commit 886bc20 - arm64: dts: imx8mp: Correct thermal sensor index (git-fixes) - commit 2283cd3 - wifi: ath12k: Add MODULE_FIRMWARE() entries (bsc#1250952). - commit fbc86d9 - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() (git-fixes). - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() (git-fixes). - scsi: qla2xxx: edif: Fix incorrect sign of error code (git-fixes). - scsi: qla2xxx: Use secs_to_jiffies() instead of msecs_to_jiffies() (git-fixes). - scsi: qla2xxx: Remove firmware URL (git-fixes). - scsi: qla2xxx: Avoid stack frame size warning in qla_dfs (git-fixes). - commit db6525b - scsi: lpfc: Copyright updates for 14.4.0.11 patches (bsc#1250519). - scsi: lpfc: Update lpfc version to 14.4.0.11 (bsc#1250519). - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point topology (bsc#1250519). - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET (bsc#1250519). - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted (bsc#1250519). - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in lpfc_cleanup (bsc#1250519). - scsi: lpfc: Clean up allocated queues when queue setup mbox commands fail (bsc#1250519). - scsi: lpfc: Abort outstanding ELS WQEs regardless of if rmmod is in progress (bsc#1250519). - scsi: lpfc: Remove unused member variables in struct lpfc_hba and lpfc_vport (bsc#1250519). - scsi: lpfc: Use int type to store negative error codes (bsc#1250519). - scsi: fc: Avoid -Wflex-array-member-not-at-end warnings (bsc#1250519). - scsi: lpfc: use min() to improve code (bsc#1250519). - scsi: lpfc: Fix buffer free/clear order in deferred receive path (bsc#1250519). - scsi: lpfc: Remove redundant assignment to avoid memory leak (bsc#1250519). - scsi: lpfc: Fix wrong function reference in a comment (bsc#1250519). - commit 9af1a7a - nvme-fc: use lock accessing port_state and rport state (bsc#1245193 bsc#1247500). - nvmet-fcloop: call done callback even when remote port is gone (bsc#1245193 bsc#1247500). - nvmet-fc: avoid scheduling association deletion twice (bsc#1245193 bsc#1247500). - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op (bsc#1245193 bsc#1247500). - commit 9a1d529 - NFSv4.1: fix backchannel max_resp_sz verification check (git-fixes). - commit 8db6e65 - orangefs: Remove unused type in macro fill_default_sys_attrs (git-fixes). - commit 98fbe5c - ppp: fix memory leak in pad_compress_skb (CVE-2025-39847 bsc#1250292). - ice: fix NULL access of tx-&gt;in_use in ice_ll_ts_intr (CVE-2025-39854 bsc#1250297). - vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects (CVE-2025-39850 bsc#1250276). - net/mlx5: Fix lockdep assertion on sync reset unload event (CVE-2025-39832 bsc#1249901). - net/mlx5: Reload auxiliary drivers on fw_activate (CVE-2025-39832 bsc#1249901). - bnxt_en: Fix memory corruption when FW resources change during ifdown (CVE-2025-39810 bsc#1249975). - gve: prevent ethtool ops after shutdown (CVE-2025-38735 bsc#1249288). - net/mlx5: Add sync reset drop mode support (CVE-2025-39832 bsc#1249901). - commit 703f4a7 - Update patches.suse/0780-drm-mediatek-dp-Change-logging-to-dev-for-mtk_dp_aux.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53325 bsc#1250035). - Update patches.suse/ACPI-APEI-send-SIGBUS-to-current-task-if-synchronous.patch (stable-fixes CVE-2025-39763 bsc#1249615). - Update patches.suse/ACPI-pfr_update-Fix-the-driver-update-version-check.patch (git-fixes CVE-2025-39701 bsc#1249308). - Update patches.suse/ACPICA-Add-AML_NO_OPERAND_RESOLVE-flag-to-Timer.patch (git-fixes CVE-2023-53395 bsc#1250358). - Update patches.suse/ALSA-hda-ca0132-Fix-buffer-overflow-in-add_tuning_co.patch (stable-fixes CVE-2025-39751 bsc#1249538). - Update patches.suse/ALSA-hda-fix-a-possible-null-pointer-dereferen.patch (bsc#1012628 CVE-2023-53275 bsc#1250459). - Update patches.suse/ALSA-usb-audio-Validate-UAC3-cluster-segment-descrip.patch (git-fixes CVE-2025-39757 bsc#1249515). - Update patches.suse/ALSA-usb-audio-Validate-UAC3-power-domain-descriptor.patch (git-fixes CVE-2025-38729 bsc#1249164). - Update patches.suse/ASoC-core-Check-for-rtd-NULL-in-snd_soc_remove_pcm_r.patch (stable-fixes CVE-2025-38706 bsc#1249195). - Update patches.suse/Bluetooth-Fix-hci_suspend_sync-crash.patch (git-fixes CVE-2023-53520 bsc#1250957). - Update patches.suse/Bluetooth-Fix-potential-use-after-free-when-clear-ke.patch (git-fixes CVE-2023-53386 bsc#1250106). - Update patches.suse/Bluetooth-Fix-use-after-free-in-l2cap_sock_cleanup_l.patch (git-fixes CVE-2025-39860 bsc#1250247). - Update patches.suse/Bluetooth-L2CAP-Fix-use-after-free.patch (bsc#1012628 CVE-2023-53305 bsc#1250049). - Update patches.suse/Bluetooth-hci_conn-fail-SCO-ISO-via-hci_conn_failed-.patch (git-fixes CVE-2023-53374 bsc#1250196). - Update patches.suse/Bluetooth-l2cap-Check-encryption-key-size-on-incomin.patch (git-fixes CVE-2025-39889 bsc#1249833). - Update patches.suse/Bluetooth-use-RCU-for-hci_conn_params-and-itera.patch (bsc#1012628 CVE-2023-53252 bsc#1249756). - Update patches.suse/Bluetooth-vhci-Prevent-use-after-free-by-removing-de.patch (git-fixes CVE-2025-39861 bsc#1250249). - Update patches.suse/FS-JFS-Fix-null-ptr-deref-Read-in-txBegin.patch (bsc#1012628 CVE-2023-53457 bsc#1250763). - Update patches.suse/HID-asus-fix-UAF-via-HID_CLAIMED_INPUT-validation.patch (git-fixes CVE-2025-39824 bsc#1250007). - Update patches.suse/HID-hid-ntrig-fix-unable-to-handle-page-fault-in-ntr.patch (stable-fixes CVE-2025-39808 bsc#1250088). - Update patches.suse/HID-multitouch-Correct-devm-device-reference-for-hid.patch (git-fixes CVE-2023-53454 bsc#1250759). - Update patches.suse/HID-multitouch-fix-slab-out-of-bounds-access-in-mt_r.patch (git-fixes CVE-2025-39806 bsc#1249888). - Update patches.suse/IB-hfi1-Fix-possible-panic-during-hotplug-remo.patch (bsc#1012628 CVE-2023-53488 bsc#1250825). - Update patches.suse/KVM-arm64-Handle-kvm_arm_init-failure-correctly.patch (bsc#1012628 CVE-2023-53319 bsc#1250067). - Update patches.suse/KVM-nSVM-Load-L1-s-TSC-multiplier-based-on-L1-state-.patch (git-fixes CVE-2023-53208 bsc#1249698). - Update patches.suse/KVM-s390-diag-fix-racy-access-of-physical-cpu-n.patch (bsc#1012628 CVE-2023-53205 bsc#1249677). - Update patches.suse/NFS-Fix-filehandle-bounds-checking-in-nfs_fh_to_dentry.patch (git-fixes CVE-2025-39730 bsc#1249296). - Update patches.suse/NFS-Fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch (git-fixes CVE-2025-39798 bsc#1249774). - Update patches.suse/NFSv4.2-Rework-scratch-handling-for-READ_PLUS-again.patch (git-fixes CVE-2023-53360 bsc#1249990). - Update patches.suse/PCI-ASPM-Disable-ASPM-on-MFD-function-removal-t.patch (bsc#1012628 CVE-2023-53446 bsc#1250145). - Update patches.suse/PCI-endpoint-Fix-configfs-group-list-head-handling.patch (git-fixes CVE-2025-39783 bsc#1249486). - Update patches.suse/PCI-hv-Fix-a-crash-in-hv_pci_restore_msi_msg-during-.patch (git-fixes CVE-2023-53175 bsc#1249845). - Update patches.suse/PM-devfreq-Fix-leak-in-devfreq_dev_release.patch (git-fixes CVE-2023-53518 bsc#1250923). - Update patches.suse/RDMA-bnxt_re-Properly-order-ib_device_unalloc-.patch (bsc#1012628 CVE-2023-53504 bsc#1250813). - Update patches.suse/RDMA-bnxt_re-wraparound-mbox-producer-index.patch (bsc#1012628 CVE-2023-53201 bsc#1249687). - Update patches.suse/RDMA-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch (git-fixes CVE-2025-39742 bsc#1249479). - Update patches.suse/RDMA-mlx5-Return-the-firmware-result-upon-dest.patch (bsc#1012628 CVE-2023-53286 bsc#1250325). - Update patches.suse/RDMA-rxe-Fix-unsafe-drain-work-queue-code.patch (git-fixes CVE-2023-53528 bsc#1250930). - Update patches.suse/RDMA-siw-Fix-the-sendmsg-byte-count-in-siw_tcp_sendp.patch (git-fixes CVE-2025-39758 bsc#1249490). - Update patches.suse/accel-habanalabs-fix-mem-leak-in-capture-user-.patch (bsc#1012628 CVE-2023-53367 bsc#1250243). - Update patches.suse/accel-qaic-Fix-slicing-memory-leak.patch (bsc#1012628 CVE-2023-53350 bsc#1250012). - Update patches.suse/accel-qaic-tighten-bounds-checking-in-decode_me.patch (bsc#1012628 CVE-2023-53493 bsc#1250820). - Update patches.suse/af_unix-Fix-data-races-around-user-unix_inflight.patch (git-fixes CVE-2023-53204 bsc#1249682). - Update patches.suse/arm64-sme-Set-new-vector-length-before-realloca.patch (bsc#1012628 CVE-2023-53184 bsc#1249823). - Update patches.suse/ax25-properly-unshare-skbs-in-ax25_kiss_rcv.patch (git-fixes CVE-2025-39848 bsc#1250298). - Update patches.suse/batman-adv-fix-OOB-read-write-in-network-coding-deco.patch (git-fixes CVE-2025-39839 bsc#1250291). - Update patches.suse/blk-cgroup-Reinit-blkg_iostat_set-after-clearin.patch (bsc#1012628 CVE-2023-53421 bsc#1250171). - Update patches.suse/blk-mq-fix-NULL-dereference-on-q-elevator-in-bl.patch (bsc#1012628 CVE-2023-53292 bsc#1250163). - Update patches.suse/bpf-Fix-memleak-due-to-fentry-attach-failure.patch (bsc#1012628 CVE-2023-53221 bsc#1249662). - Update patches.suse/bpf-cpumap-Fix-memory-leak-in-cpu_map_update_el.patch (bsc#1012628 CVE-2023-53441 bsc#1250150). - Update patches.suse/btrfs-abort-transaction-on-unexpected-eb-generation-.patch (git-fixes CVE-2025-39800 bsc#1250177). - Update patches.suse/btrfs-add-handling-for-RAID1C23-DUP-to-btrfs_re.patch (bsc#1012628 CVE-2023-53243 bsc#1249640). - Update patches.suse/btrfs-don-t-check-PageError-in-__extent_writepa.patch (bsc#1012628 CVE-2023-53429 bsc#1250384). - Update patches.suse/btrfs-exit-gracefully-if-reloc-roots-don-t-mat.patch (bsc#1012628 CVE-2023-53183 bsc#1249863). - Update patches.suse/btrfs-fix-BUG_ON-condition-in-btrfs_cancel_bal.patch (bsc#1012628 CVE-2023-53339 bsc#1250329). - Update patches.suse/btrfs-fix-use-after-free-of-new-block-group-th.patch (bsc#1012628 CVE-2023-53187 bsc#1249815). - Update patches.suse/btrfs-qgroup-fix-race-between-quota-disable-and-quot.patch (git-fixes CVE-2025-39759 bsc#1249522). - Update patches.suse/btrfs-set_page_extent_mapped-after-read_folio-i.patch (bsc#1012628 CVE-2023-53247 bsc#1249870). - Update patches.suse/bus-fsl-mc-don-t-assume-child-devices-are-all-f.patch (bsc#1012628 CVE-2023-53362 bsc#1249993). - Update patches.suse/bus-mhi-host-Detect-events-pointing-to-unexpected-TR.patch (git-fixes CVE-2025-39790 bsc#1249548). - Update patches.suse/can-gs_usb-fix-time-stamp-counter-initializatio.patch (bsc#1012628 CVE-2023-53523 bsc#1250926). - Update patches.suse/can-j1939-implement-NETDEV_UNREGISTER-notification-h.patch (git-fixes CVE-2025-39925 bsc#1250736). - Update patches.suse/can-xilinx_can-xcan_write_frame-fix-use-after-free-o.patch (git-fixes CVE-2025-39873 bsc#1250371). - Update patches.suse/cifs-prevent-use-after-free-by-freeing-the-cfil.patch (bsc#1012628 CVE-2023-53377 bsc#1250161). - Update patches.suse/clk-imx-clk-imx8mn-fix-memory-leak-in-imx8mn_cl.patch (bsc#1012628 CVE-2023-53249 bsc#1249642). - Update patches.suse/clk-imx-clk-imxrt1050-fix-memory-leak-in-imxrt1.patch (bsc#1012628 CVE-2023-53264 bsc#1249795). - Update patches.suse/clk-mediatek-fix-of_iomap-memory-leak.patch (bsc#1012628 CVE-2023-53424 bsc#1250169). - Update patches.suse/clk-mediatek-mt8183-Add-back-SSPM-related-cloc.patch (bsc#1012628 CVE-2023-53274 bsc#1249919). - Update patches.suse/clk-tegra-tegra124-emc-Fix-potential-memory-lea.patch (bsc#1012628 CVE-2023-53505 bsc#1250807). - Update patches.suse/comedi-Fix-use-of-uninitialized-memory-in-do_insn_io.patch (git-fixes CVE-2025-39684 bsc#1249281). - Update patches.suse/comedi-Make-insn_rw_emulate_bits-do-insn-n-samples.patch (git-fixes CVE-2025-39686 bsc#1249312). - Update patches.suse/comedi-fix-race-between-polling-and-detaching.patch (git-fixes CVE-2025-38687 bsc#1249177). - Update patches.suse/comedi-pcl726-Prevent-invalid-irq-number.patch (git-fixes CVE-2025-39685 bsc#1249282). - Update patches.suse/crypto-qat-flush-misc-workqueue-during-device-shutdo.patch (git-fixes CVE-2025-39721 bsc#1249323). - Update patches.suse/cxl-acpi-Fix-a-use-after-free-in-cxl_parse_cfmw.patch (bsc#1012628 CVE-2023-53479 bsc#1250837). - Update patches.suse/cxl-downgrade-a-warning-message-to-debug-level-in-cxl.patch (bsc#1229165 CVE-2023-53479 bsc#1250837). - Update patches.suse/dma-buf-dma-resv-Stop-leaking-on-krealloc-failu.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53181 bsc#1249824). - Update patches.suse/dmaengine-idxd-Fix-double-free-in-idxd_setup_wqs.patch (git-fixes CVE-2025-39870 bsc#1250402). - Update patches.suse/dmaengine-idxd-Remove-improper-idxd_free.patch (git-fixes CVE-2025-39871 bsc#1250377). - Update patches.suse/dmaengine-qcom-bam_dma-Fix-DT-error-handling-for-num.patch (git-fixes CVE-2025-39923 bsc#1250741). - Update patches.suse/dmaengine-ti-edma-Fix-memory-allocation-size-for-que.patch (git-fixes CVE-2025-39869 bsc#1250406). - Update patches.suse/drm-amd-display-Add-null-pointer-check-in-mod_hdcp_h.patch (git-fixes CVE-2025-39675 bsc#1249263). - Update patches.suse/drm-amd-display-Avoid-a-NULL-pointer-dereference.patch (stable-fixes CVE-2025-39693 bsc#1249279). - Update patches.suse/drm-amd-display-Fix-possible-underflow-for-disp.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53258 bsc#1249780). - Update patches.suse/drm-amdgpu-fix-calltrace-warning-in-amddrm_bud.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53152 bsc#1249883). - Update patches.suse/drm-amdgpu-fix-memory-leak-in-mes-self-test.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53370 bsc#1250208). - Update patches.suse/drm-amdgpu-install-stub-fence-into-potential-u.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53248 bsc#1249779). - Update patches.suse/drm-amdkfd-Destroy-KFD-debugfs-after-destroy-KFD-wq.patch (stable-fixes CVE-2025-39706 bsc#1249413). - Update patches.suse/drm-client-Fix-memory-leak-in-drm_client_modese.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53288 bsc#1250058). - Update patches.suse/drm-hisilicon-hibmc-fix-the-hibmc-loaded-failed-bug.patch (git-fixes CVE-2025-39772 bsc#1249506). - Update patches.suse/drm-mediatek-fix-potential-OF-node-use-after-free.patch (git-fixes CVE-2025-39882 bsc#1250389). - Update patches.suse/drm-msm-dp-Free-resources-after-unregistering-t.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53316 bsc#1250066). - Update patches.suse/drm-msm-mdp5-Don-t-leak-some-plane-state.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53324 bsc#1250070). - Update patches.suse/drm-nouveau-disp-fix-use-after-free-in-error-h.patch (bsc#1012628 bsc#1214073 CVE-2023-53263 bsc#1249861). - Update patches.suse/drm-nouveau-nvif-Fix-potential-memory-leak-in-nvif_v.patch (git-fixes CVE-2025-39679 bsc#1249338). - Update patches.suse/drm-radeon-Fix-integer-overflow-in-radeon_cs_pa.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53309 bsc#1250055). - Update patches.suse/drm-tests-helpers-Avoid-a-driver-uaf.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53235 bsc#1249785). - Update patches.suse/drm-ttm-check-null-pointer-before-accessing-wh.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53352 bsc#1250006). - Update patches.suse/drm-ttm-fix-bulk_move-corruption-when-adding-a-.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53444 bsc#1250157). - Update patches.suse/erofs-Fix-detection-of-atomic-context.patch (bsc#1012628 CVE-2023-53231 bsc#1249787). - Update patches.suse/exfat-add-cluster-chain-loop-check-for-dir.patch (git-fixes CVE-2025-38692 bsc#1249221). - Update patches.suse/ext2-dax-Fix-ext2_setsize-when-len-is-page-alig.patch (bsc#1012628 CVE-2023-53323 bsc#1250069). - Update patches.suse/f2fs-don-t-reset-unchangable-mount-option-in-f2.patch (bsc#1012628 CVE-2023-53447 bsc#1250241). - Update patches.suse/fbdev-Fix-vmalloc-out-of-bounds-write-in-fast_imageb.patch (stable-fixes CVE-2025-38685 bsc#1249220). - Update patches.suse/fbdev-ep93xx-fb-Do-not-assign-to-struct-fb_info.dev.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53314 bsc#1250065). - Update patches.suse/fbdev-fix-potential-buffer-overflow-in-do_register_f.patch (stable-fixes CVE-2025-38702 bsc#1249254). - Update patches.suse/fbdev-imxfb-Removed-unneeded-release_mem_region.patch (jsc#PED-3527 jsc#PED-5475 jsc#PED-6068 jsc#PED-6070 jsc#PED-6116 jsc#PED-6120 jsc#PED-5065 jsc#PED-5477 jsc#PED-5511 jsc#PED-6041 jsc#PED-6069 jsc#PED-6071 CVE-2023-53448 bsc#1250873). - Update patches.suse/firewire-net-fix-use-after-free-in-fwnet_finis.patch (bsc#1012628 CVE-2023-53432 bsc#1250426). - Update patches.suse/firmware-stratix10-svc-Fix-a-potential-resource.patch (bsc#1012628 CVE-2023-53255 bsc#1249762). - Update patches.suse/fs-jfs-Fix-UBSAN-array-index-out-of-bounds-in-d.patch (bsc#1012628 CVE-2023-53485 bsc#1250872). - Update patches.suse/fs-ntfs3-Enhance-sanity-check-while-generating.patch (bsc#1012628 CVE-2023-53328 bsc#1249952). - Update patches.suse/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch (git-fixes CVE-2025-38715 bsc#1249196). - Update patches.suse/hfsplus-don-t-use-BUG_ON-in-hfsplus_create_attributes_file.patch (git-fixes CVE-2025-38712 bsc#1249194). - Update patches.suse/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch (git-fixes CVE-2025-38714 bsc#1249260). - Update patches.suse/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch (git-fixes CVE-2025-38713 bsc#1249200). - Update patches.suse/hsr-Fix-uninit-value-access-in-fill_frame_info.patch (bsc#1220419 CVE-2023-53462 bsc#1250878). - Update patches.suse/hwmon-pmbus_core-Fix-NULL-pointer-dereference.patch (bsc#1012628 CVE-2023-53206 bsc#1249679). - Update patches.suse/ibmvnic-Do-not-reset-dql-stats-on-NON_FATAL-err.patch (bsc#1012628 CVE-2023-53463 bsc#1250867). - Update patches.suse/ice-Block-switchdev-mode-when-ADQ-is-active-an.patch (bsc#1012628 CVE-2023-53442 bsc#1250201). - Update patches.suse/icmp6-Fix-null-ptr-deref-of-ip6_null_entry-rt6i.patch (bsc#1012628 CVE-2023-53343 bsc#1250022). - Update patches.suse/igb-Fix-igb_down-hung-on-surprise-removal.patch (bsc#1012628 CVE-2023-53148 bsc#1249842). - Update patches.suse/iio-imu-bno055-fix-OOB-access-of-hw_xlate-array.patch (git-fixes CVE-2025-39719 bsc#1249271). - Update patches.suse/io_uring-wait-interruptibly-for-request-complet.patch (bsc#1012628 CVE-2023-53461 bsc#1250941). - Update patches.suse/iommu-amd-iommu_v2-Fix-pasid_state-refcount-dec-hit-.patch (git-fixes CVE-2023-53501 bsc#1250815). - Update patches.suse/iommu-arm-smmu-qcom-Add-SM6115-MDSS-compatible.patch (git-fixes CVE-2025-39739 bsc#1249542). - Update patches.suse/ip6mr-Fix-skb_under_panic-in-ip6mr_cache_repor.patch (bsc#1012628 CVE-2023-53365 bsc#1249988). - Update patches.suse/ipv6-addrconf-fix-a-potential-refcount-underflo.patch (bsc#1012628 CVE-2023-53189 bsc#1249894). - Update patches.suse/jbd2-check-jh-b_transaction-before-removing-it-from-.patch (bsc#1214953 CVE-2023-53526 bsc#1250928). - Update patches.suse/jfs-Regular-file-corruption-check.patch (git-fixes CVE-2025-38698 bsc#1249255). - Update patches.suse/jfs-jfs_dmap-Validate-db_l2nbperpage-while-moun.patch (bsc#1012628 CVE-2023-53222 bsc#1249864). - Update patches.suse/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch (git-fixes CVE-2025-39743 bsc#1249489). - Update patches.suse/jfs-upper-bound-check-of-tree-index-in-dbAllocAG.patch (git-fixes CVE-2025-38697 bsc#1249257). - Update patches.suse/kobject-Add-sanity-check-for-kset-kobj.ktype-in-kset.patch (git-fixes CVE-2023-53480 bsc#1250861). - Update patches.suse/lwt-Fix-return-values-of-BPF-xmit-ops.patch (jsc#PED-6811 CVE-2023-53338 bsc#1250074). - Update patches.suse/mISDN-hfcpci-Fix-warning-when-deleting-uninitialized.patch (git-fixes CVE-2025-39833 bsc#1250028). - Update patches.suse/macvlan-add-forgotten-nla_policy-for-IFLA_MACVL.patch (bsc#1012628 CVE-2023-53516 bsc#1250918). - Update patches.suse/md-raid10-check-slab-out-of-bounds-in-md_bitmap.patch (bsc#1012628 CVE-2023-53357 bsc#1249994). - Update patches.suse/md-raid10-fix-null-ptr-deref-of-mreplace-in-rai.patch (bsc#1012628 CVE-2023-53380 bsc#1250198). - Update patches.suse/md-raid10-fix-wrong-setting-of-max_corr_read_er.patch (bsc#1012628 CVE-2023-53313 bsc#1249911). - Update patches.suse/md-raid10-prevent-soft-lockup-while-flush-write.patch (bsc#1012628 CVE-2023-53151 bsc#1249865). - Update patches.suse/md-raid5-cache-fix-null-ptr-deref-for-r5l_flush_stri-0d0b.patch (jsc#PED-7542 CVE-2023-53210 bsc#1249673). - Update patches.suse/media-az6007-Fix-null-ptr-deref-in-az6007_i2c_xfer.patch (git-fixes CVE-2023-53220 bsc#1250337). - Update patches.suse/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch (stable-fixes CVE-2025-38694 bsc#1249272). - Update patches.suse/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch (stable-fixes CVE-2025-38693 bsc#1249190). - Update patches.suse/media-hi846-fix-usage-of-pm_runtime_get_if_in_u.patch (bsc#1012628 CVE-2023-53177 bsc#1249849). - Update patches.suse/media-ipu-bridge-Fix-null-pointer-deref-on-SSDB-PLD-.patch (git-fixes CVE-2023-53336 bsc#1250073). - Update patches.suse/media-mdp3-Fix-resource-leaks-in-of_find_device_by_n.patch (git-fixes CVE-2023-53385 bsc#1250319). - Update patches.suse/media-platform-mediatek-vpu-fix-NULL-ptr-deref.patch (bsc#1012628 CVE-2023-53425 bsc#1250290). - Update patches.suse/media-rainshadow-cec-fix-TOCTOU-race-condition-in-ra.patch (git-fixes CVE-2025-39713 bsc#1249321). - Update patches.suse/media-usbtv-Lock-resolution-while-streaming.patch (git-fixes CVE-2025-39714 bsc#1249273). - Update patches.suse/media-uvcvideo-Fix-1-byte-out-of-bounds-read-in-uvc_.patch (git-fixes CVE-2025-38680 bsc#1249203). - Update patches.suse/media-v4l2-mem2mem-add-lock-to-protect-paramet.patch (bsc#1012628 CVE-2023-53519 bsc#1250964). - Update patches.suse/media-venus-Add-a-check-for-packet-size-after-readin.patch (git-fixes CVE-2025-39710 bsc#1249304). - Update patches.suse/media-venus-protect-against-spurious-interrupts-duri.patch (git-fixes CVE-2025-39709 bsc#1249278). - Update patches.suse/mlxsw-minimal-fix-potential-memory-leak-in-mlxs.patch (bsc#1012628 CVE-2023-53195 bsc#1249761). - Update patches.suse/mm-kmem-fix-a-NULL-pointer-dereference-in-obj_.patch (bsc#1012628 CVE-2023-53401 bsc#1250120). - Update patches.suse/mm-move-page-table-sync-declarations-to-linux-pgtabl.patch (git-fixes CVE-2025-39844 bsc#1250268). - Update patches.suse/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_.patch (git-fixes CVE-2025-38681 bsc#1249204). - Update patches.suse/modpost-fix-off-by-one-in-is_executable_section.patch (bsc#1012628 CVE-2023-53397 bsc#1250125). - Update patches.suse/mptcp-fix-disconnect-vs-accept-race.patch (bsc#1012628 CVE-2023-53490 bsc#1250827). - Update patches.suse/msft-hv-3329-hv_netvsc-Fix-panic-during-namespace-deletion-with-V.patch (bsc#1248111 CVE-2025-38683 bsc#1249159). - Update patches.suse/mtd-rawnand-stm32_fmc2-avoid-overlapping-mappings-on.patch (git-fixes CVE-2025-39907 bsc#1250713). - Update patches.suse/net-dcb-choose-correct-policy-to-parse-DCB_ATT.patch (bsc#1012628 CVE-2023-53369 bsc#1250206). - Update patches.suse/net-dsa-Removed-unneeded-of_node_put-in-felix_p.patch (bsc#1012628 CVE-2023-53170 bsc#1249850). - Update patches.suse/net-ena-fix-shift-out-of-bounds-in-exponential-.patch (bsc#1012628 CVE-2023-53272 bsc#1249917). - Update patches.suse/net-ethernet-mvpp2_main-fix-possible-OOB-write-in-mv.patch (git-fixes CVE-2023-53495 bsc#1250907). - Update patches.suse/net-fix-net_dev_start_xmit-trace-event-vs-skb_t.patch (bsc#1012628 CVE-2023-53312 bsc#1250063). - Update patches.suse/net-marvell-prestera-fix-handling-IPv4-routes-.patch (bsc#1012628 CVE-2023-53342 bsc#1250029). - Update patches.suse/net-microchip-vcap-api-Fix-possible-memory-leak-for-.patch (git-fixes CVE-2023-53303 bsc#1249896). - Update patches.suse/net-mlx5-Unregister-devlink-params-in-case-int.patch (bsc#1012628 CVE-2023-53507 bsc#1250808). - Update patches.suse/net-mlx5e-fix-memory-leak-in-mlx5e_fs_tt_redire.patch (bsc#1012628 CVE-2023-53371 bsc#1250112). - Update patches.suse/net-mlx5e-xsk-Fix-crash-on-regular-rq-reactiva.patch (bsc#1012628 CVE-2023-53394 bsc#1250199). - Update patches.suse/net-rose-convert-use-field-to-refcount_t.patch (git-fixes CVE-2025-39826 bsc#1250203). - Update patches.suse/net-rose-include-node-references-in-rose_neigh-refco.patch (git-fixes CVE-2025-39827 bsc#1250204). - Update patches.suse/net-usb-asix_devices-Fix-PHY-address-mask-in-MDIO-bu.patch (git-fixes CVE-2025-38736 bsc#1249318). - Update patches.suse/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-b.patch (git-fixes CVE-2025-38725 bsc#1249170). - Update patches.suse/netfilter-conntrack-dccp-copy-entire-header-to-.patch (CVE-2023-39197 bsc#1012628 bsc#1216976 CVE-2023-53333 bsc#1249949). - Update patches.suse/netfilter-ipset-add-the-missing-IP_SET_HASH_WITH_NET.patch (CVE-2023-42753 bsc#1215150 CVE-2023-53179 bsc#1249825). - Update patches.suse/netfilter-nf_tables-do-not-ignore-genmask-when-.patch (bsc#1012628 CVE-2023-31248 bsc#1213061 CVE-2023-53492 bsc#1250823). - Update patches.suse/netfilter-nft_set_rbtree-fix-overlap-expiration.patch (bsc#1012628 CVE-2023-53304 bsc#1249923). - Update patches.suse/netlink-avoid-infinite-retry-looping-in-netlink_unic.patch (CVE-2025-38465 bsc#1247118 CVE-2025-38727 bsc#1249166). - Update patches.suse/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch (git-fixes CVE-2025-38724 bsc#1249169). - Update patches.suse/nilfs2-fix-use-after-free-of-nilfs_root-in-dir.patch (bsc#1012628 CVE-2023-53311 bsc#1250062). - Update patches.suse/ntfs-Fix-panic-about-slab-out-of-bounds-caused-.patch (bsc#1012628 CVE-2023-53420 bsc#1250186). - Update patches.suse/nubus-Partially-revert-proc_create_single_data-.patch (bsc#1012628 CVE-2023-53217 bsc#1249672). - Update patches.suse/null_blk-fix-poll-request-timeout-handling.patch (bsc#1216436 CVE-2023-53531 bsc#1250931). - Update patches.suse/ovl-fix-null-pointer-dereference-in-ovl_permiss.patch (bsc#1012628 CVE-2023-53260 bsc#1249768). - Update patches.suse/pNFS-Fix-uninited-ptr-deref-in-block-scsi-layout.patch (git-fixes CVE-2025-38691 bsc#1249215). - Update patches.suse/pcmcia-Add-error-handling-for-add_interval-in-do_val.patch (git-fixes CVE-2025-39920 bsc#1250732). - Update patches.suse/pcmcia-Fix-a-NULL-pointer-dereference-in-__iodyn_fin.patch (git-fixes CVE-2025-39846 bsc#1250263). - Update patches.suse/phy-hisilicon-Fix-an-out-of-bounds-check-in-his.patch (bsc#1012628 CVE-2023-53238 bsc#1249707). - Update patches.suse/powercap-arm_scmi-Remove-recursion-while-parsing-zon.patch (git-fixes CVE-2023-53428 bsc#1250167). - Update patches.suse/powerpc-rtas_flash-allow-user-copy-to-flash-bl.patch (bsc#1012628 bsc#1194869 CVE-2023-53487 bsc#1250830). - Update patches.suse/pstore-ram-Check-start-of-empty-przs-during-init.patch (git-fixes CVE-2023-53331 bsc#1249950). - Update patches.suse/pwm-lpc32xx-Remove-handling-of-PWM-channels.patch (git-fixes CVE-2023-53472 bsc#1250841). - Update patches.suse/rcu-rcuscale-Stop-kfree_scale_thread-thread-s-a.patch (bsc#1012628 CVE-2023-53291 bsc#1249926). - Update patches.suse/regulator-da9063-better-fix-null-deref-with-pa.patch (bsc#1012628 CVE-2023-53364 bsc#1249984). - Update patches.suse/s390-ism-fix-concurrency-management-in-ism_cmd.patch (git-fixes bsc#1248735 CVE-2025-39726 bsc#1249266). - Update patches.suse/s390-sclp-Fix-SCCB-present-check.patch (git-fixes bsc#1249123 CVE-2025-39694 bsc#1249299). - Update patches.suse/sched-fair-Don-t-balance-task-to-its-current-ru.patch (bsc#1012628 CVE-2023-53215 bsc#1250397). - Update patches.suse/scsi-core-Fix-possible-memory-leak-if-device_a.patch (bsc#1012628 CVE-2023-53174 bsc#1250024). - Update patches.suse/scsi-lpfc-Check-for-hdwq-null-ptr-when-cleaning-up-l.patch (bsc#1245260 bsc#1243100 bsc#1246125 CVE-2025-38695 bsc#1249285). - Update patches.suse/scsi-qla2xxx-Fix-potential-NULL-pointer-derefer.patch (bsc#1012628 CVE-2023-53451 bsc#1250831). - Update patches.suse/scsi-qla2xxx-Pointer-may-be-dereferenced.patch (bsc#1012628 CVE-2023-53150 bsc#1249853). - Update patches.suse/scsi-qla2xxx-Remove-unused-nvme_ls_waitq-wait-q.patch (bsc#1012628 CVE-2023-53280 bsc#1249938). - Update patches.suse/scsi-qla2xxx-Use-raw_smp_processor_id-instead-of-smp.patch (bsc#1214928 jsc#PED-5063 CVE-2023-53530 bsc#1250949). - Update patches.suse/scsi-qla2xxx-Wait-for-io-return-on-terminate-rp.patch (bsc#1012628 CVE-2023-53322 bsc#1250323). - Update patches.suse/scsi-qla4xxx-Add-length-check-when-parsing-nlattrs.patch (git-fixes CVE-2023-53456 bsc#1250765). - Update patches.suse/scsi-snic-Fix-possible-memory-leak-if-device_a.patch (bsc#1012628 CVE-2023-53436 bsc#1250156). - Update patches.suse/scsi-storvsc-Fix-handling-of-virtual-Fibre-Cha.patch (bsc#1012628 CVE-2023-53245 bsc#1249641). - Update patches.suse/scsi-ufs-core-Fix-handling-of-lrbp-cmd.patch (bsc#1012628 CVE-2023-53510 bsc#1250812). - Update patches.suse/serial-8250-fix-panic-due-to-PSLVERR.patch (git-fixes CVE-2025-39724 bsc#1249265). - Update patches.suse/shmem-use-ramfs_kill_sb-for-kill_sb-method-of-r.patch (bsc#1012628 CVE-2023-53391 bsc#1250117). - Update patches.suse/skbuff-skb_segment-Call-zero-copy-functions-before-u.patch (bsc#1220419 CVE-2023-53354 bsc#1250004). - Update patches.suse/smb-client-fix-warning-in-cifs_smb3_do_mount.patch (bsc#1012628 CVE-2023-53230 bsc#1249866). - Update patches.suse/soundwire-qcom-fix-storing-port-config-out-of-b.patch (bsc#1012628 CVE-2023-53465 bsc#1250863). - Update patches.suse/start_kernel-Add-__no_stack_protector-function-.patch (bsc#1012628 CVE-2023-53491 bsc#1250942). - Update patches.suse/thunderbolt-Fix-memory-leak-in-tb_handle_dp_ba.patch (bsc#1012628 CVE-2023-53527 bsc#1250929). - Update patches.suse/tls-separate-no-async-decryption-request-handling-fr.patch (CVE-2024-26584 bsc#1220186 CVE-2024-58240 bsc#1248847). - Update patches.suse/tracing-Fix-null-pointer-dereference-in-tracing.patch (bsc#1012628 CVE-2023-53167 bsc#1249712). - Update patches.suse/tracing-Fix-race-issue-between-cpu-buffer-write-and-swap.patch (git-fixes CVE-2023-53368 bsc#1249979). - Update patches.suse/ublk-fail-to-recover-device-if-queue-setup-is-i.patch (bsc#1012628 CVE-2023-53207 bsc#1249678). - Update patches.suse/ublk-fail-to-start-device-if-queue-setup-is-int.patch (bsc#1012628 CVE-2023-53508 bsc#1250809). - Update patches.suse/udf-Fix-uninitialized-array-access-for-some-pat.patch (bsc#1012628 CVE-2023-53165 bsc#1250395). - Update patches.suse/usb-cdns3-Put-the-cdns-set-active-part-outside-the-s.patch (git-fixes CVE-2023-53287 bsc#1250089). - Update patches.suse/usb-core-config-Prevent-OOB-read-in-SS-endpoint-comp.patch (stable-fixes CVE-2025-39760 bsc#1249598). - Update patches.suse/usb-dwc3-Remove-WARN_ON-for-device-endpoint-command-.patch (stable-fixes CVE-2025-39801 bsc#1250450). - Update patches.suse/usb-dwc3-qcom-Fix-potential-memory-leak.patch (bsc#1012628 CVE-2023-53196 bsc#1249758). - Update patches.suse/usb-gadget-u_serial-Add-null-pointer-check-in-g.patch (bsc#1012628 CVE-2023-53356 bsc#1249997). - Update patches.suse/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_.patch (bsc#1012628 CVE-2023-53379 bsc#1250128). - Update patches.suse/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch (bsc#1012628 CVE-2023-53515 bsc#1250917). - Update patches.suse/vxlan-Fix-nexthop-hash-size.patch (bsc#1012628 CVE-2023-53192 bsc#1249897). - Update patches.suse/wifi-ath11k-fix-sleeping-in-atomic-in-ath11k_mac_op_.patch (git-fixes CVE-2025-39732 bsc#1249292). - Update patches.suse/wifi-ath12k-Avoid-NULL-pointer-access-during-ma.patch (bsc#1012628 CVE-2023-53180 bsc#1249826). - Update patches.suse/wifi-ath12k-Correct-tid-cleanup-when-tid-setup-fails.patch (stable-fixes CVE-2025-39750 bsc#1249523). - Update patches.suse/wifi-ath12k-Decrement-TID-on-RX-peer-frag-setup-erro.patch (stable-fixes CVE-2025-39761 bsc#1249554). - Update patches.suse/wifi-ath9k-don-t-allow-to-overwrite-ENDPOINT0-a.patch (bsc#1012628 CVE-2023-53185 bsc#1249820). - Update patches.suse/wifi-brcmfmac-fix-use-after-free-when-rescheduling-b.patch (git-fixes CVE-2025-39863 bsc#1250281). - Update patches.suse/wifi-cfg80211-fix-use-after-free-in-cmp_bss.patch (git-fixes CVE-2025-39864 bsc#1250242). - Update patches.suse/wifi-cfg80211-sme-cap-SSID-length-in-__cfg80211_conn.patch (git-fixes CVE-2025-39849 bsc#1250266). - Update patches.suse/wifi-iwlwifi-pcie-fix-NULL-pointer-dereference-.patch (bsc#1012628 CVE-2023-53251 bsc#1249730). - Update patches.suse/wifi-mac80211-check-S1G-action-frame-size.patch (git-fixes CVE-2023-53257 bsc#1249869). - Update patches.suse/wifi-mac80211_hwsim-Fix-possible-NULL-dereferen.patch (bsc#1012628 CVE-2023-53209 bsc#1249856). - Update patches.suse/wifi-mac80211_hwsim-drop-short-frames.patch (git-fixes CVE-2023-53321 bsc#1250313). - Update patches.suse/wifi-mwifiex-Fix-OOB-and-integer-underflow-when-rx-p.patch (git-fixes CVE-2023-53226 bsc#1249658). - Update patches.suse/wifi-mwifiex-Initialize-the-chan_stats-array-to-zero.patch (git-fixes CVE-2025-39891 bsc#1250712). - Update patches.suse/wifi-mwifiex-avoid-possible-NULL-skb-pointer-derefer.patch (git-fixes CVE-2023-53384 bsc#1250127). - Update patches.suse/x86-MCE-Always-save-CS-register-on-AMD-Zen-IF-Poison-error.patch (git-fixes CVE-2023-53438 bsc#1250180). - Update patches.suse/x86-mm-64-define-ARCH_PAGE_TABLE_SYNC_MASK-and-arch_.patch (git-fixes CVE-2025-39845 bsc#1250262). - Update patches.suse/x86-platform-uv-Use-alternate-source-for-socket-to-n.patch (bsc#1215696 CVE-2023-53496 bsc#1250905). - Update patches.suse/xfrm-add-NULL-check-in-xfrm_update_ae_params.patch (bsc#1012628 bsc#1213666 CVE-2023-3772 CVE-2023-53147 bsc#1249880). - Update patches.suse/xfrm-fix-slab-use-after-free-in-decode_session.patch (bsc#1012628 CVE-2023-53500 bsc#1250816). - Update patches.suse/xsk-Fix-xsk_diag-use-after-free-error-during-socket-.patch (bsc#1220419 CVE-2023-53426 bsc#1250166). - commit ee10a6d - i40e: Fix potential invalid access when MAC list is empty (CVE-2025-39853 bsc#1250275) - commit 4246fc5 - RDMA/siw: Always report immediate post SQ errors (git-fixes) - commit c1b6a15 - RDMA/rxe: Fix race in do_task() when draining (git-fixes) - commit 650fcb3 - IB/sa: Fix sa_local_svc_timeout_ms read race (git-fixes) - commit ced2c38 - RDMA/core: Resolve MAC of next-hop device without ARP support (git-fixes) - commit 9a8b6d9 - RDMA/cm: Rate limit destroy CM ID timeout error message (git-fixes) - commit 99220cf - RDMA/mlx5: Fix vport loopback forcing for MPV device (git-fixes) - commit aced925 - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count (git-fixes) - commit 665905d - bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup() (git-fixes). - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume (git-fixes). - iio: consumers: Fix offset handling in iio_convert_raw_to_processed() (git-fixes). - iio: dac: ad5421: use int type to store negative error codes (git-fixes). - iio: dac: ad5360: use int type to store negative error codes (git-fixes). - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE (git-fixes). - iio: frequency: adf4350: Fix prescaler usage (git-fixes). - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK (git-fixes). - iio: xilinx-ams: Unmask interrupts after updating alarms (git-fixes). - misc: genwqe: Fix incorrect cmd field being reported in error (git-fixes). - uio: uio_pdrv_genirq: Remove MODULE_DEVICE_TABLE (git-fixes). - thunderbolt: Compare HMAC values in constant time (git-fixes). - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls (git-fixes). - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup (git-fixes). - tty: n_gsm: Don't block input queue by waiting MSC (git-fixes). - serial: max310x: Add error checking in probe() (git-fixes). - mtd: rawnand: omap2: fix device leak on probe failure (git-fixes). - HID: intel-ish-ipc: Remove redundant ready check after timeout function (git-fixes). - hwrng: ks-sa - fix division by zero in ks_sa_rng_init (git-fixes). - crypto: hisilicon/qm - set NULL to qm-&gt;debug.qm_diff_regs (git-fixes). - crypto: aspeed - Fix dma_unmap_sg() direction (git-fixes). - crypto: atmel - Fix dma_unmap_sg() direction (git-fixes). - crypto: hisilicon/qm - check whether the input function and PF are on the same device (git-fixes). - hwrng: nomadik - add ARM_AMBA dependency (git-fixes). - crypto: keembay - Add missing check after sg_nents_for_len() (git-fixes). - commit 6795b42 - drivers/base/node: fix double free in register_one_node() (git-fixes). - commit 205d070 - net: nfc: nci: Add parameter validation for packet data (git-fixes). - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast (git-fixes). - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again (git-fixes). - wifi: ath10k: avoid unnecessary wait for service ready message (git-fixes). - wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() (git-fixes). - wifi: rtw89: avoid circular locking dependency in ser_state_run() (git-fixes). - wifi: mac80211: fix Rx packet handling when pubsta information is not available (git-fixes). - wifi: mt76: fix potential memory leak in mt76_wmac_probe() (git-fixes). - wifi: mwifiex: send world regulatory domain to driver (git-fixes). - media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove (git-fixes). - media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID (git-fixes). - media: i2c: mt9v111: fix incorrect type for ret (git-fixes). - media: pci: ivtv: Add missing check after DMA map (git-fixes). - media: cx18: Add missing check after DMA map (git-fixes). - media: st-delta: avoid excessive stack usage (git-fixes). - media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() (git-fixes). - wifi: virt_wifi: Fix page fault on connect (stable-fixes). - mmc: sdhci-cadence: add Mobileye eyeQ support (stable-fixes). - usb: core: Add 0x prefix to quirks debug output (stable-fixes). - commit dbb8904 - maple_tree: fix MAPLE_PARENT_RANGE32 and parent pointer docs (git-fixes). - media: rj54n1cb0c: Fix memleak in rj54n1_probe() (git-fixes). - media: lirc: Fix error handling in lirc_register() (git-fixes). - media: zoran: Remove zoran_fh structure (git-fixes). - drm/amdgpu: remove the redeclaration of variable i (git-fixes). - drm/msm/dpu: fix incorrect type for ret (git-fixes). - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() (git-fixes). - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) (git-fixes). - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) (git-fixes). - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) (git-fixes). - drm/amd/pm: Adjust si_upload_smc_data register programming (v3) (git-fixes). - drm/amd/pm: Fix si_upload_smc_data (v3) (git-fixes). - drm/amd/pm: Disable ULV even if unsupported (v3) (git-fixes). - drm/amdgpu: Power up UVD 3 for FW validation (v2) (git-fixes). - drm/rcar-du: dsi: Fix 1/2/3 lane support (git-fixes). - drm/amd/display: Remove redundant semicolons (git-fixes). - firewire: core: fix overlooked update of subsystem ABI version (git-fixes). - commit 2161328 - docs: admin-guide: update to current minimum pipe size default (git-fixes). - drivers/base/node: handle error properly in register_one_node() (git-fixes). - Bluetooth: ISO: don't leak skb in ISO_CONT RX (git-fixes). - Bluetooth: ISO: Fix possible UAF on iso_conn_free (git-fixes). - Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO (git-fixes). - drm/radeon/r600_cs: clean up of dead code in r600_cs (git-fixes). - drm/bridge: it6505: select REGMAP_I2C (git-fixes). - drm/panel: novatek-nt35560: Fix invalid return value (git-fixes). - can: rcar_can: rcar_can_resume(): fix s2ram with PSCI (stable-fixes). - drm/i915/backlight: Return immediately when scale() finds invalid parameters (stable-fixes). - commit 07504f9 - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() (git-fixes). - ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free (git-fixes). - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping (git-fixes). - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (git-fixes). - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping (git-fixes). - ASoC: qcom: audioreach: fix potential null pointer dereference (git-fixes). - ASoC: imx-hdmi: remove cpu_pdev related code (git-fixes). - ALSA: lx_core: use int type to store negative error codes (git-fixes). - ALSA: usb-audio: Add mute TLV for playback volumes on more devices (stable-fixes). - ALSA: usb-audio: move mixer_quirks' min_mute into common quirk (stable-fixes). - commit 86dd099 - ALSA: usb-audio: Add DSD support for Comtrue USB Audio device (stable-fixes). - ALSA: usb-audio: Fix build with CONFIG_INPUT=n (git-fixes). - ALSA: usb-audio: Convert comma to semicolon (git-fixes). - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 (stable-fixes). - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks (stable-fixes). - ALSA: usb-audio: Simplify NULL comparison in mixer_quirks (stable-fixes). - ALSA: usb-audio: Avoid multiple assignments in mixer_quirks (stable-fixes). - ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks (stable-fixes). - ALSA: usb-audio: Fix block comments in mixer_quirks (stable-fixes). - commit 929e260 - Squashfs: reject negative file sizes in squashfs_read_inode() (git-fixes). - commit 2f68e78 - Squashfs: add additional inode sanity checking (git-fixes). - commit fe46811 - Squashfs: fix uninit-value in squashfs_get_parent (git-fixes). - commit 126861e - kbuild/modpost: Continue processing all unresolved symbols when KLP_SYM_RELA is found (bsc#1218644, bsc#1250655). - commit ec0a51c - Fix BPF selftests compilation error in bpf_iter.c (git-fixes) Since SUSE commit 7cae2487c586, BPF selftests fails to compile. .../tools/testing/selftests/bpf/prog_tests/bpf_iter.c: In function 'test_task_common_nocheck': .../tools/testing/selftests/bpf/prog_tests/bpf_iter.c:231:26: error: implicit declaration of function 'gettid'; did you mean 'getgid'? [-Werror=implicit-function-declaration] 231 | skel-&gt;bss-&gt;tid = gettid(); | ^~~~~~ | getgid Fix the BPF selftests compilation failure by: - bpf: handle implicit declaration of function gettid in bpf_iter.c - Refresh patches.suse/selftests-bpf-Clean-up-open-coded-gettid-syscall-inv.patch. - commit 43aa317 - Drivers: hv: Select CONFIG_SYSFB only if EFI is enabled (git-fixes). - KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (bsc#1246782 CVE-2025-38351). - Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests (git-fixes). - KVM: x86: model canonical checks more precisely (bsc#1246782 CVE-2025-38351). - KVM: x86: Add X86EMUL_F_MSR and X86EMUL_F_DT_LOAD to aid canonical (bsc#1246782 CVE-2025-38351). - KVM: x86: Route non-canonical checks in emulator through emulate_ops (bsc#1246782 CVE-2025-38351). - KVM: x86: drop x86.h include from cpuid.h (bsc#1246782 CVE-2025-38351). - KVM: x86: Bury guest_cpuid_is_amd_or_hygon() in cpuid.c (bsc#1246782 CVE-2025-38351). - KVM: SVM: Emulate SYSENTER RIP/RSP behavior for all Intel compat (bsc#1246782 CVE-2025-38351). - KVM: x86: Inhibit code #DBs in MOV-SS shadow for all Intel compat (bsc#1246782 CVE-2025-38351). - KVM: x86: Apply Intel's TSC_AUX reserved-bit behavior to Intel compat (bsc#1246782 CVE-2025-38351). - KVM: x86/pmu: Squash period for checkpointed events based on host (bsc#1246782 CVE-2025-38351). - commit 6e28165 - Update patches.suse/HID-asus-fix-UAF-via-HID_CLAIMED_INPUT-validation.patch (CVE-2025-39824 bsc#1250007). Added CVE reference - commit 579a063 - smb: client: fix race with concurrent opens in rename(2) (bsc#1250179, CVE-2025-39825). - commit 4df7381 - bus: fsl-mc: Check return value of platform_get_resource() (git-fixes). - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe (git-fixes). - firmware: meson_sm: fix device leak at probe (git-fixes). - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS (git-fixes). - thermal/drivers/qcom/lmh: Add missing IRQ includes (git-fixes). - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT (git-fixes). - ACPI: property: Fix buffer properties extraction for subnodes (git-fixes). - ACPI: processor: idle: Fix memory leak when register cpuidle device failed (git-fixes). - ACPICA: Fix largest possible resource descriptor index (git-fixes). - ACPI: debug: fix signedness issues in read/write helpers (git-fixes). - PM: sleep: core: Clear power.must_resume in noirq suspend error path (git-fixes). - PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() (git-fixes). - i3c: master: svc: Recycle unused IBI slot (git-fixes). - i3c: Fix default I2C adapter timeout value (git-fixes). - i2c: designware: Add disabling clocks when probe fails (git-fixes). - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD (git-fixes). - pinctrl: renesas: Use int type to store negative error codes (git-fixes). - pinctrl: samsung: Drop unused S3C24xx driver data (git-fixes). - pinctrl: meson-gxl: add missing i2c_d pinmux (git-fixes). - pinctrl: equilibrium: Remove redundant semicolons (git-fixes). - power: supply: max77976_charger: fix constant current reporting (git-fixes). - power: supply: cw2015: Fix a alignment coding style issue (git-fixes). - mfd: rz-mtu3: Fix MTU5 NFCR register offset (git-fixes). - spi: cadence-quadspi: Flush posted register writes before DAC access (git-fixes). - spi: cadence-quadspi: Flush posted register writes before INDAC access (git-fixes). - spi: mtk-snfi: Remove redundant semicolons (git-fixes). - spi: bcm2835: Remove redundant semicolons (git-fixes). - regulator: scmi: Use int type to store negative error codes (git-fixes). - regmap: Remove superfluous check for !config in __regmap_init() (git-fixes). - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() (git-fixes). - pwm: tiehrpwm: Fix corner case in clock divisor calculation (git-fixes). - pwm: tiehrpwm: Make code comment in .free() more useful (git-fixes). - pwm: berlin: Fix wrong register in suspend/resume (git-fixes). - hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems (git-fixes). - commit e80711d - Drop patches.suse/drm-amd-display-Disable-PSR-SU-on-eDP-panels.patch (bsc#1243112) The patch caused a regression wrt s2idle on AMD laptops - commit 5a5bec2 - net/smc: fix UAF on smcsk after smc_listen_out() (CVE-2025-38734 bsc#1249324). - commit b4812d3 - Update patches.suse/dmaengine-ti-edma-Fix-memory-allocation-size-for-que.patch (CVE-2025-39869 bsc#1250406). Added CVE reference - commit 056198e - writeback: Avoid contention on wb-&gt;list_lock when switching inodes (kABI fixup) (bsc#1237776). - commit 883c841 - netfilter: ctnetlink: remove refcounting in expectation dumpers (CVE-2025-39764 bsc#1249513). - commit 09ba55b - net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766 bsc#1249510). - commit c0189b7 - net/sched: Fix backlog accounting in qdisc_dequeue_internal (CVE-2025-39677 bsc#1249300). - commit 3cfca22 - tls: handle data disappearing from under the TLS ULP (CVE-2025-38616 bsc#1248512). - tls: fix lockless read of strp-&gt;msg_ready in -&gt;poll (CVE-2025-38616 bsc#1248512). - commit 8c223c9 - cifs: prevent NULL pointer dereference in UTF16 conversion (bsc#1250365, CVE-2025-39838). - commit 9718aa1 - scsi: core: ufs: Fix a hang in the error handler (CVE-2025-38119 bsc#1245700). - commit 43675ce - writeback: Avoid excessively long inode switching times (bsc#1237776). - commit 77817f2 - writeback: Avoid softlockup when switching many inodes (bsc#1237776). - commit 9ecba0d - writeback: Avoid contention on wb-&gt;list_lock when switching inodes (bsc#1237776). - commit a591614 - bpftool: Fix JSON writer resource leak in version command (git-fixes). - commit d19e155 - EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller (git-fixes). - commit 45a7726 - sched/rt: Fix race in push_rt_task (CVE-2025-38234 bsc#1246057) - commit 36ede09 - sched/core: Prevent rescheduling when interrupts are disabled (CVE-2024-58090 bsc#1240324) - commit 5da028c - xfs: do not propagate ENODATA disk errors into xattr code (bsc#1250025 CVE-2025-39835). - commit 78d977d - ocfs2: fix recursive semaphore deadlock in fiemap call (bsc#1250407 CVE-2025-39885). - ocfs2: prevent release journal inode after journal shutdown (bsc#1250267 CVE-2025-39842). - commit 3a5de55 - mm/smaps: fix race between smaps_hugetlb_range and migration (CVE-2025-39754 bsc#1249524). - commit 313ab7a - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast (git-fixes). - commit fb88d9d - tty: hvc_console: Call hvc_kick in hvc_write unconditionally (bsc#1230062). - commit 3702f36 - afs: Fix potential null pointer dereference in afs_put_server (git-fixes). - commit 3a230bf - net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() (CVE-2025-39857 bsc#1250251) - commit 7481e31 - selftests/cpufreq: Fix cpufreq basic read and update testcases (bsc#1250344). - commit 83a7790 - drm/ast: Use msleep instead of mdelay for edid read (bsc#1250530). - commit 2fd5794 - net/sched: ets: use old 'nbands' while purging unused classes (CVE-2025-38684 bsc#1249156). - commit e0501b7 - KVM: x86: use array_index_nospec with indices that come from guest (CVE-2025-39823 bsc#1250002). - commit ecf3611 - tee: fix NULL pointer dereference in tee_shm_put (CVE-2025-39865 bsc#1250294). - commit 3708eb2 - cpufreq: Initialize cpufreq-based invariance before subsys (git-fixes). - commit 9618c74 - cpufreq: tegra186: Share policy per cluster (stable-fixes). - commit dac2616 - x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper (CVE-2025-39681 bsc#1249303). - commit 5bc51ab - coresight: Fix memory leak in acpi_buffer-&gt;pointer (CVE-2023-53261 bsc#1249770). - commit 7cf7512 - soc: qcom: mdt_loader: Deal with zero e_shentsize (CVE-2025-39787 bsc#1249545). - soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() (CVE-2025-39787 bsc#1249545). - commit 3946900 - i2c: riic: Allow setting frequencies lower than 50KHz (git-fixes). - soc: qcom: mdt_loader: Ensure we don't read past the ELF header (CVE-2025-39787 bsc#1249545). - commit bb8f700 - sched/isolation: Fix boot crash when maxcpus &lt; first (git-fixes) - commit f52d7e3 - sched/numa, mm: do not try to migrate memory to memoryless (git-fixes) - commit d547451 - sched/fair: Remove unused parameter from sched_asym() (git-fixes) - commit 6507dc9 - sched/fair: Take the scheduling domain into account in (git-fixes) - commit 3d3501e - sched/deadline: Collect sched_dl_entity initialization (git-fixes) - commit 73df41d - Bluetooth: MGMT: Fix possible UAFs (git-fixes). - Refresh patches.kabi/hci_dev-centralize-extra-lock.patch. - commit 358e9ae - fbcon: Fix OOB access in font allocation (git-fixes). - commit e730b01 - fbcon: fix integer overflow in fbcon_do_set_font (git-fixes). - drm/gma500: Fix null dereference in hdmi teardown (git-fixes). - can: peak_usb: fix shift-out-of-bounds issue (git-fixes). - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow (git-fixes). - can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow (git-fixes). - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow (git-fixes). - can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow (git-fixes). - Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix hci_resume_advertising_sync (git-fixes). - ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx (stable-fixes). - net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer (git-fixes). - net: phy: fix phy_uses_state_machine() (git-fixes). - wifi: wilc1000: avoid buffer overflow in WID string configuration (stable-fixes). - wifi: mac80211: increase scan_ies_len for S1G (stable-fixes). - wifi: mac80211: fix incorrect type for ret (stable-fixes). - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported (stable-fixes). - dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() (git-fixes). - commit f69acd3 - iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() (git-fixes). - commit 9b4fa49 - net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM (CVE-2025-39770 bsc#1249508). - commit 8d2822a - kabi: Restore layout of parallel_data (bsc1248343). - commit c7e8448 - padata: Fix pd UAF once and for all (CVE-2025-38584 bsc1248343). - commit 00470a2 - xfrm: xfrm_alloc_spi shouldn't use 0 as SPI (CVE-2025-39797 bsc#1249608). - commit a50d626 - xfrm: Duplicate SPI Handling (CVE-2025-39797 bsc#1249608). - commit 313a1d3 - kernel-source.spec: Depend on python3-base for build Both kernel-binary and kernel-docs already have this dependency. Adding it to kernel-source makes it possible to use python in shared build scripts. - commit 72fdedd - kernel-source: Do not list mkspec and its inputs as sources (bsc#1250522). This excludes the files from the src.rpm. The next step is to remove these files in tar-up so that they do not get uploaded to OBS either. As there is only one version of tar-up these files need to be removed from all kernels. - commit e72b8a2 - selftests: bpf: test batch lookup on array of maps with holes (git-fixes). - commit 6ee12a9 - bpf: skip non exist keys in generic_map_lookup_batch (git-fixes). - commit dcb10ca - kABI: arm64: ftrace: Restore init_module behavior (git-fixes). - commit 113b4db - arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module (git-fixes) - commit 8f9b835 - rpm: Link arch-symbols script from scripts directory. - commit 90b2abb - struct ci_hdrc: new member has_short_pkt_limit to end (git-fixes). - commit 5b5fa69 - cgroup: llist: avoid memory tears for llist_node (bsc#1247963). - commit 854319b - kabi: add struct cgroup_extra (bsc#1247963). - commit 5114e86 - cgroup/rstat: Reduce cpu_lock hold time in cgroup_rstat_flush_locked() (bsc#1247963). - commit 2f30983 - cgroup/rstat: Optimize cgroup_rstat_updated_list() (bsc#1247963). - Refresh patches.kabi/kabi-add-struct-cgroup_extra.patch. - commit 966ee8b - btrfs: do not allow relocation of partially dropped subvolumes (bsc#1249540 CVE-2025-39738). - commit 60a9a58 - crypto: qat - add shutdown handler to qat_c3xxx (git-fixes). - commit 562553d - crypto: qat - add shutdown handler to qat_c62x (git-fixes). - commit 95c669b - rcu: Fix racy re-initialization of irq_work causing hangs (git-fixes) - commit bc7d88d - rcu: Fix rcu_read_unlock() deadloop due to IRQ work (bsc#1249494 CVE-2025-39744) - commit ef20792 - rcu: Protect -&gt;defer_qs_iw_pending from data race (bsc#1249533 CVE-2025-39749) - commit 2b090f5 - use uniform permission checks for all mount propagation changes (git-fixes). - commit 4b14435 - rcu/exp: Handle RCU expedited grace period kworker allocation (git-fixes) - commit 7737606 - rcu/exp: Fix RCU expedited parallel grace period kworker (git-fixes) - commit 19ee671 - crypto: qat - add shutdown handler to qat_dh895xcc (git-fixes). - commit 7ca55c2 - usb: typec: tcpci: use GENMASK() for TCPC_ROLE_CTRL_CC[12] (git-fixes). - commit 61574e5 - rpm: Link guards script from scripts directory. - commit e19a893 - usb: typec: maxim_contaminant: re-enable cc toggle if cc is open and port is clean (git-fixes). - commit d3067ea - usb: typec: maxim_contaminant: disable low power mode when reading comparator values (git-fixes). - commit f661b59 - usb: typec: tcpm/tcpci_maxim: fix non-contaminant CC handling (git-fixes). - commit 38cd076 - usb: typec: tcpm/tcpci_maxim: use GENMASK() for TCPC_VENDOR_CC_CTRL2 register (git-fixes). - commit 2b55585 - usb: dwc3: imx8mp: fix device leak at unbind (git-fixes). - commit 5a35982 - usb: xhci: Fix invalid pointer dereference in Etron workaround (git-fixes). - commit a8cfeaf - config.sh: Use Step repository for building Leap kernel bs-upload-kernel does not understand the Leap repository layout - commit cae4664 - usb: typec: fusb302: cache PD RX state (git-fixes). - commit 3e6c8b0 - usb: dwc3: qcom: Don't leave BCR asserted (git-fixes). - commit fdef7a6 - xhci: Fix control transfer error on Etron xHCI host (git-fixes). - commit f7d6da1 - usb: chipidea: add CI_HDRC_HAS_SHORT_PKT_LIMIT flag (git-fixes). - commit ff0fd10 - fs/nfs/io: make nfs_start_io_*() killable (git-fixes). - commit 8cf21ec - Delete patches.kabi/KVM-x86-Re-split-x2APIC-ICR-into-ICR-ICR2-for-AMD-x2.patch - commit 0a00b28 - kabi: drop kvm_x86_ops from kabi relevant symbols Since upstream commit dfc4e6ca04113 (&quot;KVM: x86: Unexport kvm_x86_ops&quot;) v5.18-rc1~139^2~153 kvm_x86_ops is no longer exported, so it can be dropped from kabi checks. - commit 4f5efb7 - kABI fix after vsock/virtio: fix `rx_bytes` accounting for stream sockets (git-fixes). - commit dd1042c - platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches (git-fixes). - commit 7941d4d - platform/mellanox: mlxbf-pmc: Validate event/enable input (git-fixes). - commit 7bd7d6e - platform/mellanox: mlxbf-pmc: Remove newline char from event name input (git-fixes). - commit e4c52ac - platform/x86: dell-wmi-sysman: Fix class device unregistration (git-fixes). - commit c3cf8fd - platform/x86: think-lmi: Fix class device unregistration (git-fixes). - commit dab00ca - netfilter: nf_reject: don't leak dst refcount for loopback packets (CVE-2025-38732 bsc#1249262). - commit e613385 - vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() (git-fixes). - commit b347e0b - vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page (git-fixes). - commit 64aa75c - vhost/vsock: Avoid allocating arbitrarily-sized SKBs (git-fixes). - commit 62a440b - vhost: fail early when __vhost_add_used() fails (git-fixes). - commit 9d77130 - vhost-scsi: Fix log flooding with target does not exist errors (git-fixes). - commit 2d6a672 - vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` (git-fixes). - commit 7139f2e - vsock/virtio: fix `rx_bytes` accounting for stream sockets (git-fixes). - commit c34e345 - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions (git-fixes) - commit c2e717d - vsock: avoid timeout during connect() if the socket is closing (git-fixes). - commit 34796d2 - vhost-scsi: Return queue full for page alloc failures during copy (git-fixes). - commit 3dcf5c3 - vsock: Allow retrying on connect() failure (git-fixes). - commit 1f9e448 - 9p/xen: fix init sequence (git-fixes). - commit 22e0fa2 - btrfs: tree-checker: fix the incorrect inode ref size check (git-fixes). - commit 1a69e6a - KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active (git-fixes). - commit 97c436d - KVM: x86: Drop pending_smi vs. INIT_RECEIVED check when setting MP_STATE (git-fixes). - commit 1086ea1 - KVM: SVM: Disable interception of SPEC_CTRL iff the MSR exists for the guest (git-fixes). - commit 16aecdb - KVM: VMX: Extract checking of guest's DEBUGCTL into helper (git-fixes). - commit a89d774 - KVM: x86: avoid underflow when scaling TSC frequency (git-fixes). - commit 1dc5b36 - KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing table (git-fixes). - commit fc7a1db - KVM: VMX: Flush shadow VMCS on emergency reboot (git-fixes). - commit 75149a0 - KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs (git-fixes). - commit 221d435 - KVM: x86: Fully defer to vendor code to decide how to force immediate exit (git-fixes). - commit 9d7cfec - KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2 (git-fixes). - commit 4708423 - KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers (git-fixes). - commit 80f5d63 - btrfs: fix invalid extref key setup when replaying dentry (git-fixes). - commit d51ea66 - KVM: VMX: Handle forced exit due to preemption timer in fastpath (git-fixes). - commit 1eccc09 - KVM: VMX: Re-enter guest in fastpath for &quot;spurious&quot; preemption timer exits (git-fixes). - commit e920f78 - KVM: x86: Plumb &quot;force_immediate_exit&quot; into kvm_entry() tracepoint (git-fixes). - commit d90d7aa - KVM: arm64: vgic: fix incorrect spinlock API usage (git-fixes). - commit 972706e - ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr (bsc#1249258 CVE-2025-38701). - commit f3682c5 - fs/buffer: fix use-after-free when call bh_read() helper (bsc#1249374 CVE-2025-39691). - jbd2: prevent softlockup in jbd2_log_do_checkpoint() (bsc#1249526 CVE-2025-39782). - loop: Avoid updating block size under exclusive owner (bsc#1249199 CVE-2025-38709). - eventpoll: Fix semi-unbounded recursion (bsc#1248392 CVE-2025-38614). - commit fc4be97 - PCI: Extend isolated function probing to LoongArch (git-fixes). - commit d35f4c9 - compiler: remove __ADDRESSABLE_ASM{_STR,}() again (git-fixes). - commit bf93f6c - x86/cpu: Add model number for Intel Clearwater Forest processor (git-fixes). - commit 7c8efd9 - wifi: cfg80211: remove cfg80211_inform_single_bss_frame_data() (git-fixes). - commit a72bcdf - xen/netfront: Fix TX response spurious interrupts (git-fixes). - commit 5e0ce6f - KVM: s390: Fix incorrect usage of mmu_notifier_register() (git-fixes bsc#1250336). - commit 64b94c2 - xen/gntdev: remove struct gntdev_copy_batch from stack (git-fixes). - commit 13539ce - wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() (git-fixes). - commit 5a9e007 - xenbus: Allow PVH dom0 a non-local xenstore (git-fixes). - commit 81be2ce - xen: Add support for XenServer 6.1 platform device (git-fixes). - commit a4daef0 - kabi: restore layout of struct cgroup_rstat_cpu (bsc#1247963). - commit 05abe8b - mmc: core: Use GFP_NOIO in ACMD22 (git-fixes). - commit 58bbbbb - cgroup: remove per-cpu per-subsystem locks (bsc#1247963). - cgroup: make css_rstat_updated nmi safe (bsc#1247963). - cgroup: support to enable nmi-safe css_rstat_updated (bsc#1247963). - commit 2adc7c0 - NFSv4/flexfiles: Fix layout merge mirror check (git-fixes). - commit fcad211 - SUNRPC: call xs_sock_process_cmsg for all cmsg (git-fixes). - commit 1f5dab1 - Revert &quot;SUNRPC: Don't allow waiting for exiting tasks&quot; (git-fixes). - commit f25412a - flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read (git-fixes). - commit 43ddf37 - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server (git-fixes). - commit da99754 - NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set (git-fixes). - commit 0b05e92 - NFSv4: Don't clear capabilities that won't be reset (git-fixes). - commit f31092e - nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* (git-fixes). - commit 4438737 - mmc: mvsdio: Fix dma_unmap_sg() nents value (git-fixes). - crypto: af_alg - Set merge to zero early in af_alg_sendmsg (git-fixes). - ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S (git-fixes). - ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface (git-fixes). - ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed (git-fixes). - ASoC: wm8974: Correct PLL rate rounding (git-fixes). - ASoC: wm8940: Correct typo in control name (git-fixes). - ASoC: wm8940: Correct PLL rate rounding (git-fixes). - ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message (git-fixes). - ALSA: hda: intel-dsp-config: Prevent SEGFAULT if ACPI_HANDLE() is NULL (git-fixes). - ALSA: hda/realtek: Add ALC295 Dell TAS2781 I2C fixup (git-fixes). - drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path (git-fixes). - drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ (git-fixes). - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions (stable-fixes). - USB: serial: option: add Telit Cinterion FN990A w/audio compositions (stable-fixes). - Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table (stable-fixes). - Input: iqs7222 - avoid enabling unused interrupts (stable-fixes). - drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time (stable-fixes). - drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages (stable-fixes). - mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing (git-fixes). - compiler-clang.h: define __SANITIZE_*__ macros only when undefined (stable-fixes). - i2c: i801: Hide Intel Birch Stream SoC TCO WDT (git-fixes). - mtd: nand: raw: atmel: Fix comment in timings preparation (stable-fixes). - commit 60c59ef - Drop arm64 patches that may lead to module load failure (bsc#1250057) Deleted: patches.suse/arm64-ftrace-fix-unreachable-PLT-for-ftrace_caller-in-init.patch patches.kabi/kABI-arm64-ftrace-Restore-struct-mod_arch_specific-l.patch - commit 2621bab - xfs: rework datasync tracking and execution (bsc#1237449). - xfs: rearrange code in xfs_inode_item_precommit (bsc#1237449). - commit 730f72c - habanalabs: fix UAF in export_dmabuf() (CVE-2025-38722 bsc#1249163). - commit 5507c4a - net: bridge: fix soft lockup in br_multicast_query_expired() (CVE-2025-39773 bsc#1249504). - commit 8e6b9c2 - cgroup: remove cgroup_rstat_flush_atomic() (bsc#1247963). - commit 45cbf76 - io_uring/net: commit partial buffers on retry (CVE-2025-38730 bsc#1249172). - commit 7b5fe24 - selftests/bpf: adapt one more case in test_lru_map to the new target_free (git-fixes). - commit 951807c - Correct typos of References tags in some patches - commit 183c46e - selftests/bpf: Add asserts for netfilter link info (git-fixes). - commit 443e26f - bpf: Fix link info netfilter flags to populate defrag flag (git-fixes). - commit d659929 - bpf: Adjust free target to avoid global starvation of LRU map (git-fixes). - commit a87821b - bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure (git-fixes). - commit fc9c396 - struct l2cap_chan: shift new member rx_avail to end (git-fixes). - commit df4a4b8 - Bluetooth: compute LE flow credits based on recvbuf space (git-fixes). - Refresh patches.suse/Bluetooth-L2CAP-Fix-deadlock.patch. - Refresh patches.suse/bluetooth-l2cap-sync-sock-recv-cb-and-release.patch. - commit 89343db - drm/amd/pm: fix null pointer access (CVE-2025-38705 bsc#1249334). - commit b78844e - vsock/virtio: Validate length in packet header before skb_put() (CVE-2025-39718 bsc#1249305). - commit 8072632 - arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module (git-fixes) - commit 420c073 - Bluetooth: qca: fix wcn3991 device address check (git-fixes). - commit 9189126 - Bluetooth: qca: fix invalid device address check (git-fixes). - commit 0795907 - wifi: ath10k: shutdown driver when hardware is unreliable (CVE-2025-39746 bsc#1249516). - commit b5556c6 - cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag (stable-fixes). - commit 9a8a959 - cpufreq: Exit governor when failed to start old governor (stable-fixes). - commit 39287fb - cpufreq: Init policy-&gt;rwsem before it may be possibly used (git-fixes). - commit 04861e7 - cpufreq: Initialize cpufreq-based frequency-invariance later (git-fixes). - commit ed31199 - cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode (git-fixes). - commit 723f0f4 - cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode (git-fixes). - commit 662764f - cpufreq: cppc: Fix invalid return value in .get() callback (git-fixes). - commit 6fc7d2a - drm/amd/display: fix a Null pointer dereference vulnerability (bsc#1249295 CVE-2025-39705) - commit fd61b4f - pptp: fix pptp_xmit() error path (git-fixes). - commit 91ca931 - net, hsr: reject HSR frame if skb can't hold tag (CVE-2025-39703 bsc#1249315). - netfilter: ctnetlink: fix refcount leak on table dump (CVE-2025-38721 bsc#1249176). - pptp: ensure minimal skb length in pptp_xmit() (CVE-2025-38574 bsc#1248365). - commit a50f469 - media: venus: Fix OOB read due to missing payload bound check (CVE-2025-38679 bsc#1249202). - commit 8b1060a - platform/x86/amd/hsmp: Ensure sock-&gt;metric_tbl_addr is non-NULL (CVE-2025-39678 bsc#1249290). - commit d0b499a - drivers/base/node: rename __register_one_node() to register_one_node() (bsc#1241866). - commit 806b51c - drivers/base/node: rename register_memory_blocks_under_node() and remove context argument (bsc#1241866). - commit 9ef69ed - drivers/base/node: remove register_memory_blocks_under_node() function call from register_one_node (bsc#1241866). - commit 2f00393 - drivers/base/node: remove register_mem_block_under_node_early() (bsc#1241866). - commit 02a1a4a - drivers/base/node: optimize memory block registration to reduce boot time (bsc#1241866). - commit 3a0dd5e - cpufreq: scpi: compare kHz instead of Hz (git-fixes). - commit bd20bfa - cpufreq: governor: Fix negative 'idle_time' handling in dbs_update() (git-fixes). - commit 7fc2c58 - cpufreq: Use the fixed and coherent frequency for scaling capacity (stable-fixes). - commit 573ea38 - power: supply: bq27xxx: restrict no-battery detection to bq27000 (git-fixes). - power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery (git-fixes). - commit 7d4436e - kABI: arm64: ftrace: Restore struct mod_arch_specific layout (git-fixes). - commit 7f84dae - arm64: dts: rockchip: Add vcc-supply to SPI flash on (git-fixes) - commit 06d6c63 - arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul (git-fixes) - commit d3f6628 - arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics (git-fixes) - commit faa58e2 - arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off (git-fixes) - commit 775e3f7 - arm64: Mark kernel as tainted on SAE and SError panic (git-fixes) - commit 833fcf1 - arm64: Handle KCOV __init vs inline mismatches (git-fixes) - commit 187b48f - arm64: dts: rockchip: use cs-gpios for spi1 on ringneck (git-fixes) - commit 8c45279 - arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou (git-fixes). - commit 5a86595 - arm64: dts: rockchip: disable unrouted USB controllers and PHY on (git-fixes) - commit 655bf48 - arm64: dts: rockchip: fix internal USB hub instability on RK3399 Puma (git-fixes) - commit d929ee1 - i2c: tegra: Use internal reset when reset property is not available (bsc#1249143) - commit 7b11853 - tls: fix handling of zero-length records on the rx_list (CVE-2025-39682 bsc#1249284). - commit 409e98c - kABI workaround for &quot;drm/dp: Add an EDID quirk for the DPCD register access probe&quot; (bsc#1248121). - commit 6cdcefb - drm/amd/display: Disable DPCD Probe Quirk (bsc#1248121). - commit 617e84a - drm/dp: Add an EDID quirk for the DPCD register access probe (bsc#1248121). - Refresh patches.suse/drm-Add-kabi-placeholders-to-commonly-used-structs.patch. - commit db9d8ac - drm/edid: Add support for quirks visible to DRM core and drivers (bsc#1248121). - drm/edid: Define the quirks in an enum list (bsc#1248121). - commit bc5a858 - drm/dp: Change AUX DPCD probe address from LANE0_1_STATUS to TRAINING_PATTERN_SET (bsc#1248121). - commit 36a72f9 - Update patches.suse/drm-dp-Change-AUX-DPCD-probe-address-from-DPCD_REV-t.patch (bsc#1248121) Move to the cherry-picked 6.16-rc patch, to be applied earlier - commit 49f20a1 - netfilter: nf_tables: reject duplicate device on updates (CVE-2025-38678 bsc#1249126). - commit 8b40732 - Limit patch filenames to 100 characters (bsc#1249604). - commit 8a17cff - iommu/amd: Avoid stack buffer overflow from kernel cmdline (CVE-2025-38676 bsc#1248775). - commit eddb6c4 - phy: ti-pipe3: fix device leak at unbind (git-fixes). - phy: tegra: xusb: fix device and OF node leak at probe (git-fixes). - dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate (git-fixes). - dmaengine: ti: edma: Fix memory allocation size for queue_priority_map (git-fixes). - dmaengine: idxd: Fix double free in idxd_setup_wqs() (git-fixes). - dmaengine: idxd: Fix refcount underflow on module unload (git-fixes). - dmaengine: idxd: Remove improper idxd_free (git-fixes). - dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees (git-fixes). - serial: sc16is7xx: fix bug in flow control levels init (git-fixes). - USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels (git-fixes). - xhci: fix memory leak regression when freeing xhci vdev devices depth first (git-fixes). - xhci: dbc: Fix full DbC transfer ring after several reconnects (git-fixes). - commit 517a9a9 - regulator: sy7636a: fix lifecycle of power good gpio (git-fixes). - commit 519b81c - struct cdc_ncm_ctx: hide new member filtering_supported (git-fixes). - commit 1152814 - drm/amdgpu: fix a memory leak in fence cleanup when unloading (git-fixes). - drm/i915/power: fix size for for_each_set_bit() in abox iteration (git-fixes). - commit 48c87c2 - drm/mediatek: fix potential OF node use-after-free (git-fixes). - drm/amd/display: use udelay rather than fsleep (git-fixes). - commit 9e6eea4 - net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions (git-fixes). - net: usb: cdc-ncm: check for filtering capability (git-fixes). - commit ce04178 - cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (bsc#1241166). - commit 414381b - s390/vfio-ap: Fix no AP queue sharing allowed message written to kernel log (git-fixes bsc#1249488). - commit e007691 - s390/cpum_cf: Deny all sampling events by counter PMU (git-fixes bsc#1249481). - s390/pai: Deny all events not handled by this PMU (git-fixes bsc#1249482). - commit 85f3e91 - mtd: rawnand: stm32_fmc2: fix ECC overwrite (git-fixes). - mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer (git-fixes). - can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB (git-fixes). - can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails (git-fixes). - can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed (git-fixes). - can: j1939: implement NETDEV_UNREGISTER notification handler (git-fixes). - commit ab68e9b - net/mlx5e: Remove skb secpath if xfrm state is not found (CVE-2025-38590 bsc#1248360) - commit ed11350 - rcu-tasks: Maintain real-time response in (bsc#1246298) - commit 1fbb6ff - rcu-tasks: Eliminate deadlocks involving do_exit() and RCU (bsc#1246298) - commit 61288e7 - smb: client: fix use-after-free in cifs_oplock_break (bsc#1248199, CVE-2025-38527). - commit 4692a87 - supported.conf: mark hyperv_drm as external - net: hv_netvsc: fix loss of early receive events from host during channel open (git-fixes). - hv_netvsc: Fix panic during namespace deletion with VF (bsc#1248111). - hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent IPv6 addrconf (git-fixes). - commit 2985c60 - Drop PCI patches that broke kdump capture boot (bsc#1246509) Deleted: patches.suse/PCI-Explicitly-put-devices-into-D0-when-initializing.patch patches.suse/PCI-PM-Set-up-runtime-PM-even-for-devices-without-PC.patch Refreshed: patches.suse/PCI-Support-Immediate-Readiness-on-devices-without-PM.patch - commit 70a44f4 - netfilter: nf_tables: split async and sync catchall in two functions (git-fixes). - Refresh patches.kabi/kABI-make-nft_trans_gc_catchall-public-again.patch. - commit b907ff6 - netfilter: nf_tables: Fix entries val in rule reset audit log (git-fixes). - commit a8ae150 - platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list (stable-fixes). - drm/amdgpu: drop hw access in non-DC audio fini (stable-fixes). - drm/amd/display: Don't warn when missing DCE encoder caps (stable-fixes). - commit 2aad2ce - ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model (stable-fixes). - ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY (stable-fixes). - ALSA: usb-audio: Add mute TLV for playback volumes on some devices (stable-fixes). - cpupower: Fix a bug where the -t option of the set subcommand was not working (stable-fixes). - cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN (stable-fixes). - Bluetooth: hci_sync: Avoid adding default advertising on startup (stable-fixes). - commit 3580eab - ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup (stable-fixes). - commit 0d08638 - ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA (stable-fixes). - commit 33271d8 - bpf, bpftool: Fix incorrect disasm pc (git-fixes). - commit 4188abf - bpf: bpftool: Setting error code in do_loader() (git-fixes). - commit 6283bbf - bpftool: Fix readlink usage in get_fd_type (git-fixes). - commit ae9652c - bpftool: fix potential NULL pointer dereferencing in prog_dump() (git-fixes). - commit 171c943 - bpftool: Mount bpffs when pinmaps path not under the bpffs (git-fixes). - commit fb91e0e - x86/amd_nb: Restrict init function to AMD-based systems (git-fixes). - commit f7e4409 - x86/rdrand: Disable RDSEED on AMD Cyan Skillfish (git-fixes). - commit a5e740f - x86/fpu: Delay instruction pointer fixup until after warning (git-fixes). - commit 6c7016a - x86/microcode/AMD: Handle the case of no BIOS microcode (git-fixes). - commit 8f2342d - kernel-subpackage-build: Decompress ghost file when compressed version exists (bsc#1249346) - commit 40606b5 - kABI workaround for RCU tasks exit tracking (bsc#1246298). - commit 90e8606 - btrfs: always update fstrim_range on failure in FITRIM ioctl (git-fixes). - commit 8b0d717 - netfilter: nf_tables: remove catchall element in GC sync path (git-fixes). - Refresh patches.kabi/kABI-make-nft_trans_gc_catchall-public-again.patch. - commit 6c470e7 - netfilter: nf_tables: revert do not remove elements if set backend implements .abort (git-fixes). - commit 54e2e34 - netfilter: nf_tables: Unbreak audit log reset (git-fixes). - commit 1d98f3d - net/mlx5: Check device memory pointer before usage (CVE-2025-38645 bsc#1248626). - commit 1353943 - x86/Kconfig: Always enable ARCH_SPARSEMEM_ENABLE (git-fixes). - commit 74f5e8a - ceph: validate snapdirname option length when mounting (git-fixes). - commit 3370873 - ceph: fix possible integer overflow in ceph_zero_objects() (git-fixes). - commit 096933b - x86/CPU/AMD: WARN when setting EFER.AUTOIBRS if and only if the WRMSR fails (git-fixes). - commit 1d1b06c - btrfs: add cancellation points to trim loops (git-fixes). - btrfs: split remaining space to discard in chunks (git-fixes). - btrfs: use SECTOR_SHIFT to convert physical offset to LBA (git-fixes). - commit 6bf77bf - mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn (git-fixes). - commit 6e9d9d9 - mm/hwpoison: do not send SIGBUS to processes with recovered clean pages (git-fixes). - commit 34ad618 - xen: fix UAF in dmabuf_exp_from_pages() (CVE-2025-38595 bsc#1248380). - commit 00fd621 - selftests/bpf: Add test cases with CONST_PTR_TO_MAP null checks (git-fixes). - selftests/bpf: Add cmp_map_pointer_with_const test (git-fixes). - bpf: Make reg_not_null() true for CONST_PTR_TO_MAP (git-fixes). - commit d187572 - PCI: pnv_php: Fix surprise plug detection and recovery (CVE-2025-38623 bsc#1248610). - commit e872ea6 - file: add take_fd() cleanup helper (CVE-2025-38595 bsc#1248380). - commit 7ffa1d7 - drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port (CVE-2025-38597 bsc#1248378). - commit 7f132df - bpf: Disable migration in nf_hook_run_bpf() (bsc#1248622 CVE-2025-38640). - commit b485f08 - btrfs: avoid load/store tearing races when checking if an inode was logged (git-fixes). - commit 60df77c - btrfs: fix race between setting last_dir_index_offset and inode logging (git-fixes). - commit 9120538 - btrfs: fix race between logging inode and checking if it was logged before (git-fixes). - commit 84758cf - btrfs: always abort transaction on failure to add block group to free space tree (git-fixes). - commit 55788e0 - btrfs: move transaction aborts to the error site in add_block_group_free_space() (git-fixes). - commit 1bba414 - btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() (git-fixes). - commit 47cbfed - isolcpus: add missing hunk back (bsc#1236897 bsc#1249206). Update patches.suse/blk-mq-use-hk-cpus-only-when-isolcpus-managed_irq-is.patch (bsc#1236897 bsc#1249206). - commit d06c033 - btrfs: qgroup: fix race between quota disable and quota rescan ioctl (git-fixes). - commit 6ecd72c - btrfs: abort transaction during log replay if walk_log_tree() failed (git-fixes). - commit 9ed0531 - netfilter: nf_tables: bogus ENOENT when destroying element which does not exist (git-fixes). - commit 1720cdf - netfilter: nf_conntrack_bridge: initialize err to 0 (git-fixes). - commit 37ed3f8 - netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses (git-fixes). - commit dc55ccf - netfilter: xt_recent: fix (increase) ipv6 literal buffer length (git-fixes). - commit 9b71437 - netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx (git-fixes). - commit 1837d60 - netfilter: nf_tables: nft_obj_filter fits into cb-&gt;ctx (git-fixes). - commit 7ebf747 - netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx (git-fixes). - commit 94eb28c - netfilter: nf_tables: A better name for nft_obj_filter (git-fixes). - commit 4e97e28 - netfilter: nf_tables: Unconditionally allocate nft_obj_filter (git-fixes). - commit 71527ef - netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj (git-fixes). - commit 457aebd - netfilter: nf_tables: Introduce nf_tables_getrule_single() (git-fixes). - commit 1f75537 - netfilter: xt_nfacct: don't assume acct name is null-terminated (CVE-2025-38639 bsc#1248674) - commit e51b72e - netfilter: nf_tables: Open-code audit log call in nf_tables_getrule() (git-fixes). - commit 05444c9 - netfilter: nft_set_rbtree: prefer sync gc to async worker (git-fixes). - commit 3892bab - netfilter: nft_set_rbtree: rename gc deactivate+erase function (git-fixes). - commit ee5de41 - netfilter: nf_tables: Drop pointless memset when dumping rules (git-fixes). - commit 9da7ab8 - kABI: netfilter flowtable move gc operation to bottom (git-fixes). - commit 81690ca - netfilter: flowtable: GC pushes back packets to classic path (git-fixes). - commit 6e4c347 - Update config files. (bsc#1249186) Plain run_oldconfig after Kconfig update. - commit 9d7abe4 - Refresh patches.suse/kernel-add-product-identifying-information-to-kernel-build.patch. (bsc#1249186) - commit 99400d5 - x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() (git-fixes). - commit 79df6a3 - mm: introduce and use {pgd,p4d}_populate_kernel() (git-fixes). - commit b0342dd - netfilter: nf_tables: audit log object reset once per table (git-fixes). - commit fd6322c - netfilter: nft_payload: fix wrong mac header matching (git-fixes). - commit d699ba5 - netfilter: nfnetlink_log: silence bogus compiler warning (git-fixes). - commit f57923e - mm: move page table sync declarations to linux/pgtable.h (git-fixes). - commit 1222abb - netfilter: nf_tables: do not remove elements if set backend implements .abort (git-fixes). - commit 19ebcee - netfilter: nf_tables: Deduplicate nft_register_obj audit logs (git-fixes). - commit 649bcef - kABI workaround for bluetooth discovery_state change (CVE-2025-38593 bsc#1248357). - commit a2afff6 - Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' (CVE-2025-38593 bsc#1248357). - Refresh patches.kabi/bluetooth-hci_dev-kabi-workaround.patch. - commit c998281 - nouveau: fix disabling the nonstall irq due to storm code (git-fixes). - commit 476894d - spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort (git-fixes). - spi: spi-fsl-lpspi: Set correct chip-select polarity bit (git-fixes). - spi: spi-fsl-lpspi: Fix transmissions when using CONT (git-fixes). - ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() (git-fixes). - hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM (git-fixes). - drm/amd/amdgpu: Fix missing error return on kzalloc failure (git-fixes). - drm/bridge: ti-sn65dsi86: fix REFCLK setting (git-fixes). - pcmcia: Add error handling for add_interval() in do_validate_mem() (git-fixes). - pcmcia: omap: Add missing check for platform_get_resource (git-fixes). - pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() (git-fixes). - commit 2aa7ff8 - erofs: fix atomic context detection when !CONFIG_DEBUG_LOCK_ALLOC (git-fixes). - commit 8bbba66 - net: drop UFO packets in udp_rcv_segment() (CVE-2025-38622 bsc#1248619). - commit b74a30a - kABI: adjust new field on ip_ct_sctp struct (git-fixes). - commit b932c6f - netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp (git-fixes). - commit 935c934 - smb: client: fix use-after-free in crypt_message when using async crypto (bsc#1247239, CVE-2025-38488). - commit 4fd2db6 - HID: input: report battery status changes immediately (git-fixes). - HID: input: rename hidinput_set_battery_charge_status() (stable-fixes). - commit c8518b5 - wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() (CVE-2025-38605 bsc#1248334). - regulator: core: fix NULL dereference on unbind due to stale coupling data (CVE-2025-38668 bsc#1248647). - commit 684e871 - wifi: ath11k: fix group data packet drops during rekey (git-fixes). - commit 8f7f429 - ax25: properly unshare skbs in ax25_kiss_rcv() (git-fixes). - wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (git-fixes). - wifi: libertas: cap SSID len in lbs_associate() (git-fixes). - wifi: cw1200: cap SSID length in cw1200_do_join() (git-fixes). - batman-adv: fix OOB read/write in network-coding decode (git-fixes). - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() (git-fixes). - Bluetooth: vhci: Prevent use-after-free by removing debugfs files early (git-fixes). - mISDN: Fix memory leak in dsp_hwec_enable() (git-fixes). - xirc2ps_cs: fix register access when enabling FullDuplex (git-fixes). - wifi: iwlwifi: uefi: check DSM item validity (git-fixes). - wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() (git-fixes). - wifi: mwifiex: Initialize the chan_stats array to zero (git-fixes). - wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work (git-fixes). - wifi: cfg80211: fix use-after-free in cmp_bss() (git-fixes). - HID: quirks: add support for Legion Go dual dinput modes (stable-fixes). - HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() (stable-fixes). - HID: wacom: Add a new Art Pen 2 (stable-fixes). - Revert &quot;drm/amdgpu: fix incorrect vm flags to map bo&quot; (stable-fixes). - net: rose: fix a typo in rose_clear_routes() (git-fixes). - net: rose: include node references in rose_neigh refcount (git-fixes). - net: rose: convert 'use' field to refcount_t (git-fixes). - net: rose: split remove and free operations in rose_remove_neigh() (stable-fixes). - dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted (stable-fixes). - ASoC: codecs: tx-macro: correct tx_macro_component_drv name (stable-fixes). - ACPI: EC: Add device to acpi_ec_no_wakeup[] qurik list (stable-fixes). - HID: mcp2221: Handle reads greater than 60 bytes (stable-fixes). - HID: mcp2221: Don't set bus speed on every transfer (stable-fixes). - commit c45df83 - perf: Revert to requiring CAP_SYS_ADMIN for uprobes (bsc#1247442 CVE-2025-38466). - commit 6200f52 - bpf: Properly test iter/task tid filtering (git-fixes). - commit 7cae248 - bpf: Fix iter/task tid filtering (git-fixes). - commit 51eef98 - wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() (CVE-2025-38643 bsc#1248681) - commit 913bce0 - netfilter: conntrack: fix extension size table (git-fixes). - commit 3a3ec96 - netfilter: nf_tables: disallow element removal on anonymous sets (git-fixes). - commit ed5fdf4 - netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration (git-fixes). - commit 1044906 - netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails (git-fixes). - commit 102d93f - kABI: make nft_trans_gc_catchall() public again (git-fixes). - commit a176bb1 - netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC (git-fixes). - commit d64bf79 - kABI fix for &quot;netfilter: nf_tables: Audit log rule reset&quot; (git-fixes). - commit 5173417 - netfilter: nf_tables: Audit log rule reset (git-fixes). - commit f27562f - [ceph] parse_longname(): strrchr() expects NUL-terminated string (bsc#1248634 CVE-2025-38660). - commit cc1fe76 - s390/sclp: Fix SCCB present check (git-fixes bsc#1249123). - s390/time: Use monotonic clock in get_cycles() (git-fixes bsc#1249125). - s390/stp: Remove udelay from stp_sync_clock() (git-fixes bsc#1249124). - hypfs_create_cpu_files(): add missing check for hypfs_mkdir() failure (git-fixes bsc#1249122). - commit a699d99 - Refresh patches.kabi/kabi-s390-ism-fix-concurrency-management-in-ism_cmd.patch. - commit e8175f3 - ext4: remove writable userspace mappings before truncating page cache (bsc#1247223). - commit afc4afd - rpm: Configure KABI checkingness macro (bsc#1249186) The value of the config should match presence of KABI reference data. If it mismatches: - !CONFIG &amp; reference -&gt; this is bug, immediate fail - CONFIG &amp; no reference -&gt; OK temporarily, must be resolved eventually - commit 23c1536 - Kconfig.suse: Add KABI checkiness macro (config) (bsc#1249186) The motivation: there are patches.kabi/ patches that restore KABI and they check validity of the approach with static_assert()s to prevent accidental KABI breakage. These asserts are invoked on each arch-flavor and they may signal false negatives -- that is KABI restoration patch could break KABI but the given arch-flavor defines no KABI. The intended use is to disable the compile time checks in patches.kabi/ (but not to be confused with __GENKSYMS__ that affects how reference is calculated). The name is chosen so that it mimics HAVE_* macros that are not configured manually (but is selected by an arch). In our case it's (un)selected by build script depending on whether KABI reference is defined for given arch-flavor and whether check is really requested by the user. Default value is 'n' so that people building merely via Makefile (not RPM with KABI checking) obtain consistent config. - commit 5e4e9c5 - s390/pci: Allow automatic recovery with minimal driver support (git-fixes bsc#1248734 LTC#214880). - commit 3fdd470 - btrfs: fix data overwriting bug during buffered write when block size &lt; page size (git-fixes). - commit d006c37 - btrfs: make found_logical_ret parameter mandatory for function queue_scrub_stripe() (git-fixes). - commit da7f7f5 - btrfs: scrub: fix grouping of read IO (git-fixes). - commit bd555d2 - btrfs: scrub: avoid unnecessary csum tree search preparing stripes (git-fixes). - commit d485678 - btrfs: scrub: avoid unnecessary extent tree search preparing stripes (git-fixes). - commit a00c933 - btrfs: scrub: remove scrub_ctx::csum_list member (git-fixes). - commit fa7dbad - gfs2: No more self recovery (bsc#1248639 CVE-2025-38659). - gfs2: Get rid of gfs2_glock_queue_put in signal_our_withdraw (bsc#1248639 CVE-2025-38659). - commit bdb1b5c - s390/ism: fix concurrency management in ism_cmd() (git-fixes bsc#1248735). - commit 1005186 - usb: xhci: Apply the link chain quirk on NEC isoc endpoints (CVE-2025-22022 bsc#1241292). - commit 8a5182c - usb: xhci: move link chain bit quirk checks into one helper function (CVE-2025-22022 bsc#1241292). - commit 4cca94b - nvme-pci: try function level reset on init failure (git-fixes). - commit 1ee35d9 - ice: Fix a null pointer dereference in ice_copy_and_init_pkg() (CVE-2025-38664 bsc#1248628). - commit 7e27b08 - s390/hypfs: Enable limited access during lockdown (git-fixes bsc#1248733 LTC#214881). - s390/hypfs: Avoid unnecessary ioctl registration in debugfs (git-fixes bsc#1248733 LTC#214881). - commit 97ff25b - HID: core: Harden s32ton() against conversion to 0 bits (CVE-2025-38556 bsc#1248296) - commit 1097818 - rxrpc: Fix bug due to prealloc collision (CVE-2025-38544 bsc#1248225) - commit bc50a3d - net: libwx: fix the using of Rx buffer DMA (CVE-2025-38533 bsc#1248200) - commit 8863383 - ice: add NULL check in eswitch lag check (CVE-2025-38526 bsc#1248192) - commit 7ad8c40 - rxrpc: Fix oops due to non-existence of prealloc backlog struct (CVE-2025-38514 bsc#1248202) - commit 4ea1963 - idpf: return 0 size for RSS key if not supported (CVE-2025-38402 bsc#1247262) - commit 1ca20ce - remoteproc: core: Release rproc-&gt;clean_table after rproc_attach() fails (CVE-2025-38418 bsc#1247137) - commit 14c64f1 - remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() (CVE-2025-38419 bsc#1247136) - commit 7e69a49 - genirq/irq_sim: Initialize work context pointers properly (CVE-2025-38408 bsc#1247126) - commit a8d685c - ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() (CVE-2025-38456 bsc#1247099) - commit 8a59cf2 - bcache: fix NULL pointer in cache_set_flush() (CVE-2025-38263 bsc#1246248) - commit d6d8f29 - Update reference in patches.suse/lib-group_cpus-fix-NULL-pointer-dereference-from-gro.patch (CVE-2025-38255 bsc#1246190 bsc#1236897) - commit 0bab045 - staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() (CVE-2025-38585 bsc#1248355). - commit f7d8b23 - vsock: Do not allow binding to VMADDR_PORT_ANY (bsc#1248511 CVE-2025-38618). - commit 0256bd0 - RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (git-fixes) - commit 5289b12 - RDMA/core: reduce stack using in nldev_stat_get_doit() (git-fixes) - commit 1ff622a - KVM: Allow CPU to reschedule while setting per-page memory attributes (bsc#1248186 CVE-2025-38506). - commit a7f8a41 - slab: Decouple slab_debug and no_hash_pointers (bsc#1249022). - commit 41f928f - RAS/AMD/FMPM: Use atl internal.h for INVALID_SPA (bsc#1242034). - commit ac5d9dc - RAS/AMD/FMPM: Get masked address (bsc#1242034). - commit 4171987 - RAS/AMD/ATL: Include row bit in row retirement (bsc#1242034). - commit fa3fcbb - Update patches.suse/Bluetooth-btnxpuart-Resolve-TX-timeout-error-in-powe.patch (bsc#1230557 CVE-2024-58238 bsc#1242754). - Update patches.suse/HID-quirks-Add-quirk-for-2-Chicony-Electronics-HP-5M.patch (stable-fixes CVE-2025-38540 bsc#1248208). - Update patches.suse/PCI-pnv_php-Clean-up-allocated-IRQs-on-unplug.patch (bsc#1215199 CVE-2025-38624 bsc#1248617). - Update patches.suse/PM-devfreq-Check-governor-before-using-governor-name.patch (git-fixes CVE-2025-38609 bsc#1248337). - Update patches.suse/RDMA-hns-Fix-double-destruction-of-rsv_qp.patch (git-fixes CVE-2025-38582 bsc#1248349). - Update patches.suse/arm64-entry-Mask-DAIF-in-cpu_switch_to-call_on_irq_stack.patch (git-fixes CVE-2025-38670 bsc#1248655). - Update patches.suse/btrfs-fix-assertion-when-building-free-space-tree.patch (git-fixes CVE-2025-38503 bsc#1248183). - Update patches.suse/can-netlink-can_changelink-fix-NULL-pointer-deref-of.patch (git-fixes CVE-2025-38665 bsc#1248648). - Update patches.suse/clk-davinci-Add-NULL-check-in-davinci_lpsc_clk_regis.patch (git-fixes CVE-2025-38635 bsc#1248573). - Update patches.suse/clk-xilinx-vcu-unregister-pll_post-only-if-registere.patch (git-fixes CVE-2025-38583 bsc#1248350). - Update patches.suse/comedi-aio_iiro_16-Fix-bit-shift-out-of-bounds.patch (git-fixes CVE-2025-38529 bsc#1248196). - Update patches.suse/comedi-pcl812-Fix-bit-shift-out-of-bounds.patch (git-fixes CVE-2025-38530 bsc#1248206). - Update patches.suse/crypto-ccp-Fix-crash-when-rebind-ccp-device-for-ccp..patch (git-fixes CVE-2025-38581 bsc#1248345). - Update patches.suse/dmaengine-nbpfaxi-Fix-memory-corruption-in-probe.patch (git-fixes CVE-2025-38538 bsc#1248213). - Update patches.suse/drm-amd-display-Fix-vs-typos.patch (git-fixes CVE-2024-26661 bsc#1222323). - Update patches.suse/drm-sched-Increment-job-count-before-swapping-tail-s.patch (git-fixes CVE-2025-38515 bsc#1248212). - Update patches.suse/drm-tegra-nvdec-Fix-dma_alloc_coherent-error-check.patch (git-fixes CVE-2025-38543 bsc#1248214). - Update patches.suse/fbdev-imxfb-Check-fb_add_videomode-to-prevent-null-p.patch (git-fixes CVE-2025-38630 bsc#1248575). - Update patches.suse/hfsplus-remove-mutex_lock-check-in-hfsplus_free_extents.patch (git-fixes CVE-2025-38650 bsc#1248746). - Update patches.suse/hwmon-corsair-cpro-Validate-the-size-of-the-received.patch (git-fixes CVE-2025-38548 bsc#1248228). - Update patches.suse/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch (git-fixes CVE-2025-38671 bsc#1248652). - Update patches.suse/ipv6-fix-possible-infinite-loop-in-fib6_info_uses_de.patch (git-fixes CVE-2025-38587 bsc#1248361). - Update patches.suse/ipv6-mcast-Delay-put-pmc-idev-in-mld_del_delrec.patch (git-fixes CVE-2025-38550 bsc#1248227). - Update patches.suse/ipv6-prevent-infinite-loop-in-rt6_nlmsg_size.patch (git-fixes CVE-2025-38588 bsc#1248368). - Update patches.suse/ipv6-reject-malicious-packets-in-ipv6_gso_segment.patch (git-fixes CVE-2025-38572 bsc#1248399). - Update patches.suse/iwlwifi-Add-missing-check-for-alloc_ordered_workqueu.patch (git-fixes CVE-2025-38602 bsc#1248341). - Update patches.suse/kasan-remove-kasan_find_vm_area-to-prevent-possible-.patch (git-fixes CVE-2025-38510 bsc#1248166). - Update patches.suse/ksmbd-fix-out-of-bounds-read-in-smb2_sess_setup.patch (bsc#1012628 bsc#1213545 CVE-2023-3867). - Update patches.suse/ksmbd-fix-wrong-next-length-validation-of-ea-b.patch (bsc#1012628 CVE-2023-4130 bsc#1248164). - Update patches.suse/ksmbd-validate-command-request-size.patch (bsc#1012628 CVE-2023-4515 bsc#1248180). - Update patches.suse/md-make-rdev_addable-usable-for-rcu-mode.patch (git-fixes CVE-2025-38621 bsc#1248609). - Update patches.suse/net-packet-fix-a-race-in-packet_set_ring-and-packet_.patch (git-fixes CVE-2025-38617 bsc#1248621). - Update patches.suse/net-phy-Don-t-register-LEDs-for-genphy.patch (git-fixes CVE-2025-38537 bsc#1248229). - Update patches.suse/net-sched-Restrict-conditions-for-adding-duplicating.patch (git-fixes CVE-2025-38553 bsc#1248255). - Update patches.suse/net-sched-mqprio-fix-stack-out-of-bounds-write-in-tc.patch (git-fixes CVE-2025-38568 bsc#1248386). - Update patches.suse/nilfs2-reject-invalid-file-types-when-reading-inodes.patch (git-fixes CVE-2025-38663 bsc#1248636). - Update patches.suse/perf-core-Exit-early-on-perf_mmap-fail.patch (CVE-2025-38563 bsc#1248306 dependency CVE-2025-38565 bsc#1248377). - Update patches.suse/phy-tegra-xusb-Fix-unbalanced-regulator-disable-in-U.patch (git-fixes CVE-2025-38535 bsc#1248240). - Update patches.suse/pinctrl-qcom-msm-mark-certain-pins-as-invalid-for-in.patch (git-fixes CVE-2025-38516 bsc#1248209). - Update patches.suse/pinmux-fix-race-causing-mux_owner-NULL-with-active-m.patch (git-fixes CVE-2025-38632 bsc#1248669). - Update patches.suse/power-supply-cpcap-charger-Fix-null-check-for-power_.patch (git-fixes CVE-2025-38634 bsc#1248666). - Update patches.suse/powercap-dtpm_cpu-Fix-NULL-pointer-dereference-in-ge.patch (git-fixes CVE-2025-38610 bsc#1248395). - Update patches.suse/powerpc-eeh-Make-EEH-driver-device-hotplug-safe.patch (bsc#1215199 CVE-2025-38576 bsc#1248354). - Update patches.suse/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch (git-fixes CVE-2025-38612 bsc#1248390). - Update patches.suse/sunrpc-fix-client-side-handling-of-tls-alerts.patch (git-fixes CVE-2025-38571 bsc#1248401). - Update patches.suse/sunrpc-fix-handling-of-server-side-tls-alerts.patch (git-fixes CVE-2025-38566 bsc#1248374). - Update patches.suse/tls-stop-recv-if-initial-process_rx_list-gave-us-non.patch (bsc#1221858 CVE-2024-58239 bsc#1248614). - Update patches.suse/usb-gadget-fix-use-after-free-in-composite_dev_clean.patch (git-fixes CVE-2025-38555 bsc#1248297). - Update patches.suse/wifi-ath11k-clear-initialized-flag-for-deinit-ed-srn.patch (git-fixes CVE-2025-38601 bsc#1248340). - Update patches.suse/wifi-iwlwifi-Fix-error-code-in-iwl_op_mode_dvm_start.patch (git-fixes CVE-2025-38656 bsc#1248643). - Update patches.suse/wifi-mac80211-reject-TDLS-operations-when-station-is.patch (git-fixes CVE-2025-38644 bsc#1248748). - Update patches.suse/wifi-mt76-mt7925-Fix-null-ptr-deref-in-mt7925_therma.patch (git-fixes CVE-2025-38541 bsc#1248216). - Update patches.suse/wifi-prevent-A-MSDU-attacks-in-mesh-networks.patch (stable-fixes CVE-2025-38512 bsc#1248178). - Update patches.suse/wifi-rtl818x-Kill-URBs-before-clearing-tx-status-que.patch (git-fixes CVE-2025-38604 bsc#1248333). - Update patches.suse/wifi-rtw89-avoid-NULL-dereference-when-RX-problemati.patch (git-fixes CVE-2025-38646 bsc#1248577). - Update patches.suse/wifi-zd1211rw-Fix-potential-NULL-pointer-dereference.patch (git-fixes CVE-2025-38513 bsc#1248179). - commit efc5ee0 - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (git-fixes). - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (git-fixes). - drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv (git-fixes). - drm/msm/kms: move snapshot init earlier in KMS init (git-fixes). - drm/msm: Defer fd_install in SUBMIT ioctl (git-fixes). - drm/nouveau: remove unused memory target test (git-fixes). - drm/nouveau: remove unused increment in gm200_flcn_pio_imem_wr (git-fixes). - drm/nouveau: fix error path in nvkm_gsp_fwsec_v2 (git-fixes). - drm/nouveau/disp: Always accept linear modifier (git-fixes). - mISDN: hfcpci: Fix warning when deleting uninitialized timer (git-fixes). - Bluetooth: hci_sync: fix set_local_name race condition (git-fixes). - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced (git-fixes). - Bluetooth: hci_event: Mark connection as closed during suspend disconnect (git-fixes). - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success (git-fixes). - commit f54cbc7 - clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (CVE-2025-38160 bsc#1245780) - commit f8670f7 - tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (CVE-2025-38184 bsc#1245956) - commit 263759a - drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 (CVE-2025-38205 bsc#1246005) - commit e09f72d - smb: client: add NULL check in automount_fullpath (CVE-2025-38208 bsc#1245815) - commit 04d79fb - net: stmmac: make sure that ptp_rate is not 0 before configuring EST (CVE-2025-38125 bsc#1245710) - commit 0fcfa4f - pNFS: Fix disk addr range check in block/scsi layout (git-fixes). - commit c36ff17 - pNFS: Fix stripe mapping in block/scsi layout (git-fixes). - commit 5bf6a36 - pNFS: Handle RPC size limit for layoutcommits (git-fixes). - commit 36dee9f - pNFS: Fix uninited ptr deref in block/scsi layout (git-fixes). - commit 8d7a7ee - jfs: truncate good inode pages when hard link is 0 (git-fixes). - commit 7e762b7 - jfs: Regular file corruption check (git-fixes). - commit 4f3d801 - jfs: upper bound check of tree index in dbAllocAG (git-fixes). - commit 997ac87 - hfs: fix slab-out-of-bounds in hfs_bnode_read() (git-fixes). - commit 1ea8ac2 - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (git-fixes). - commit 34d35cb - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (git-fixes). - commit 07b3674 - hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() (git-fixes). - commit edddb1c - hfs: fix not erasing deleted b-tree node issue (git-fixes). - commit 9b06f84 - fs/orangefs: use snprintf() instead of sprintf() (git-fixes). - commit 9e05c62 - exfat: add cluster chain loop check for dir (git-fixes). - commit 50f0877 - drm/amdkfd: Don't call mmput from MMU notifier callback (bsc#1248217 CVE-2025-38520) - commit c848230 - kernel-binary: Another installation ordering fix (bsc#1241353). - commit fe14ab5 - drm/amdgpu: fix task hang from failed job submission during process kill (git-fixes). - commit 6aefbfc - usb: dwc3: Remove WARN_ON for device endpoint command timeouts (stable-fixes). - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles (stable-fixes). - usb: dwc3: pci: add support for the Intel Wildcat Lake (stable-fixes). - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera (stable-fixes). - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive (stable-fixes). - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 (stable-fixes). - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe (stable-fixes). - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition (stable-fixes). - watchdog: dw_wdt: Fix default timeout (stable-fixes). - watchdog: iTCO_wdt: Report error if timeout configuration fails (stable-fixes). - soundwire: amd: serialize amd manager resume sequence during pm_prepare (stable-fixes). - power: supply: qcom_battmgr: Add lithium-polymer entry (stable-fixes). - pwm: mediatek: Fix duty and period setting (git-fixes). - pwm: mediatek: Handle hardware enable and clock enable separately (stable-fixes). - wifi: ath12k: Correct tid cleanup when tid setup fails (stable-fixes). - wifi: ath12k: Add memset and update default rate value in wmi tx completion (stable-fixes). - wifi: cfg80211: reject HTC bit for management frames (stable-fixes). - wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB (stable-fixes). - wifi: rtw89: Fix rtw89_mac_power_switch() for USB (stable-fixes). - wifi: rtw89: Disable deep power saving for USB/SDIO (stable-fixes). - wifi: iwlwifi: mvm: set gtk id also in older FWs (stable-fixes). - wifi: iwlwifi: mvm: fix scan request validation (stable-fixes). - wifi: cfg80211: Fix interface type validation (stable-fixes). - wifi: mac80211: don't complete management TX on SAE commit (stable-fixes). - wifi: mac80211: fix rx link assignment for non-MLO stations (stable-fixes). - wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch (stable-fixes). - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() (stable-fixes). - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` (stable-fixes). - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() (stable-fixes). - wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 (stable-fixes). - wifi: ath12k: Decrement TID on RX peer frag setup error handling (stable-fixes). - wifi: mac80211: update radar_required in channel context after channel switch (stable-fixes). - wifi: iwlegacy: Check rate_idx range after addition (stable-fixes). - reset: brcmstb: Enable reset drivers for ARCH_BCM2835 (stable-fixes). - usb: xhci: print xhci-&gt;xhc_state when queue_command failed (stable-fixes). - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default (stable-fixes). - usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command (stable-fixes). - usb: xhci: Avoid showing warnings for dying controller (stable-fixes). - usb: xhci: Avoid showing errors during surprise removal (stable-fixes). - usb: core: config: Prevent OOB read in SS endpoint companion parsing (stable-fixes). - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present (stable-fixes). - usb: core: usb_submit_urb: downgrade type check (stable-fixes). - thermal: sysfs: Return ENODATA instead of EAGAIN for reads (stable-fixes). - thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required (stable-fixes). - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() (stable-fixes). - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() (stable-fixes). - PM: sleep: console: Fix the black screen issue (stable-fixes). - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() (stable-fixes). - commit 3e165bb - net: phy: smsc: add proper reset flags for LAN8710A (stable-fixes). - pinctrl: stm32: Manage irq affinity settings (stable-fixes). - phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal (stable-fixes). - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control (stable-fixes). - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt (stable-fixes). - media: tc358743: Check I2C succeeded during probe (stable-fixes). - media: tc358743: Increase FIFO trigger level to 374 (stable-fixes). - media: usb: hdpvr: disable zero-length read messages (stable-fixes). - net: phy: micrel: Add ksz9131_resume() (stable-fixes). - net: thunderbolt: Enable end-to-end flow control also in transmit (stable-fixes). - net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() (stable-fixes). - mmc: sdhci-msm: Ensure SD card power isn't ON when card removed (stable-fixes). - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() (stable-fixes). - mei: bus: Check for still connected devices in mei_cl_bus_dev_release() (stable-fixes). - platform/chrome: cros_ec_typec: Defer probe on missing EC parent (stable-fixes). - platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list (stable-fixes). - commit 49985d1 - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() (git-fixes). - ipmi: Use dev_warn_ratelimited() for incorrect message warnings (stable-fixes). - ipmi: Fix strcpy source and destination the same (stable-fixes). - i2c: Force DLL0945 touchpad i2c freq to 100khz (stable-fixes). - i3c: don't fail if GETHDRCAP is unsupported (stable-fixes). - i3c: master: Initialize ret in i3c_i2c_notifier_call() (stable-fixes). - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state (stable-fixes). - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (stable-fixes). - media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (stable-fixes). - media: uvcvideo: Fix bandwidth issue for Alcor camera (stable-fixes). - leds: leds-lp50xx: Handle reg to get correct multi_index (stable-fixes). - iio: adc: ad_sigma_delta: don't overallocate scan buffer (stable-fixes). - iio: imu: inv_icm42600: use = { } instead of memset() (stable-fixes). - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement (stable-fixes). - gpio: wcd934x: check the return value of regmap_update_bits() (stable-fixes). - gpio: tps65912: check the return value of regmap_update_bits() (stable-fixes). - iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 (stable-fixes). - commit cf6f726 - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 (stable-fixes). - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs (stable-fixes). - drm/amd/display: Avoid a NULL pointer dereference (stable-fixes). - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq (stable-fixes). - drm/amd/display: Add primary plane to commits for correct VRR handling (stable-fixes). - drm/amdgpu: update mmhub 3.0.1 client id mappings (stable-fixes). - drm/amd: Restore cached power limit during resume (stable-fixes). - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit (stable-fixes). - fbdev: fix potential buffer overflow in do_register_framebuffer() (stable-fixes). - drm/amd/display: Only finalize atomic_obj if it was initialized (stable-fixes). - drm/amd/display: Avoid configuring PSR granularity if PSR-SU not supported (stable-fixes). - drm/amdgpu: Avoid extra evict-restore process (stable-fixes). - crypto: hisilicon/hpre - fix dma unmap sequence (stable-fixes). - crypto: jitter - fix intermediary handling (stable-fixes). - crypto: qat - lower priority for skcipher and aead algorithms (stable-fixes). - crypto: octeontx2 - add timeout for load_fvc completion poll (stable-fixes). - drm/msm: use trylock for debugfs (stable-fixes). - drm/amd/display: Separate set_gsl from set_gsl_source_select (stable-fixes). - drm/amd/display: Fix 'failed to blank crtc!' (stable-fixes). - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual (stable-fixes). - drm/amd/display: Avoid trying AUX transactions on disconnected ports (stable-fixes). - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS (stable-fixes). - drm/ttm: Should to return the evict error (stable-fixes). - drm/ttm: Respect the shrinker core free target (stable-fixes). - et131x: Add missing check after DMA map (stable-fixes). - comedi: fix race between polling and detaching (git-fixes). - char: misc: Fix improper and inaccurate error code returned by misc_init() (stable-fixes). - commit adab316 - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 (stable-fixes). - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X (stable-fixes). - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks (stable-fixes). - ASoC: Intel: avs: Fix uninitialized pointer error in probe() (stable-fixes). - Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() (stable-fixes). - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed (stable-fixes). - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection (stable-fixes). - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (stable-fixes). - ASoC: codecs: rt5640: Retry DEVICE_ID verification (stable-fixes). - commit c1f1889 - ALSA: hda: Handle the jack polling always via a work (stable-fixes). - ALSA: hda: Disable jack polling at shutdown (stable-fixes). - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 (stable-fixes). - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (stable-fixes). - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop (stable-fixes). - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros (stable-fixes). - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (stable-fixes). - ACPI: processor: fix acpi_object initialization (stable-fixes). - commit d6d6e01 - xfrm: interface: fix use-after-free after changing collect_md xfrm interface (CVE-2025-38500 bsc#1248088). - rxrpc: Fix recv-recv race of completed call (CVE-2025-38524 bsc#1248194). - atm: clip: Fix memory leak of struct clip_vcc (CVE-2025-38546 bsc#1248223). - commit 57cffb2 - x86/sev: Evict cache lines during SNP memory validation (CVE-2025-38560 bsc#1248312). - commit 0d489ec - hid: hide cleanup of hid_descriptor (CVE-2025-38103 bsc#1245663). - commit 58f3abc - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (CVE-2025-38103 bsc#1245663). - blacklist.conf: removed erroneous entry - commit 5f4ef22 - rpm/config.sh: Update Leap project - commit 20eb23b - selftests/perf_events: Add a mmap() correctness test (CVE-2025-38563 bsc#1248306 selftest). - commit 919a844 - bpf: fix kfunc btf caching for modules (git-fixes). - commit 5ae4aa5 - perf/core: Prevent VMA split of buffer mappings (CVE-2025-38563 bsc#1248306). - commit d1daec3 - perf/core: Exit early on perf_mmap() fail (CVE-2025-38563 bsc#1248306 dependency). - commit 4deadd8 - perf/core: Don't leak AUX buffer refcount on allocation failure (CVE-2025-38563 bsc#1248306 dependency). - commit d26658d - bpf: use kvzmalloc to allocate BPF verifier environment (git-fixes). - commit fd28e75 - selftests/bpf: Verify that sync_linked_regs preserves subreg_def (bsc#1234156 CVE-2024-53125). - commit cee135e - samples/bpf: Fix compilation errors with cf-protection option (git-fixes). - commit 388c9e8 - selftests/bpf: fexit_sleep: Fix stack allocation for arm64 (git-fixes). - commit 2d627c6 - Update config files. No functional change, this is only refresh to have configs in sync with Kconfig. - commit 1943697 - Refresh patches.kabi/bpf-bpf_link-and-bpf_link_ops-kABI-workaround.patch. - Refresh patches.kabi/kabi-hide-new-member-fallback_lock-in-struct-mptcp_s.patch. - Refresh patches.kabi/kabi-restore-layout-of-struct-mem_control.patch. - Refresh patches.kabi/kabi-restore-layout-of-struct-page_counter.patch. - Refresh patches.kabi/kabi-s390-ism-fix-concurrency-management-in-ism_cmd.patch - Refresh patches.kabi/xsk-Fix-race-condition-in-AF_XDP-generic-RX-path.patch. Manual adjustment of guards in KABI workaround patches -- we do not need specific conditioning thanks to new macro that is engaged iff needed. - commit f47a39f - build_bug.h: Add KABI assert (bsc#1249186). - commit 7ab6a56 - iio: common: st_sensors: Fix use of uninitialize device structs (CVE-2025-38531 bsc#1248205). - commit 2739cf9 - usb: xhci: Fix slot_id resource race conflict (git-fixes). - commit 40d11e8 - usb: dwc3: fix fault at system suspend if device was already runtime suspended (git-fixes). - commit 03244f6 - usb: dwc3: core: Fix system suspend on TI AM62 platforms (git-fixes). - commit ae2a72e - pinctrl: STMFX: add missing HAS_IOMEM dependency (git-fixes). - most: core: Drop device reference after usage in get_channel() (git-fixes). - usb: storage: realtek_cr: Use correct byte order for bcs-&gt;Residue (git-fixes). - usb: dwc3: Ignore late xferNotReady event to prevent halt timeout (git-fixes). - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test (git-fixes). - usb: renesas-xhci: Fix External ROM access timeouts (git-fixes). - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency (git-fixes). - commit f954d9b - iio: proximity: isl29501: fix buffered read on big-endian systems (git-fixes). - comedi: Make insn_rw_emulate_bits() do insn-&gt;n samples (git-fixes). - comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() (git-fixes). - comedi: pcl726: Prevent invalid irq number (git-fixes). - cdx: Fix off-by-one error in cdx_rpmsg_probe() (git-fixes). - drm/hisilicon/hibmc: fix the hibmc loaded failed bug (git-fixes). - iosys-map: Fix undefined behavior in iosys_map_clear() (git-fixes). - drm/nouveau: fix typos in comments (git-fixes). - drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor() (git-fixes). - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 (git-fixes). - drm/amd/display: Adjust DCE 8-10 clock, don't overclock by 15% (git-fixes). - drm/amd/display: Don't overclock DCE 6 by 15% (git-fixes). - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() (git-fixes). - memstick: Fix deadlock by moving removing flag earlier (git-fixes). - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation (git-fixes). - ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (git-fixes). - ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 (git-fixes). - ALSA: usb-audio: Fix size validation in convert_chmap_v3() (git-fixes). - commit 0a99e72 - bpf: Reject narrower access to pointer ctx fields (bsc#1248363 CVE-2025-38591). - commit 2a67c58 - md: make rdev_addable usable for rcu mode (git-fixes). - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately (git-fixes). - scsi: Revert &quot;scsi: iscsi: Fix HW conn removal use after free&quot; (git-fixes). - scsi: mpt3sas: Fix a fw_event memory leak (git-fixes). - scsi: isci: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mvsas: Fix dma_unmap_sg() nents value (git-fixes). - scsi: elx: efct: Fix dma_unmap_sg() nents value (git-fixes). - scsi: core: Fix kernel doc for scsi_track_queue_full() (git-fixes). - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value (git-fixes). - scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems (git-fixes). - scsi: mpi3mr: Fix race between config read submit and interrupt completion (git-fixes). - scsi: mpi3mr: Fix kernel-doc issues in mpi3mr_app.c (git-fixes). - sunvdc: Balance device refcount in vdc_port_mpgroup_check (git-fixes). - md: allow removing faulty rdev during resync (git-fixes). - block: mtip32xx: Fix usage of dma_map_sg() (git-fixes). - ublk: use vmalloc for ublk_device's __queues (git-fixes). - loop: use kiocb helpers to fix lockdep warning (git-fixes). - block: fix kobject leak in blk_unregister_queue (git-fixes). - md/raid1,raid10: strip REQ_NOWAIT from member bios (git-fixes). - ublk: sanity check add_dev input for underflow (git-fixes). - aoe: defer rexmit timer downdev work to workqueue (git-fixes). - commit e0823df - clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (CVE-2025-38499 bsc#1247976) - commit a7416f7 - atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (CVE-2025-38458 bsc#1247116) - commit 17419dc - atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister() (CVE-2025-38245 bsc#1246193) - commit c9503c1 - btrfs: fix adding block group to a reclaim list and the unused list during reclaim (git-fixes). - btrfs: retry block group reclaim without infinite loop (git-fixes). - commit 0a86fac - btrfs: fix bitmap leak when loading free space cache on duplicate entry (git-fixes). - commit 72cd329 - btrfs: run delayed iputs when flushing delalloc (git-fixes). - btrfs: update target inode's ctime on unlink (git-fixes). - commit 8eb6c44 - btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents() (git-fixes). - commit 04c28bf - squashfs: fix memory leak in squashfs_fill_super (git-fixes). - commit 7c9f4fd - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling (git-fixes). - commit 0d7a95c - btrfs: correctly escape subvol in btrfs_show_options() (git-fixes). - commit 8ae9b3b - atm: Revert atm_account_tx() if copy_from_iter_full() fails (CVE-2025-38190 bsc#1245973) - commit ee168d7 - atm: atmtcp: Free invalid length skb in atmtcp_c_send() (CVE-2025-38185 bsc#1246012) - commit 3034c5a - md/raid1: Fix stack memory use after return in raid1_reshape (CVE-2025-38445 bsc#1247229) - commit c07b722 - bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (bsc#1248338 CVE-2025-38608). - commit 70a5de5 - RDMA/hns: Fix dip entries leak on devices newer than hip09 (git-fixes) - commit b03653b - RDMA/bnxt_re: Fix to initialize the PBL array (git-fixes) - commit 99342e6 - RDMA/bnxt_re: Fix a possible memory leak in the driver (git-fixes) - commit d8fc453 - RDMA/bnxt_re: Fix to remove workload check in SRQ limit path (git-fixes) - commit d6073c4 - RDMA/bnxt_re: Fix to do SRQ armena by default (git-fixes) - commit 43a4c91 - RDMA/erdma: Fix ignored return value of init_kernel_qp (git-fixes) - commit 184f89d - atm: clip: Fix infinite recursive call of clip_push() (CVE-2025-38459 bsc#1247119) - commit cace503 - atm: clip: prevent NULL deref in clip_push() (CVE-2025-38251 bsc#1246181) - commit 955d194 - bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (CVE-2025-38439 bsc#1247155) - commit fad3d81 - ACPI: pfr_update: Fix the driver update version check (git-fixes). - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization (git-fixes). - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() (git-fixes). - Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established (git-fixes). - commit 5ef3e7e - raid10: cleanup memleak at raid10_make_request (CVE-2025-38444 bsc#1247162) - commit 08daebe - net: openvswitch: Fix the dead loop of MPLS parse (CVE-2025-38146 bsc#1245767). - commit 2d16fb7 - Update patches.kabi/kabi-hide-new-member-fallback_lock-in-struct-mptcp_s.patch. Perform the build time check that struct mptcp_sock layout only when CONFIG_SUSE_KERNEL_SUPPORTED is enabled. Some kernel-debug builds do not have the hole we rely on in the kabi hack. (But those do not have to preserve kABI so that we can simply disable the check.) - commit 21df537 - kabi: hide new member fallback_lock in struct mptcp_sock (CVE-2025-38491 bsc#1247280). - mptcp: make fallback action and fallback decision atomic (CVE-2025-38491 bsc#1247280). - mptcp: safety check before fallback (CVE-2025-38491 bsc#1247280). - mptcp: reset when MPTCP opts are dropped after join (git-fixes). - mptcp: fallback when MPTCP opts are dropped after 1st data (git-fixes). - commit 7bb090d - tipc: Fix use-after-free in tipc_conn_close() (CVE-2025-38464 bsc#1247112). - commit 7a2a262 - x86/vmscape: Warn when STIBP is disabled with SMT (bsc#1247483 CVE-2025-40300). - commit 25dd084 - x86/bugs: Move cpu_bugs_smt_update() down (bsc#1247483 CVE-2025-40300). - commit 4b9a38a - x86/vmscape: Enable the mitigation (bsc#1247483 CVE-2025-40300). - Update config files. - commit 2ae4103 - bpf: Reject %p% format string in bprintf-like helpers (bsc#1248198 CVE-2025-38528). - commit b8830ae - md/md-cluster: handle REMOVE message earlier (bsc#1247057). - commit b9c1ff5 - scsi: target: iscsi: Fix timeout on deleted connection (CVE-2025-38075 bsc#1244734) - commit 9bfd228 - net: mctp: Don't access ifa_index when missing (CVE-2025-38006 bsc#1244930) - commit d0d056e - netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (CVE-2025-38201 bsc#1245977). - commit 2f63881 - netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() (CVE-2025-38441 bsc#1247167). - commit 0a2f320 - netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (CVE-2025-38472 bsc#1247313). - commit 1779cac - x86/vmscape: Add conditional IBPB mitigation (bsc#1247483 CVE-2025-40300). - commit 80ca68e - x86/vmscape: Enumerate VMSCAPE bug (bsc#1247483 CVE-2025-40300). - commit ed3190c - Documentation/hw-vuln: Add VMSCAPE documentation (bsc#1247483 CVE-2025-40300). - commit 9b7d62a - powerpc/kernel: Fix ppc_save_regs inclusion in build (bsc#1215199). - powerpc: do not build ppc_save_regs.o always (bsc#1215199). - commit 3402e7e - powerpc/eeh: Make EEH driver device hotplug safe (bsc#1215199). - powerpc/eeh: Export eeh_unfreeze_pe() (bsc#1215199). - PCI: pnv_php: Work around switches with broken presence detection (bsc#1215199). - PCI: pnv_php: Clean up allocated IRQs on unplug (bsc#1215199). - arch/powerpc: Remove .interp section in vmlinux (bsc#1215199). - powerpc/eeh: Rely on dev-&gt;link_active_reporting (bsc#1215199). - commit 0bddfac - ata: libata-scsi: Fix CDL control (git-fixes). - commit c04f51b - drm/amdgpu: fix incorrect vm flags to map bo (git-fixes). - ALSA: usb-audio: Validate UAC3 cluster segment descriptors (git-fixes). - ALSA: usb-audio: Validate UAC3 power domain descriptors, too (git-fixes). - gpio: mlxbf3: use platform_get_irq_optional() (git-fixes). - Revert &quot;gpio: mlxbf3: only get IRQ for device instance 0&quot; (git-fixes). - soc/tegra: pmc: Ensure power-domains are in a known state (git-fixes). - phy: mscc: Fix parsing of unicast frames (git-fixes). - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() (git-fixes). - selftests: rtnetlink.sh: remove esp4_offload after test (git-fixes). - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano (stable-fixes). - kselftest/arm64: Fix check for setting new VLs in sve-ptrace (git-fixes). - selftests: Fix errno checking in syscall_user_dispatch test (git-fixes). - selftests/tracing: Fix false failure of subsystem event test (git-fixes). - USB: serial: option: add Foxconn T99W709 (stable-fixes). - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx (stable-fixes). - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx (stable-fixes). - ASoC: Intel: fix SND_SOC_SOF dependencies (stable-fixes). - ASoC: amd: yc: add DMI quirk for ASUS M6501RM (stable-fixes). - commit 19adc9d - net: usb: asix_devices: add phy_mask for ax88772 mdio bus (git-fixes). - commit 206e9eb - ACPI: processor: perflib: Move problematic pr-&gt;performance check (git-fixes). - commit 742e4e7 - btrfs: fix the length of reserved qgroup to free (bsc#1240708) - commit e3e4e05 - btrfs: fix qgroup reserve leaks in cow_file_range (CVE-2024-46733 bsc#1230708) - commit 20ff141 - Move pesign-obs-integration requirement from kernel-syms to kernel devel subpackage (bsc#1248108). - commit e707e41 - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (git-fixes) - commit bf13671 - arm64: dts: imx8mm-venice-gw7904: Increase HS400 USDHC clock speed (git-fixes) - commit 246a69b - arm64: dts: imx8mm-venice-gw7903: Increase HS400 USDHC clock speed (git-fixes) - commit 4fac981 - arm64: dts: imx8mn-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - commit 9beeb6d - arm64: dts: imx8mm-venice-gw7902: Increase HS400 USDHC clock speed (git-fixes) - commit 173d0a1 - PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining (git-fixes). - PCI: rockchip: Use standard PCIe definitions (git-fixes). - PCI: imx6: Delay link start until configfs 'start' written (git-fixes). - PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset (git-fixes). - PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features (git-fixes). - PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge (git-fixes). - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - kABI: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports (git-fixes). - PCI: Support Immediate Readiness on devices without PM capabilities (git-fixes). - PCI: apple: Fix missing OF node reference in apple_pcie_setup_port (git-fixes). - PCI: Add ACS quirk for Loongson PCIe (git-fixes). - commit e24dcd6 - arm64: dts: imx8mm-venice-gw7901: Increase HS400 USDHC clock speed (git-fixes) - commit 271991a - arm64: dts: imx8mm-venice-gw700x: Increase HS400 USDHC clock speed (git-fixes) - commit b77d1e0 - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed (git-fixes) - commit 3cbe1cf - arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed (git-fixes) - commit 6d0adbc - arm64: dts: rockchip: fix endpoint dtc warning for PX30 ISP (git-fixes) - commit d8b8e5c - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() (git-fixes) - commit 81dc70d - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on (git-fixes) - commit a30082d - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented (git-fixes) - commit d67b39d - arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename (git-fixes) - commit 3ecd022 - arm64: Restrict pagetable teardown to avoid false warning (git-fixes) - commit c34ecbe - arm64: dts: rockchip: Update eMMC for NanoPi R5 series (git-fixes) - commit b37cb41 - arm64: dts: imx8mp-beacon: Fix RTC capacitive load (git-fixes) - commit 32c56dd - arm64: dts: imx8mn-beacon: Fix RTC capacitive load (git-fixes) - commit ee84ff9 - arm64: dts: imx8mm-beacon: Fix RTC capacitive load (git-fixes) - commit 7b505c9 - arm64: tegra: Drop remaining serial clock-names and reset-names (git-fixes) - commit 2981841 - arm64: Add support for HIP09 Spectre-BHB mitigation (git-fixes) - commit 4ad8521 - arm64: zynqmp: add clock-output-names property in clock nodes (git-fixes) - commit ba1bbf1 - arm64: tegra: p2597: Fix gpio for vdd-1v8-dis regulator (git-fixes) - commit 356d85f - arm64/mm: Check PUD_TYPE_TABLE in pud_bad() (git-fixes) - commit 1ad9e93 - arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 (git-fixes) - commit 54de7d8 - serial: 8250: fix panic due to PSLVERR (git-fixes). - commit c91d52e - drm/amd/display: Add more checks for DSC / HUBP ONO guarantees (bsc#1247078 CVE-2025-38360) - commit 9101a0c - net: libwx: remove duplicate page_pool_put_full_page() (CVE-2025-38490 bsc#1247243). - commit f305524 - sunrpc: fix handling of server side tls alerts (git-fixes). - commit 40fb7b3 - cifs: Fix buffer overflow when parsing NFS reparse points (CVE-2024-49996 bsc#1232089). - commit 50adb2e - smb: client: fix parsing of device numbers (git-fixes). - commit 45992a6 - ice, irdma: fix an off by one in error handling code (bsc#1247712). - irdma: free iwdev-&gt;rf after removing MSI-X (bsc#1247712). - ice: Fix signedness bug in ice_init_interrupt_scheme() (bsc#1247712). - commit 46ad237 - ice: init flow director before RDMA (bsc#1247712). - ice: simplify VF MSI-X managing (bsc#1247712). - ice: enable_rdma devlink param (bsc#1247712). - ice: treat dyn_allowed only as suggestion (bsc#1247712). - ice, irdma: move interrupts code to irdma (bsc#1247712). - ice: get rid of num_lan_msix field (bsc#1247712). - ice: remove splitting MSI-X between features (bsc#1247712). - ice: devlink PF MSI-X max and min parameter (bsc#1247712). - ice: count combined queues using Rx/Tx count (bsc#1247712). - commit 383df22 - smb3: move server check earlier when setting channel sequence number (git-fixes). - commit df2adca - ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg() (git-fixes). - commit 890fc59 - module: Restore the moduleparam prefix length check (git-fixes). - commit ad2fc48 - module: Remove unnecessary +1 from last_unloaded_module::name size (git-fixes). - commit 3efc8ab - audit,module: restore audit logging in load failure case (git-fixes). - kABI: Fix the module::name type in audit_context (git-fixes). - commit 7e23359 - module: Fix memory deallocation on error path in move_module() (git-fixes). - commit bb37d39 - SMB3: rename macro CIFS_SERVER_IS_CHAN to avoid confusion (git-fixes). - Refresh patches.suse/smb-client-fix-use-after-free-of-signing-key.patch. - commit ee8ada8 - smb: client: fix potential deadlock when reconnecting channels (bsc#1246183, CVE-2025-38244). - commit fcf601a - cifs: reconnect helper should set reconnect for the right channel (git-fixes). - commit ae3173e - [SMB3] send channel sequence number in SMB3 requests after reconnects (git-fixes). - commit baa81e9 - net: mana: Add debug logs in MANA network driver (bsc#1246212). - Refresh patches.suse/msft-hv-3280-net-mana-Add-support-for-Multi-Vports-on-Bare-metal.patch. - commit 1b4ad82 - netlink: avoid infinite retry looping in netlink_unicast() (CVE-2025-38465 bsc#1247118). - net: mana: Set tx_packets to post gso processing packet count (bsc#1245731). - net: mana: Allocate MSI-X vectors dynamically (bsc#1245457). - net: mana: Allow irq_setup() to skip cpus for affinity (bsc#1245457). - net: mana: explain irq_setup() algorithm (bsc#1245457). - PCI: hv: Allow dynamic MSI-X vector allocation (bsc#1245457). - PCI/MSI: Export pci_msix_prepare_desc() for dynamic MSI-X allocations (bsc#1245457). - net: mana: Add handler for hardware servicing events (bsc#1245730). - net: mana: Expose additional hardware counters for drop and TC via ethtool (bsc#1245729). - hv_netvsc: Use VF's tso_max_size value when data path is VF (bsc#1246203). - net: mana: Allow tso_max_size to go up-to GSO_MAX_SIZE (bsc#1246203). - commit bdd7f41 - NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (git-fixes). - commit 80e576f - sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (git-fixes). - commit 3754627 - drm/amdgpu: Add basic validation for RAS header (bsc#1247252 CVE-2025-38426) - commit 5d23e74 - NFS: Fix the setting of capabilities when automounting a new filesystem (git-fixes). - commit fabe208 - sunrpc: fix client side handling of tls alerts (git-fixes). - commit 4c093f3 - NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY (git-fixes). - commit fd58755 - NFSv4.2: another fix for listxattr (git-fixes). - commit 5a2e576 - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (git-fixes). - commit 094541e - pNFS/flexfiles: don't attempt pnfs on fatal DS errors (git-fixes). - commit ec1d884 - gpio: mlxbf2: use platform_get_irq_optional() (git-fixes). - ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() (git-fixes). - ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() (git-fixes). - commit 1750f05 - posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1246911 CVE-2025-38352). - commit ab7e2c1 - tls: always refresh the queue when reading sock (CVE-2025-38471 bsc#1247450). - ext4: only dirty folios when data journaling regular files (CVE-2025-38220 bsc#1245966). - commit 4468ab0 - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing (git-fixes). - commit 87e34c3 - net/packet: fix a race in packet_set_ring() and packet_notifier() (git-fixes). - commit caa5d02 - net/sched: taprio: enforce minimum value for picos_per_byte (git-fixes). - commit d33d37f - ipv6: reject malicious packets in ipv6_gso_segment() (git-fixes). - commit e120573 - netpoll: prevent hanging NAPI when netcons gets enabled (git-fixes). - commit d8e3fe4 - tracing/kprobes: Fix to free objects when failed to copy a symbol (git-fixes). - commit a2d3373 - tracing/kprobe: Make trace_kprobe's module callback called after jump_label update (git-fixes). - commit 34ee7ea - kABI fix for net: vlan: fix VLAN 0 refcount imbalance of toggling (CVE-2025-38470 bsc#1247288). - commit 00f8e79 - net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime (CVE-2025-38470 bsc#1247288). - net/sched: Abort __tc_modify_qdisc if parent class does not exist (CVE-2025-38457 bsc#1247098). - atm: clip: Fix potential null-ptr-deref in to_atmarpd() (CVE-2025-38460 bsc#1247143). - idpf: convert control queue mutex to a spinlock (CVE-2025-38392 bsc#1247169). - commit 4f53008 - drm/amd/display: Don't overwrite dce60_clk_mgr (git-fixes). - Revert &quot;vgacon: Add check for vc_origin address range in vgacon_scroll()&quot; (stable-fixes). - commit 6cc69eb - exfat: fdatasync flag should be same like generic_write_sync() (git-fixes). - commit ec3f01f - do_change_type(): refuse to operate on unmounted/not ours mounts (CVE-2025-38498 bsc#1247374) - commit 545afad - vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() (CVE-2024-56742 bsc#1235613) - commit ff30550 - scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (CVE-2025-38399 bsc#1247097). - commit e689eaa - RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages (git-fixes) - commit 39fb4df - drm/v3d: Disable interrupts before resetting the GPU (CVE-2025-38371 bsc#1247178). - commit 4160ac6 - btrfs: fix log tree replay failure due to file with 0 links and extents (git-fixes). - commit fd0c9dd - fs/mnt_idmapping.c: Return -EINVAL when no map is written (bsc#1233120) - commit 1ef0d72 - netlink: make sure we allow at least one dump skb (CVE-2025-38465 bsc#1247118). - netlink: Fix rmem check in netlink_broadcast_deliver() (CVE-2025-38465 bsc#1247118). - netlink: Fix wraparounds of sk-&gt;sk_rmem_alloc (CVE-2025-38465 bsc#1247118). - commit b3ac9f0 - btrfs: return accurate error code on open failure in open_fs_devices() (bsc#1233120) - commit 53ce95e - Refresh patches.kabi/xsk-Fix-race-condition-in-AF_XDP-generic-RX-path.patch. Drop the static_assert() kABI checks temporarily until we have a proper solution to signal kABI verification. - commit d4817c8 - af_unix: Add a prompt to CONFIG_AF_UNIX_OOB (bsc#1246093). - commit 9dcc611 - integrity/platform_certs: Allow loading of keys in the static key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc/secvar: Expose secvars relevant to the key management mode (jsc#PED-13345 jsc#PED-13343). - powerpc/pseries: Correct secvar format representation for static key management (jsc#PED-13345 jsc#PED-13343). - commit f654d9a - net: usbnet: Fix the wrong netif_carrier_on() call (git-fixes). - commit 3ed80f8 - kABI: restore layout of struct msi_desc (CVE-2025-38062 bsc#1245216). - genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie (CVE-2025-38062 bsc#1245216). - commit 19502f4 - Delete patches.suse/af_unix-Disable-MSG_OOB-for-unprivileged-users.patch. - commit e99b1bb - Update config files. (CVE-2025-38236 bsc#1246093) Disable CONFIG_AF_UNIX_OOB as the implementation is ridden with security bugs whose fixes would be hard to backport and the feature has no known users. - commit f8cd607 - Refresh patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch. - Refresh patches.suse/x86-its-Add-vmexit-option-to-skip-mitigation-on-some-CPUs.patch. Fix affected model steppings. - commit 115d04b - KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#1242960 CVE-2025-37885). - commit b463fcd - enabled CONFIG_X86_INTEL_TSX_MODE_AUTO This is a response to bsc#1246695. As result of TAA vulnerability (CVE-2019-11135) we have aimed to follow the upstream default for TSX but due to a mistake we have ended up using CONFIG_X86_INTEL_TSX_MODE_ON rather than CONFIG_X86_INTEL_TSX_MODE_OFF. This has been noticed later on and fixed to align with upstream. Which has made some users unhappy because they have lost a default TSX functionality even on HW that is not susceptible to CVE-2019-11135. We have discussed different ways to deal with that but the likely most straightforward turned out to be to go with CONFIG_X86_INTEL_TSX_MODE_AUTO which disables TSX only on CVE-2019-11135 affected HW. We are still diverging from the upstream here but there are some positive indications that no new TSX based side channels have been discovered since. - commit 395c9dd - tcp: call tcp_measure_rcv_mss() for ooo packets (git-fixes). - commit 54261d2 - net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (git-fixes). - commit cdfb027 - Refresh patches.suse/af_unix-Disable-MSG_OOB-for-unprivileged-users.patch. Print message upon disabled use. - commit 31d5690 - Refresh patches.suse/virtio-blk-scsi-use-block-layer-helpers-to-calculate.patch. - commit 773f5a0 - Rename to patches.suse/scsi-use-block-layer-helpers-to-calculate-num-of-que.patch. - commit dd839b8 - Refresh patches.suse/nvme-pci-use-block-layer-helpers-to-calculate-num-of.patch. - commit e114e47 - Refresh patches.suse/blk-mq-add-number-of-queue-calc-helper.patch. - commit db4fa45 - Rename to patches.suse/lib-group_cpus-Let-group_cpu_evenly-return-the-numbe.patch. Refresh: - patches.kabi/kabi-fix-group-cpus-evenly.patch - patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping.patch - commit ca07a82 - btrfs: tests: fix chunk map leak after failure to add it to the tree (git-fixes). - commit 4c3fd9d - lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() (bsc#1236897). - lib/group_cpus.c: avoid acquiring cpu hotplug lock in group_cpus_evenly (bsc#1236897). - commit 749ceff - btrfs: fix ssd_spread overallocation (git-fixes). - commit 760f402 - btrfs: use btrfs_record_snapshot_destroy() during rmdir (git-fixes). - commit 05219d1 - btrfs: propagate last_unlink_trans earlier when doing a rmdir (git-fixes). - btrfs: rename err to ret in btrfs_rmdir() (git-fixes). - commit 6fea6c3 - btrfs: don't skip remaining extrefs if dir not found during log replay (git-fixes). - commit ae66e11 - btrfs: don't ignore inode missing when replaying log tree (git-fixes). - commit 87671c8 - KVM: x86: Reset IRTE to host control if *new* route isn't postable (bsc#242960 CVE-2025-37885). - commit 1396afc - btrfs: fix inode lookup error handling during log replay (git-fixes). - commit a89d2a6 - nvmet-tcp: fix callback lock for TLS handshake (git-fixes). - nvme: fix misaccounting of nvme-mpath inflight I/O (git-fixes). - nvme: fix endianness of command word prints in nvme_log_err_passthru() (git-fixes). - nvme: fix inconsistent RCU list manipulation in nvme_ns_add_to_ctrl_list() (git-fixes). - commit bbf2481 - RDMA/core: Rate limit GID cache warning messages (git-fixes) - commit fd0e41a - kernel-syms.spec: Drop old rpm release number hack (bsc#1247172). - commit b4fa2d1 - rtc: rv3028: fix incorrect maximum clock rate handling (git-fixes). - rtc: pcf8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: pcf85063: fix incorrect maximum clock rate handling (git-fixes). - rtc: nct3018y: fix incorrect maximum clock rate handling (git-fixes). - rtc: hym8563: fix incorrect maximum clock rate handling (git-fixes). - rtc: ds1307: fix incorrect maximum clock rate handling (git-fixes). - ucount: fix atomic_long_inc_below() argument type (git-fixes). - i3c: fix module_i3c_i2c_driver() with I3C=n (git-fixes). - commit e466472 - pinmux: fix race causing mux_owner NULL with active mux_usecount (git-fixes). - pinctrl: sunxi: Fix memory leak on krealloc failure (git-fixes). - fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref (git-fixes). - firewire: ohci: correct code comments about bus_reset tasklet (git-fixes). - commit fd1a6ae - PCI: rockchip-host: Fix &quot;Unexpected Completion&quot; log message (git-fixes). - PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute (git-fixes). - PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails (git-fixes). - PCI: endpoint: Fix configfs group removal on driver teardown (git-fixes). - PCI: endpoint: Fix configfs group list head handling (git-fixes). - watchdog: ziirave_wdt: check record length in ziirave_firm_verify() (git-fixes). - dmaengine: nbpfaxi: Add missing check after DMA map (git-fixes). - dmaengine: mv_xor: Fix missing check after DMA map and missing unmap (git-fixes). - dmaengine: qcom: gpi: Drop unused gpi_write_reg_field() (git-fixes). - dmaengine: dw-edma: Drop unused dchan2dev() and chan2dev() (git-fixes). - ASoC: fsl_xcvr: get channel status data when PHY is not exists (git-fixes). - soundwire: stream: restore params when prepare ports fail (git-fixes). - power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set (git-fixes). - power: supply: cpcap-charger: Fix null check for power_supply_get_by_name (git-fixes). - ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx (stable-fixes). - can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode (git-fixes). - ALSA: hda: Add missing NVIDIA HDA codec IDs (stable-fixes). - usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach (git-fixes). - usb: typec: tcpm: allow switching to mode accessory to mux properly (stable-fixes). - usb: typec: tcpm: allow to use sink in accessory mode (stable-fixes). - ALSA: hda/tegra: Add Tegra264 support (stable-fixes). - can: dev: can_restart(): move debug message and stats after successful restart (stable-fixes). - can: dev: can_restart(): reverse logic to remove need for goto (stable-fixes). - commit 0f0c0d9 - btrfs: don't silently ignore unexpected extent type when replaying log (git-fixes). - commit e423498 - btrfs: fix invalid inode pointer dereferences during log replay (git-fixes). - commit 78cbba9 - btrfs: return a btrfs_inode from read_one_inode() (git-fixes). - commit b3a9472 - iommu/arm-smmu-qcom: Add SM6115 MDSS compatible (git-fixes). - iommu/amd: Fix geometry.aperture_end for V2 tables (git-fixes). - commit f8c05a9 - btrfs: return a btrfs_inode from btrfs_iget_logging() (git-fixes). - commit 88ed97b - btrfs: use NOFS context when getting inodes during logging and log replay (git-fixes). - commit 88eb1d5 - virtio-net: ensure the received length does not exceed allocated size (CVE-2025-38375 bsc#1247177). - commit 2adf745 - btrfs: update superblock's device bytes_used when dropping chunk (git-fixes). - commit e33076b - Update patches.suse/0001-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch (bsc#1245431 CVE-2025-38085 bsc#1245499). - Update patches.suse/0001-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch (bsc#1245431 CVE-2025-38084 bsc#1245498). - Update patches.suse/ACPI-CPPC-Fix-NULL-pointer-dereference-when-nosmp-is.patch (git-fixes CVE-2025-38113 bsc#1245683). - Update patches.suse/ACPICA-Refuse-to-evaluate-a-method-if-arguments-are-.patch (stable-fixes CVE-2025-38386 bsc#1247138). - Update patches.suse/ACPICA-fix-acpi-operand-cache-leak-in-dswstate.c.patch (stable-fixes CVE-2025-38345 bsc#1246337). - Update patches.suse/ACPICA-fix-acpi-parse-and-parseext-cache-leaks.patch (stable-fixes CVE-2025-38344 bsc#1246334). - Update patches.suse/ALSA-usb-audio-Fix-out-of-bounds-read-in-snd_usb_get.patch (git-fixes CVE-2025-38249 bsc#1246171). - Update patches.suse/ASoC-Intel-avs-Verify-content-returned-by-parse_int_.patch (git-fixes CVE-2025-38307 bsc#1246364). - Update patches.suse/ASoC-codecs-wcd9335-Fix-missing-free-of-regulator-su.patch (git-fixes CVE-2025-38259 bsc#1246220). - Update patches.suse/Bluetooth-Fix-NULL-pointer-deference-on-eir_get_serv.patch (git-fixes CVE-2025-38304 bsc#1246240). - Update patches.suse/Bluetooth-Fix-null-ptr-deref-in-l2cap_sock_resume_cb.patch (git-fixes CVE-2025-38473 bsc#1247289). - Update patches.suse/Bluetooth-MGMT-Fix-UAF-on-mgmt_remove_adv_monitor_co.patch (git-fixes CVE-2025-38118 bsc#1245670). - Update patches.suse/HID-core-do-not-bypass-hid_hw_raw_request.patch (stable-fixes CVE-2025-38494 bsc#1247349). - Update patches.suse/HID-core-ensure-the-allocated-report-buffer-can-cont.patch (stable-fixes CVE-2025-38495 bsc#1247348). - Update patches.suse/IB-mlx5-Fix-potential-deadlock-in-MR-deregistration.patch (git-fixes CVE-2025-38373 bsc#1247033). - Update patches.suse/Input-ims-pcu-check-record-size-in-ims_pcu_flash_fir.patch (git-fixes CVE-2025-38428 bsc#1247150). - Update patches.suse/NFC-nci-uart-Set-tty-disc_data-only-in-success-path.patch (git-fixes CVE-2025-38416 bsc#1247151). - Update patches.suse/NFSv4-pNFS-Fix-a-race-to-wake-on-NFS_LAYOUT_DRAIN.patch (git-fixes CVE-2025-38393 bsc#1247170). - Update patches.suse/RDMA-cma-Fix-hang-when-cma_netevent_callback-fails-t.patch (git-fixes CVE-2025-38151 bsc#1245745). - Update patches.suse/RDMA-iwcm-Fix-use-after-free-of-work-objects-after-c.patch (git-fixes CVE-2025-38211 bsc#1246008). - Update patches.suse/RDMA-mlx5-Fix-error-flow-upon-firmware-failure-for-R.patch (git-fixes CVE-2025-38161 bsc#1245777). - Update patches.suse/RDMA-mlx5-Initialize-obj_event-obj_sub_list-before-x.patch (git-fixes CVE-2025-38387 bsc#1247154). - Update patches.suse/Squashfs-check-return-result-of-sb_min_blocksize.patch (git-fixes CVE-2025-38415 bsc#1247147). - Update patches.suse/VMCI-fix-race-between-vmci_host_setup_notify-and-vmc.patch (git-fixes CVE-2025-38102 bsc#1245669). - Update patches.suse/aoe-clean-device-rq_list-in-aoedev_downdev.patch (git-fixes CVE-2025-38326 bsc#1246490). - Update patches.suse/ata-pata_via-Force-PIO-for-ATAPI-devices-on-VT6415-V.patch (stable-fixes CVE-2025-38336 bsc#1246370). - Update patches.suse/backlight-pm8941-Add-NULL-check-in-wled_configure.patch (git-fixes CVE-2025-38143 bsc#1245714). - Update patches.suse/bnxt-properly-flush-XDP-redirect-lists.patch (git-fixes CVE-2025-38246 bsc#1246195). - Update patches.suse/bpf-sockmap-Fix-panic-when-calling-skb_linearize.patch (bsc#1245749 CVE-2025-38154 CVE-2025-38165 bsc#1245757). - Update patches.suse/bus-fsl-mc-fix-double-free-on-mc_dev.patch (git-fixes CVE-2025-38313 bsc#1246342). - Update patches.suse/calipso-Fix-null-ptr-deref-in-calipso_req_-set-del-a.patch (git-fixes CVE-2025-38181 bsc#1246000). - Update patches.suse/comedi-Fail-COMEDI_INSNLIST-ioctl-if-n_insns-is-too-.patch (git-fixes CVE-2025-38481 bsc#1247276). - Update patches.suse/comedi-Fix-initialization-of-data-for-instructions-t.patch (git-fixes CVE-2025-38478 bsc#1247273). - Update patches.suse/comedi-Fix-use-of-uninitialized-data-in-insn_rw_emul.patch (git-fixes CVE-2025-38480 bsc#1247274). - Update patches.suse/comedi-das16m1-Fix-bit-shift-out-of-bounds.patch (git-fixes CVE-2025-38483 bsc#1247278). - Update patches.suse/comedi-das6402-Fix-bit-shift-out-of-bounds.patch (git-fixes CVE-2025-38482 bsc#1247277). - Update patches.suse/crypto-marvell-cesa-Handle-zero-length-skcipher-requ.patch (git-fixes CVE-2025-38173 bsc#1245769). - Update patches.suse/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch (git-fixes CVE-2025-38300 bsc#1246349). - Update patches.suse/dm-bufio-fix-sched-in-atomic-context.patch (git-fixes CVE-2025-38496 bsc#1247284). - Update patches.suse/dma-buf-insert-memory-barrier-before-updating-num_fe.patch (git-fixes CVE-2025-38095 bsc#1245658). - Update patches.suse/dmaengine-idxd-Check-availability-of-workqueue-alloc.patch (stable-fixes CVE-2025-38369 bsc#1247209). - Update patches.suse/dmaengine-ti-Add-NULL-check-in-udma_probe.patch (git-fixes CVE-2025-38138 bsc#1245719). - Update patches.suse/drivers-rapidio-rio_cm.c-prevent-possible-heap-overw.patch (stable-fixes CVE-2025-38090 bsc#1245510). - Update patches.suse/drm-amd-display-Add-null-pointer-check-for-get_first.patch (git-fixes CVE-2025-38362 bsc#1247089). - Update patches.suse/drm-amd-pp-Fix-potential-NULL-pointer-dereference-in.patch (git-fixes CVE-2025-38319 bsc#1246243). - Update patches.suse/drm-exynos-exynos7_drm_decon-add-vblank-check-in-IRQ.patch (git-fixes CVE-2025-38467 bsc#1247146). - Update patches.suse/drm-gem-Acquire-references-on-GEM-handles-for-frameb.patch (stable-fixes CVE-2025-38449 bsc#1247255). - Update patches.suse/drm-i915-gt-Fix-timeline-left-held-on-VMA-alloc-erro.patch (git-fixes CVE-2025-38389 bsc#1247153). - Update patches.suse/drm-msm-Fix-a-fence-leak-in-submit-error-path.patch (stable-fixes CVE-2025-38410 bsc#1247128). - Update patches.suse/drm-msm-Fix-another-leak-in-the-submit-error-path.patch (stable-fixes CVE-2025-38409 bsc#1247285). - Update patches.suse/drm-msm-gpu-Fix-crash-when-throttling-GPU-immediatel.patch (git-fixes CVE-2025-38354 bsc#1247061). - Update patches.suse/drm-scheduler-signal-scheduled-fence-when-kill-job.patch (stable-fixes CVE-2025-38436 bsc#1247227). - Update patches.suse/drm-tegra-Fix-a-possible-null-pointer-dereference.patch (git-fixes CVE-2025-38363 bsc#1247018). - Update patches.suse/fbcon-Make-sure-modelist-not-set-on-unregistered-con.patch (stable-fixes CVE-2025-38198 bsc#1245952). - Update patches.suse/fbdev-Fix-do_register_framebuffer-to-prevent-null-pt.patch (git-fixes CVE-2025-38215 bsc#1246109). - Update patches.suse/fbdev-Fix-fb_set_var-to-prevent-null-ptr-deref-in-fb.patch (git-fixes CVE-2025-38214 bsc#1246042). - Update patches.suse/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch (git-fixes CVE-2025-38312 bsc#1246386). - Update patches.suse/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch (git-fixes CVE-2025-38338 bsc#1246258). - Update patches.suse/gve-add-missing-NULL-check-for-gve_alloc_pending_pac.patch (git-fixes CVE-2025-38122 bsc#1245746). - Update patches.suse/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch (git-fixes CVE-2025-38142 bsc#1245713). - Update patches.suse/hwmon-ftsteutates-Fix-TOCTOU-race-in-fts_read.patch (git-fixes CVE-2025-38217 bsc#1246002). - Update patches.suse/i2c-designware-Fix-an-initialization-issue.patch (git-fixes CVE-2025-38380 bsc#1247028). - Update patches.suse/i2c-tegra-check-msg-length-in-SMBUS-block-read.patch (bsc#1242086 CVE-2025-38425 bsc#1247251). - Update patches.suse/ice-fix-Tx-scheduler-error-handling-in-XDP-callback.patch (git-fixes CVE-2025-38127 bsc#1245705). - Update patches.suse/iio-accel-fxls8962af-Fix-use-after-free-in-fxls8962a.patch (git-fixes CVE-2025-38485 bsc#1247236). - Update patches.suse/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch (git-fixes CVE-2025-38328 bsc#1246249). - Update patches.suse/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch (git-fixes CVE-2025-38194 bsc#1245957). - Update patches.suse/media-cxusb-no-longer-judge-rbuf-when-the-write-fail.patch (git-fixes CVE-2025-38229 bsc#1246049). - Update patches.suse/media-imx-jpeg-Cleanup-after-an-allocation-error.patch (git-fixes CVE-2025-38225 bsc#1246041). - Update patches.suse/media-vidtv-Terminating-the-subsequent-process-of-in.patch (git-fixes CVE-2025-38227 bsc#1246031). - Update patches.suse/media-vivid-Change-the-siize-of-the-composing.patch (git-fixes CVE-2025-38226 bsc#1246050). - Update patches.suse/mtd-nand-ecc-mxic-Fix-use-of-uninitialized-variable-.patch (git-fixes CVE-2025-38277 bsc#1246246). - Update patches.suse/mtd-spinand-fix-memory-leak-of-ECC-engine-conf.patch (stable-fixes CVE-2025-38384 bsc#1247035). - Update patches.suse/mtk-sd-Prevent-memory-corruption-from-DMA-map-failur.patch (git-fixes CVE-2025-38401 bsc#1247125). - Update patches.suse/nbd-fix-uaf-in-nbd_genl_connect-error-path.patch (git-fixes CVE-2025-38443 bsc#1247164). - Update patches.suse/net-Fix-TOCTOU-issue-in-sk_is_readable.patch (git-fixes CVE-2025-38112 bsc#1245668). - Update patches.suse/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch (git-fixes CVE-2025-38124 bsc#1245690). - Update patches.suse/net-mdiobus-Fix-potential-out-of-bounds-clause-45-re.patch (git-fixes CVE-2025-38110 bsc#1245665). - Update patches.suse/net-mdiobus-Fix-potential-out-of-bounds-read-write-a.patch (git-fixes CVE-2025-38111 bsc#1245666). - Update patches.suse/net-mlx5-Fix-ECVF-vports-unload-on-shutdown-flow.patch (git-fixes CVE-2025-38109 bsc#1245684). - Update patches.suse/net-phy-clear-phydev-devlink-when-the-link-is-delete.patch (git-fixes CVE-2025-38149 bsc#1245737). - Update patches.suse/net-phy-mscc-Fix-memory-leak-when-using-one-step-tim.patch (git-fixes CVE-2025-38148 bsc#1245735). - Update patches.suse/net-sched-Return-NULL-when-htb_lookup_leaf-encounter.patch (git-fixes CVE-2025-38468 bsc#1247437). - Update patches.suse/net-sched-fix-use-after-free-in-taprio_dev_notifier.patch (git-fixes CVE-2025-38087 bsc#1245504). - Update patches.suse/net-sched-sch_qfq-Fix-race-condition-on-qfq_aggregat.patch (git-fixes CVE-2025-38477 bsc#1247314). - Update patches.suse/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch (CVE-2025-38052 bsc#1244749 CVE-2025-38273 bsc#1246266). - Update patches.suse/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch (git-fixes CVE-2025-38153 bsc#1245744). - Update patches.suse/net-usb-lan78xx-fix-WARN-in-__netif_napi_del_locked-.patch (git-fixes CVE-2025-38385 bsc#1247149). - Update patches.suse/net-wwan-t7xx-Fix-napi-rx-poll-issue.patch (git-fixes CVE-2025-38123 bsc#1245688). - Update patches.suse/net_sched-ets-fix-a-race-in-ets_qdisc_change.patch (git-fixes CVE-2025-38107 bsc#1245676). - Update patches.suse/net_sched-red-fix-a-race-in-__red_change.patch (git-fixes CVE-2025-38108 bsc#1245675). - Update patches.suse/net_sched-sch_sfq-reject-invalid-perturb-period.patch (git-fixes CVE-2025-38193 bsc#1245945). - Update patches.suse/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch (git-fixes CVE-2024-57947 bsc#1236333 CVE-2025-38120 bsc#1245711). - Update patches.suse/nfs-Clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_init-fails.patch (git-fixes CVE-2025-38400 bsc#1247123). - Update patches.suse/nfsd-Initialize-ssc-before-laundromat_work-to-prevent-NULL-dereference.patch (git-fixes CVE-2025-38231 bsc#1246055). - Update patches.suse/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch (git-fixes CVE-2025-38430 bsc#1247160). - Update patches.suse/page_pool-Fix-use-after-free-in-page_pool_recycle_in.patch (git-fixes CVE-2025-38129 bsc#1245723). - Update patches.suse/perf-Fix-sample-vs-do_exit.patch (bsc#1246547 CVE-2025-38424 bsc#1247293). - Update patches.suse/phy-qcom-qmp-usb-Fix-an-NULL-vs-IS_ERR-bug.patch (git-fixes CVE-2025-38275 bsc#1246236). - Update patches.suse/pinctrl-at91-Fix-possible-out-of-boundary-access.patch (git-fixes CVE-2025-38286 bsc#1246283). - Update patches.suse/platform-x86-dell-wmi-sysman-Fix-WMI-data-block-retr.patch (git-fixes CVE-2025-38412 bsc#1247132). - Update patches.suse/platform-x86-dell_rbu-Fix-list-usage.patch (git-fixes CVE-2025-38197 bsc#1246047). - Update patches.suse/powerpc-powernv-memtrace-Fix-out-of-bounds-issue-in-.patch (bsc#1244309 ltc#213790 CVE-2025-38088 bsc#1245506). - Update patches.suse/ptp-remove-ptp-n_vclocks-check-logic-in-ptp_vclock_i.patch (git-fixes CVE-2025-38305 bsc#1246358). - Update patches.suse/regulator-gpio-Fix-the-out-of-bounds-access-to-drvda.patch (git-fixes CVE-2025-38395 bsc#1247171). - Update patches.suse/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch (git-fixes CVE-2025-38377 bsc#1247174). - Update patches.suse/rpl-Fix-use-after-free-in-rpl_do_srh_inline.patch (git-fixes CVE-2025-38476 bsc#1247317). - Update patches.suse/s390-bpf-Fix-bpf_arch_text_poke-with-new_addr-NULL-again.patch (git-fixes bsc#1246870 CVE-2025-38489 bsc#1247241). - Update patches.suse/s390-pkey-Prevent-overflow-in-size-calculation-for-memdup_.patch (git-fixes bsc#1245598 CVE-2025-38257 bsc#1246186). - Update patches.suse/sch_hfsc-make-hfsc_qlen_notify-idempotent.patch (CVE-2025-37798 bsc#1242414 CVE-2025-38177 bsc#1245986). - Update patches.suse/scsi-lpfc-Avoid-potential-ndlp-use-after-free-in-dev.patch (bsc#1242993 CVE-2025-38289 bsc#1246287). - Update patches.suse/scsi-lpfc-Use-memcpy-for-BIOS-version.patch (bsc#1240966 CVE-2025-38332 bsc#1246375). - Update patches.suse/serial-Fix-potential-null-ptr-deref-in-mlb_usio_prob.patch (git-fixes CVE-2025-38135 bsc#1246023). - Update patches.suse/soc-aspeed-Add-NULL-check-in-aspeed_lpc_enable_snoop.patch (git-fixes CVE-2025-38145 bsc#1245765). - Update patches.suse/soc-aspeed-lpc-snoop-Don-t-disable-channels-that-are.patch (git-fixes CVE-2025-38487 bsc#1247238). - Update patches.suse/software-node-Correct-a-OOB-check-in-software_node_g.patch (stable-fixes CVE-2025-38342 bsc#1246453). - Update patches.suse/sunrpc-handle-SVC_GARBAGE-during-svc-auth-processing-as-auth-error.patch (git-fixes CVE-2025-38089 bsc#1245508). - Update patches.suse/thunderbolt-Do-not-double-dequeue-a-configuration-re.patch (stable-fixes CVE-2025-38174 bsc#1245781). - Update patches.suse/usb-chipidea-udc-disconnect-reconnect-from-host-when.patch (git-fixes CVE-2025-38376 bsc#1247176). - Update patches.suse/usb-gadget-u_serial-Fix-race-condition-in-TTY-wakeup.patch (git-fixes CVE-2025-38448 bsc#1247233). - Update patches.suse/usb-net-sierra-check-for-no-status-endpoint.patch (git-fixes CVE-2025-38474 bsc#1247311). - Update patches.suse/usb-renesas_usbhs-Reorder-clock-handling-and-power-m.patch (git-fixes CVE-2025-38136 bsc#1245691). - Update patches.suse/usb-typec-altmodes-displayport-do-not-index-invalid-.patch (git-fixes CVE-2025-38391 bsc#1247181). - Update patches.suse/usb-typec-displayport-Fix-potential-deadlock.patch (git-fixes CVE-2025-38404 bsc#1247271). - Update patches.suse/vgacon-Add-check-for-vc_origin-address-range-in-vgac.patch (git-fixes CVE-2025-38213 bsc#1246037). - Update patches.suse/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch (git-fixes CVE-2025-38293 bsc#1246292). - Update patches.suse/wifi-ath12k-fix-invalid-access-to-memory.patch (git-fixes CVE-2025-38292 bsc#1246295). - Update patches.suse/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch (git-fixes CVE-2025-38290 bsc#1246293). - Update patches.suse/wifi-ath6kl-remove-WARN-on-bad-firmware-input.patch (stable-fixes CVE-2025-38406 bsc#1247210). - Update patches.suse/wifi-ath9k_htc-Abort-software-beacon-handling-if-dis.patch (git-fixes CVE-2025-38157 bsc#1245747). - Update patches.suse/wifi-carl9170-do-not-ping-device-which-has-failed-to.patch (git-fixes CVE-2025-38420 bsc#1247279). - Update patches.suse/wifi-mt76-mt7915-Fix-null-ptr-deref-in-mt7915_mmio_w.patch (git-fixes CVE-2025-38155 bsc#1245748). - Update patches.suse/wifi-mt76-mt7996-drop-fragments-with-multicast-or-br.patch (stable-fixes CVE-2025-38343 bsc#1246438). - Update patches.suse/wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_re.patch (git-fixes CVE-2025-38348 bsc#1246262). - Update patches.suse/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch (git-fixes CVE-2025-38159 bsc#1245751). - commit de345c9 - Revert &quot;cgroup_freezer: cgroup_freezing: Check if not frozen&quot; (bsc#1219338). - sched,freezer: Remove unnecessary warning in __thaw_task (bsc#1219338). - commit 108588a - ipv6: fix possible infinite loop in fib6_info_uses_dev() (git-fixes). - commit 16f1f6e - ipv6: prevent infinite loop in rt6_nlmsg_size() (git-fixes). - commit cb535e8 - net/sched: Restrict conditions for adding duplicating netems to qdisc tree (git-fixes). - commit 6fae648 - Refresh patches.suse/af_unix-Disable-MSG_OOB-for-unprivileged-users.patch. Add cmdline override. - commit 4b6e594 - af_unix: Disable MSG_OOB for unprivileged users (CVE-2025-38236 bsc#1246093). - commit 6110a63 - fs/orangefs: Allow 2 more characters in do_c_string() (git-fixes). - commit 642fa26 - jfs: fix metapage reference count leak in dbAllocCtl (git-fixes). - commit 58c926b - x86/mce/amd: Fix threshold limit reset (git-fixes). - commit 468e2ae - bus: mhi: ep: Update read pointer only after buffer is written (CVE-2025-38429 bsc#1247253). - commit 3341565 - x86/mce: Don't remove sysfs if thresholding sysfs init fails (git-fixes). - commit 3d8385a - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel (git-fixes). - commit fe9eb0f - x86/mce/amd: Add default names for MCA banks and blocks (git-fixes). - commit 27f7700 - x86/traps: Initialize DR6 by writing its architectural reset value (git-fixes). - commit 80ddfd8 - media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 (git-fixes). - commit 1212a93 - x86/cpu/amd: Fix workaround for erratum 1054 (git-fixes). - commit 2d80ddf - mtd: rawnand: atmel: set pmecc data setup time (git-fixes). - mtd: spinand: propagate spinand_wait() errors from spinand_write_page() (git-fixes). - mtd: rawnand: fsmc: Add missing check after DMA map (git-fixes). - mtd: rawnand: rockchip: Add missing check after DMA map (git-fixes). - mtd: rawnand: atmel: Fix dma_mapping_error() address (git-fixes). - mtd: rawnand: renesas: Add missing check after DMA map (git-fixes). - mtd: spi-nor: Fix spi_nor_try_unlock_all() (git-fixes). - mtd: fix possible integer overflow in erase_xfer() (git-fixes). - clk: sunxi-ng: v3s: Fix de clock definition (git-fixes). - clk: clk-axi-clkgen: fix fpfd_max frequency for zynq (git-fixes). - clk: xilinx: vcu: unregister pll_post only if registered correctly (git-fixes). - clk: davinci: Add NULL check in davinci_lpsc_clk_register() (git-fixes). - hwmon: (gsc-hwmon) fix fan pwm setpoint show functions (git-fixes). - pwm: imx-tpm: Reset counter if CMOD is 0 (git-fixes). - media: uvcvideo: Do not mark valid metadata as invalid (git-fixes). - media: ov2659: Fix memory leaks in ov2659_probe() (git-fixes). - media: hi556: correct the test pattern configuration (git-fixes). - media: vivid: fix wrong pixel_array control size (git-fixes). - media: venus: hfi: explicitly release IRQ during teardown (git-fixes). - media: venus: Add a check for packet size after reading from shared memory (git-fixes). - media: venus: protect against spurious interrupts during probe (git-fixes). - media: venus: venc: Clamp param smaller than 1fps and bigger than 240 (git-fixes). - media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() (git-fixes). - media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check (git-fixes). - media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() (git-fixes). - media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (git-fixes). - media: gspca: Add bounds checking to firmware parser (git-fixes). - media: usbtv: Lock resolution while streaming (git-fixes). - media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (git-fixes). - crypto: qat - fix seq_file position update in adf_ring_next() (git-fixes). - crypto: qat - fix DMA direction for compression on GEN2 devices (git-fixes). - crypto: qat - flush misc workqueue during device shutdown (git-fixes). - crypto: qat - disable ZUC-256 capability for QAT GEN5 (git-fixes). - crypto: img-hash - Fix dma_unmap_sg() nents value (git-fixes). - crypto: keembay - Fix dma_unmap_sg() nents value (git-fixes). - hwrng: mtk - handle devm_pm_runtime_enable errors (git-fixes). - crypto: ccp - Fix crash when rebind ccp device for ccp.ko (git-fixes). - crypto: inside-secure - Fix `dma_unmap_sg()` nents value (git-fixes). - crypto: ccp - Fix locking on alloc failure handling (git-fixes). - crypto: arm/aes-neonbs - work around gcc-15 warning (git-fixes). - crypto: qat - fix state restore for banks with exceptions (git-fixes). - crypto: qat - allow enabling VFs in the absence of IOMMU (git-fixes). - crypto: marvell/cesa - Fix engine load inaccuracy (git-fixes). - crypto: qat - use unmanaged allocation for dc_data (git-fixes). - crypto: sun8i-ce - fix nents passed to dma_unmap_sg() (git-fixes). - commit 8f3fb2a - Move upstreamed SCSI and ACPI patches into sorted section - commit 09d9d7c - RDMA/uverbs: Add empty rdma_uattrs_has_raw_cap() declaration (git-fixes) - commit ced3c6d - Update config files. run_oldconfig, no functional change. - commit 0b6044b - RDMA/mlx5: Fix compilation warning when USER_ACCESS isn't set (git-fixes) - commit dce79bd - RDMA/hns: Fix -Wframe-larger-than issue (git-fixes) - commit 90a067b - RDMA/hns: Drop GFP_NOWARN (git-fixes) - commit 927f6d6 - RDMA/hns: Fix accessing uninitialized resources (git-fixes) - commit c1be2f8 - RDMA/hns: Get message length of ack_req from FW (git-fixes) - commit 2e9a431 - RDMA/hns: Fix HW configurations not cleared in error flow (git-fixes) - commit ba6e757 - RDMA/hns: Fix double destruction of rsv_qp (git-fixes) - commit 0d7fee3 - Fix dma_unmap_sg() nents value (git-fixes) - commit 89d1cb0 - RDMA/counter: Check CAP_NET_RAW check in user namespace for RDMA counters (git-fixes) - commit c5238e7 - RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify (git-fixes) - commit 0d7ab5b - RDMA/mlx5: Check CAP_NET_RAW in user namespace for devx create (git-fixes) - commit c162c8c - RDMA/uverbs: Check CAP_NET_RAW in user namespace for RAW QP create (git-fixes) - commit 3292115 - RDMA/uverbs: Check CAP_NET_RAW in user namespace for QP create (git-fixes) - commit 90f88d3 - RDMA/mlx5: Check CAP_NET_RAW in user namespace for anchor create (git-fixes) - commit a812e80 - RDMA/mlx5: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - commit 9dcd5e1 - RDMA/uverbs: Check CAP_NET_RAW in user namespace for flow create (git-fixes) - commit eaff4b0 - vsock: Fix transport_{g2h,h2g} TOCTOU (CVE-2025-38462 bsc#1247104). - commit f5da768 - tcp: Correct signedness in skb remaining space calculation (CVE-2025-38463 bsc#1247113). - net/sched: Always pass notifications when child class becomes empty (CVE-2025-38350 bsc#1246781). - maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() (CVE-2025-38364 bsc#1247091). - commit 7390872 - x86: UV RTC: Add parameter to disable RTC clocksource (bsc#1241345). - commit 79ccdce - clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin (bsc#1241345 bsc#1244457). - commit 09911af - clocksource: Scale the watchdog read retries automatically (bsc#1241345 bsc#1244457). - Refresh patches.suse/clocksource-Fix-brown-bag-boolean-thinko-in-cs_watch.patch. - Refresh patches.suse/clocksource-Make-watchdog-and-suspend-timing-multipl.patch. - commit fdf040b - wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() (git-fixes). - wifi: iwlwifi: return ERR_PTR from opmode start() (stable-fixes). - commit bb4c593 - drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value (git-fixes). - fbcon: Fix outdated registered_fb reference in comment (git-fixes). - drm/msm/dpu: Fill in min_prefill_lines for SC8180X (git-fixes). - drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel (git-fixes). - drm/panfrost: Fix panfrost device variable name in devfreq (git-fixes). - drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed (git-fixes). - can: peak_usb: fix USB FD devices potential malfunction (git-fixes). - net: phy: micrel: fix KSZ8081/KSZ8091 cable test (git-fixes). - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event (git-fixes). - can: kvaser_usb: Assign netdev.dev_port based on device channel index (git-fixes). - can: kvaser_pciefd: Store device channel index (git-fixes). - Bluetooth: hci_event: Mask data status from LE ext adv reports (git-fixes). - wifi: ath12k: fix endianness handling while accessing wmi service bit (git-fixes). - wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath12k: fix source ring-buffer corruption (git-fixes). - wifi: ath12k: fix dest ring-buffer corruption (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption when ring is full (git-fixes). - wifi: ath11k: fix source ring-buffer corruption (git-fixes). - wifi: ath11k: fix dest ring-buffer corruption (git-fixes). - wifi: ath11k: fix suspend use-after-free after probe failure (git-fixes). - wifi: ath11k: clear initialized flag for deinit-ed srng lists (git-fixes). - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE (git-fixes). - Reapply &quot;wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()&quot; (git-fixes). - wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() (git-fixes). - wifi: mac80211: Don't call fq_flow_idx() for management frames (git-fixes). - wifi: mac80211: Do not schedule stopped TXQs (git-fixes). - wifi: plfxlc: Fix error handling in usb driver probe (git-fixes). - wifi: mac80211: reject TDLS operations when station is not associated (git-fixes). - wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() (git-fixes). - mwl8k: Add missing check after DMA map (git-fixes). - iwlwifi: Add missing check for alloc_ordered_workqueue (git-fixes). - wifi: iwlwifi: Fix memory leak in iwl_mvm_init() (git-fixes). - wifi: rtl818x: Kill URBs before clearing tx status queue (git-fixes). - wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band (git-fixes). - commit 338f129 - usb: gadget: configfs: Fix OOB read on empty string write (CVE-2025-38497 bsc#1247347). - commit 96c22e3 - fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (CVE-2025-38396 bsc#1247156). - commit 281f5f1 - wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (CVE-2025-38414 bsc#1247145). - commit be37365 - Docs/ABI: Fix sysfs-kernel-address_bits path (git-fixes). - soc: qcom: pmic_glink: fix OF node leak (git-fixes). - soc: qcom: fix endianness for QMI header (git-fixes). - soc: qcom: QMI encoding/decoding for big endian (git-fixes). - soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS (git-fixes). - usb: musb: omap2430: fix device leak at unbind (git-fixes). - usb: gadget: udc: renesas_usb3: fix device leak at unbind (git-fixes). - usb: dwc3: meson-g12a: fix device leaks at unbind (git-fixes). - usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() (git-fixes). - thunderbolt: Fix copy+paste error in match_service_id() (git-fixes). - usb: typec: ucsi: Update power_supply on power role change (git-fixes). - usb: gadget : fix use-after-free in composite_dev_cleanup() (git-fixes). - cdc-acm: fix race between initial clearing halt and open (git-fixes). - usb: early: xhci-dbc: Fix early_ioremap leak (git-fixes). - usb: misc: apple-mfi-fastcharge: Make power supply names unique (git-fixes). - Documentation: usb: gadget: Wrap remaining usage snippets in literal code block (git-fixes). - usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() (git-fixes). - vt: defkeymap: Map keycodes above 127 to K_HOLE (git-fixes). - vt: keyboard: Don't process Unicode characters in K_OFF mode (git-fixes). - staging: axis-fifo: remove sysfs interface (git-fixes). - staging: nvec: Fix incorrect null termination of battery manufacturer (git-fixes). - staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (git-fixes). - iio: adc: ad_sigma_delta: change to buffer predisable (git-fixes). - iio: imu: bno055: fix OOB access of hw_xlate array (git-fixes). - bus: mhi: host: Detect events pointing to unexpected TREs (git-fixes). - misc: rtsx: usb: Ensure mmc child device is active when card is present (git-fixes). - vmci: Prevent the dispatching of uninitialized payloads (git-fixes). - samples: mei: Fix building on musl libc (git-fixes). - platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() (git-fixes). - gpio: virtio: Fix config space reading (git-fixes). - ASoC: ops: dynamically allocate struct snd_ctl_elem_value (git-fixes). - ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() (git-fixes). - Documentation: ACPI: Fix parent device references (git-fixes). - ACPI: LPSS: Remove AudioDSP related ID (git-fixes). - ACPI: processor: perflib: Fix initial _PPC limit application (git-fixes). - powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() (git-fixes). - PM / devfreq: Check governor before using governor-&gt;name (git-fixes). - commit fbd21ae - apple-mfi-fastcharge: protect first device name (git-fixes). - commit 903dc58 - vsock/vmci: Clear the vmci transport packet properly when initializing it (CVE-2025-38403 bsc#1247141). - commit 6379963 - KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (CVE-2025-38455 bsc#1247101). - commit ca76701 - vsock: Fix transport_* TOCTOU (CVE-2025-38461 bsc#1247103). - commit 916fdd6 - eventpoll: don't decrement ep refcount while still holding the ep mutex (bsc#1246777 CVE-2025-38349). - commit 6c5e857 - jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (bsc#1246253 CVE-2025-38337). - commit 4cfb834 - ext4: inline: fix len overflow in ext4_prepare_inline_data (bsc#1245976 CVE-2025-38222). - commit bdddb2f - ublk: santizize the arguments from userspace when adding a device (bsc#1245937 CVE-2025-38182). - commit c70260e - __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (bsc#1245151 CVE-2025-38058). - commit 5d79b46 - xfs: remove unused trace event xfs_reflink_cow_enospc (git-fixes). - commit 43f2e3c - xfs: only create event xfs_file_compat_ioctl when CONFIG_COMPAT is configure (git-fixes). - commit 90cf0ff - xfs: remove usused xfs_end_io_direct events (git-fixes). - commit 973d0e0 - xfs: remove unused event xfs_pagecache_inval (git-fixes). - commit 92f5436 - xfs: remove unused event xfs_alloc_near_nominleft (git-fixes). - commit cce777b - xfs: remove unused event xfs_alloc_near_error (git-fixes). - commit 5b572bf - xfs: remove unused event xfs_attr_node_removename (git-fixes). - commit 4753b23 - xfs: remove unused xfs_attr events (git-fixes). - commit 1b0cc0c - xfs: remove unused trace event xfs_attr_rmtval_set (git-fixes). - commit d855e56 - xfs: remove unused xfs_reflink_compare_extents events (git-fixes). - commit a7afc4b - xfs: remove unused event xfs_ioctl_clone (git-fixes). - commit b5dfc1b - xfs: remove unused event xlog_iclog_want_sync (git-fixes). - commit 217c9f9 - xfs: remove unused trace event xfs_attr_remove_iter_return (git-fixes). - commit 70b1bc5 - NFSD: detect mismatch of file handle and delegation stateid in OPEN op (git-fixes). - commit 00b51c6 - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (git-fixes). - commit b0cf612 - hfsplus: remove mutex_lock check in hfsplus_free_extents (git-fixes). - commit e14f374 - s390/entry: Fix last breaking event handling in case of stack corruption (git-fixes bsc#1243806). - commit d31e65a - hfs: make splice write available again (git-fixes). - commit 96498bf - hfsplus: make splice write available again (git-fixes). - commit 5121068 - Refresh patches.suse/btrfs-always-fallback-to-buffered-write-if-the-inode.patch. To remove an incorrectly generated file which is not utilized at all. - commit 8e57a15 - btrfs: fix non-empty delayed iputs list on unmount due to async workers (git-fixes). - commit 285c1f5 - btrfs: fix assertion when building free space tree (git-fixes). - commit a3fd65f - btrfs: fix iteration of extrefs during log replay (bsc#1247031 CVE-2025-38382). - commit 5e64fe6 - btrfs: fix missing error handling when searching for inode refs during log replay (git-fixes). - commit a8205e6 - rcu-tasks: Maintain lists to eliminate RCU-tasks/do_exit() (bsc#1246298) - commit 51bf729 - i2c: qup: jump out of the loop in case of timeout (git-fixes). - i2c: virtio: Avoid hang by using interruptible completion wait (git-fixes). - i2c: tegra: Fix reset error handling with ACPI (git-fixes). - commit 5a2e6c7 - btrfs: fix a race between renames and directory logging (bsc#1247023 CVE-2025-38365). - commit 322c28e - supported.conf: move nvme-apple to optional again - commit a3e3a0c - llist: add interface to check if a node is on a list (CVE-2025-38264 bsc#1246387). - commit f06e99c - nvme-tcp: sanitize request list handling (CVE-2025-38264 bsc#1246387). - commit 33933f9 - supported.conf: sort entries again - commit 2db834f - supported.conf: add missing entries for armv7hl - commit 3fcf489 - nilfs2: reject invalid file types when reading inodes (git-fixes). - commit b094111 - resource: fix false warning in __request_region() (git-fixes). - bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() (git-fixes). - USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition (stable-fixes). - USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI (stable-fixes). - USB: serial: option: add Foxconn T99W640 (stable-fixes). - iio: adc: max1363: Reorder mode_list[] entries (stable-fixes). - iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] (stable-fixes). - ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS (stable-fixes). - HID: core: do not bypass hid_hw_raw_request (stable-fixes). - HID: core: ensure the allocated report buffer can contain the reserved report ID (stable-fixes). - regulator: pwm-regulator: Calculate the output voltage for disabled PWMs (stable-fixes). - commit 829a426 - rpm/kernel-subpackage-spec: Skip brp-strip-debug to avoid file truncation (bsc#1246879) Put the same workaround to avoid file truncation of vmlinux and co in kernel-default-base package, too. - commit 2329734 - iommu/vt-d: Fix possible circular locking dependency (git-fixes). - commit 0774c7d - drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() (git-fixes). - drm/sched: Remove optimization that causes hang when killing dependent jobs (git-fixes). - platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots (git-fixes). - commit 0083a37 - iommu/vt-d: Fix system hang on reboot -f (git-fixes). - commit 034e69f - rpm/kernel-binary.spec.in: Ignore return code from ksymtypes compare When using suse-kabi-tools, the RPM build invokes 'ksymvers compare' to compare the resulting symbol CRCs with the reference data. If the values differ, it then invokes 'ksymtypes compare' to provide a detailed report explaining why the symbols differ. The build expects the latter 'ksymtypes compare' command to always return zero, even if the two compared kABI corpuses are different. This is currently the case for 'ksymtypes compare'. However, I plan to update the command to return a non-zero code when the comparison detects any differences. This should ensure consistent behavior with 'ksymvers compare'. Since the build uses 'ksymtypes compare' only for more detailed diagnostics, ignore its return code. - commit 5ac1381 - net: atm: fix /proc/net/atm/lec handling (CVE-2025-38180 bsc#1245970). - net: atm: add lec_mutex (CVE-2025-38323 bsc#1246473). - commit 1698a7c - KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (bsc#1239061 CVE-2025-21839). - commit fe1f630 - net: dsa: b53: do not enable EEE on bcm63xx (CVE-2025-38272 bsc#1246268). - commit ee16b59 - Refresh patches.suse/selftests-bpf-Clean-up-open-coded-gettid-syscall-inv.patch. Fix following BPF selftests compilation error due to missing dependency. /home/runner/work/libbpf/libbpf/.kernel/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c: In function ‘test_current_pid_tgid’: /home/runner/work/libbpf/libbpf/.kernel/tools/testing/selftests/bpf/prog_tests/ns_current_pid_tgid.c:31:9: error: invalid type argument of unary ‘*’ (have ‘pid_t’ {aka ‘int’}) 31 | *pid = sys_gettid(); | ^~~~ - commit d85d5ff - Delete patches.suse/selftests-bpf-Add-tests-for-sdiv-smod-overflow-cases.patch. The __arch_x86_64 macro is not yet supported in BPF selftests (depends on c64d2f72bf2e &quot;selftests/bpf: *_arch** macro to limit test cases to specific archs&quot;), so drop tests that uses it. - commit 55e800e - Bluetooth: hci_sync: Fix UAF on create_le_conn_complete (git-fixes). - commit 7a089da - hci_dev centralize extra lock (CVE-2025-38117 bsc#1245695). - commit 892de21 - Bluetooth: MGMT: Protect mgmt_pending list with its own lock (CVE-2025-38117 bsc#1245695). - commit e0d8b29 - Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once (CVE-2025-38117 bsc#1245695). - commit c86dd9a - Bluetooth: hci_core: Make hci_is_le_conn_scanning public (CVE-2025-38117 bsc#1245695). - Refresh patches.suse/Bluetooth-hci_sync-Use-QoS-to-determine-which-PHY-to.patch. - commit 566b348 - Bluetooth: hci_sync: Fix handling of HCI_OP_CREATE_CONN_CANCEL (git-fixes). - commit 79fc3de - gpiolib: of: Add polarity quirk for s5m8767 (stable-fixes). - gpio: vf610: add locking to gpio direction functions (git-fixes). - gpio: pca953x: log an error when failing to get the reset GPIO (git-fixes). - gpiolib: cdev: Ignore reconfiguration without direction (git-fixes). - gpiolib: acpi: Fix failed in acpi_gpiochip_find() by adding parent node match (bsc#1233300). - gpiolib: Fix debug messaging in gpiod_find_and_request() (git-fixes). - gpiolib: Handle no pin_ranges in gpiochip_generic_config() (git-fixes). - gpio: sim: include a missing header (git-fixes). - gpiolib: acpi: Don't use GPIO chip fwnode in acpi_gpiochip_find() (bsc#1233300). - commit 75afc01 - Bluetooth: MGMT: convert timeouts to secs_to_jiffies() (CVE-2025-38117 bsc#1245695). - commit 3e2758a - bluetooth: mgmt: convert timeouts to secs_to_jiffies() (CVE-2025-38117 bsc#1245695). - commit b8976eb - s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again (git-fixes bsc#1246870). - commit 8e4fb25 - Fix build warning Refresh patches.suse/mm-hugetlb-fix-DEBUG_LOCKS_WARN_ON-1-when-dissolve_f.patch. - commit ccb6e90 - Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT (git-fixes). - Refresh patches.suse/Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch. - commit 6f743e7 - Bluetooth: hci_sync: Attempt to dequeue connection attempt (git-fixes). - Refresh patches.suse/Bluetooth-L2CAP-Fix-slab-use-after-free-Read-in-l2ca.patch. - Refresh patches.suse/Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch. - Refresh patches.suse/Bluetooth-hci_sync-Fix-UAF-in-hci_acl_create_conn_sy.patch. - commit 22a7d25 - Bluetooth: hci_conn: Fix sending BT_HCI_CMD_LE_CREATE_CONN_CANCEL (git-fixes). - commit defb49e - Bluetooth: mgmt: remove NULL check in add_ext_adv_params_complete() (CVE-2025-38117 bsc#1245695). - Bluetooth: mgmt: remove NULL check in mgmt_set_connectable_complete() (CVE-2025-38117 bsc#1245695). - commit 3217653 - rcu-tasks: Initialize data to eliminate RCU-tasks/do_exit() (bsc#1246298) - commit 8136da5 - bluetooth: restore le_scan_restart in struct hci_dev (CVE-2025-38117 bsc#1245695). - commit 7e7eb69 - Bluetooth: hci_core: Remove le_restart_scan work (CVE-2025-38117 bsc#1245695). - commit 9530108 - Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (CVE-2025-38335 bsc#1246250). - commit 4b421f0 - rcu-tasks: Initialize callback lists at rcu_init() time (bsc#1246298) - commit d73116a - rcu-tasks: Add data to eliminate RCU-tasks/do_exit() (bsc#1246298) - commit ee26238 - Correctly put RDMA kabi patch into patches.kabi instead of patches.suse - commit 0433d1f - kABI workaround for bluetooth hci_dev changes (CVE-2025-38250 bsc#1246182). - commit 2bfeee5 - Bluetooth: hci_core: Fix use-after-free in vhci_flush() (CVE-2025-38250 bsc#1246182). - commit 45dea35 - selftests/bpf: Support more socket types in create_pair() (bsc#1239470 CVE-2025-21854). - selftests/bpf: Refactor out helper functions for a few tests (bsc#1239470 CVE-2025-21854). - commit 21d7fea - mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() (bsc#1225707 CVE-2024-36028). - commit ce47e5b - Delete patches.suse/selftest-bpf-Add-test-for-af_vsock-poll.patch. It requires the &quot;bpf_program__attach_sockmap&quot; API in libbpf, which isn't backported. - Refresh patches.suse/selftest-bpf-Add-vsock-test-for-sockmap-rejecting-un.patch - commit a7dddad - i2c: stm32: fix the device used for the DMA map (git-fixes). - usb: hub: Don't try to recover devices lost during warm reset (git-fixes). - usb: musb: fix gadget state on disconnect (git-fixes). - thunderbolt: Fix bit masking in tb_dp_port_set_hops() (git-fixes). - thunderbolt: Fix wake on connect at runtime (git-fixes). - pch_uart: Fix dma_sync_sg_for_device() nents value (git-fixes). - comedi: Fix initialization of data for instructions that write to subdevice (git-fixes). - comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (git-fixes). - comedi: das6402: Fix bit shift out of bounds (git-fixes). - comedi: aio_iiro_16: Fix bit shift out of bounds (git-fixes). - comedi: pcl812: Fix bit shift out of bounds (git-fixes). - comedi: das16m1: Fix bit shift out of bounds (git-fixes). - comedi: Fix some signed shift left operations (git-fixes). - comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (git-fixes). - iio: adc: ad7949: use spi_is_bpw_supported() (git-fixes). - iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush (git-fixes). - iio: adc: stm32-adc: Fix race in installing chained IRQ handler (git-fixes). - regmap: fix potential memory leak of regmap_bus (git-fixes). - Input: xpad - set correct controller type for Acer NGR200 (git-fixes). - commit 08dfa63 - jfs: Fix null-ptr-deref in jfs_ioc_trim (bsc#1246044 CVE-2025-38203). - commit e88ea13 - hwmon: (corsair-cpro) Validate the size of the received input buffer (git-fixes). - drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume (git-fixes). - soundwire: amd: fix for clearing command status register (git-fixes). - dmaengine: nbpfaxi: Fix memory corruption in probe() (git-fixes). - phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (git-fixes). - memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() (git-fixes). - mmc: bcm2835: Fix dma_unmap_sg() nents value (git-fixes). - mmc: sdhci_am654: Workaround for Errata i2312 (git-fixes). - mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models (git-fixes). - commit 0d9aae2 - net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (git-fixes). - commit fb42307 - ipv6: mcast: Delay put pmc-&gt;idev in mld_del_delrec() (git-fixes). - commit 505c14c - rpl: Fix use-after-free in rpl_do_srh_inline() (git-fixes). - commit 3342938 - af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() (git-fixes). - commit 877c186 - net/sched: sch_qfq: Fix race condition on qfq_aggregate (git-fixes). - commit 2e8a829 - kABI workaround for struct drm_framebuffer changes (git-fixes). - commit 7b3cefa - drm/framebuffer: Acquire internal references on GEM handles (git-fixes). - commit 736ff8d - Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU (git-fixes). - Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant without board ID (git-fixes). - Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout (git-fixes). - Bluetooth: SMP: If an unallowed command is received consider it a failure (git-fixes). - Bluetooth: hci_sync: fix connectable extended advertising when using static random address (git-fixes). - Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (git-fixes). - usb: net: sierra: check for no status endpoint (git-fixes). - net: phy: Don't register LEDs for genphy (git-fixes). - drm/gem: Fix race in drm_gem_handle_create_tail() (stable-fixes). - wifi: prevent A-MSDU attacks in mesh networks (stable-fixes). - Revert &quot;ACPI: battery: negate current when discharging&quot; (stable-fixes). - usb: cdnsp: Fix issue with CV Bad Descriptor test (git-fixes). - drm/gem: Acquire references on GEM handles for framebuffers (stable-fixes). - vt: add missing notification when switching back to text mode (stable-fixes). - ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic (stable-fixes). - ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 (stable-fixes). - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 (stable-fixes). - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY (stable-fixes). - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (stable-fixes). - net: usb: qmi_wwan: add SIMCom 8230C composition (stable-fixes). - usb: cdnsp: Replace snprintf() with the safer scnprintf() variant (stable-fixes). - usb:cdnsp: remove TRB_FLUSH_ENDPOINT command (stable-fixes). - commit b8ce602 - Refresh patches.suse/selftests-bpf-Add-tests-for-iter-next-method-returni.patch. Fix BPF selftests build failure in progs/iters_testmod.c due to missing definition of 'struct bpf_iter_task_vma' and 'bpf_iter_task_vma()'. - commit ca03a47 - ptp: fix breakage after ptp_vclock_in_use() rework (bsc#1246506). - commit 001cddf - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (git-fixes). - commit 9c296c1 - soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled (git-fixes). - soc: aspeed: lpc-snoop: Cleanup resources in stack-order (git-fixes). - HID: core: ensure __hid_request reserves the report ID as the first byte (git-fixes). - commit 5cd5cd3 - drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (CVE-2025-38188 bsc#1246098). - drm/msm/a6xx+: Insert a fence wait before SMMU table update (CVE-2025-38188 bsc#1246098). - commit e22ddaf - x86/iopl: Cure TIF_IO_BITMAP inconsistencies (CVE-2025-38100 bsc#1245650). - commit 143bbc6 - Bluetooth: eir: Fix possible crashes on eir_create_adv_data (CVE-2025-38303 bsc#1246354). - commit 89447f6 - btrfs: explicitly ref count block_group on new_bgs list (bsc#1243068) - commit 8647d2c - btrfs: make btrfs_discard_workfn() block_group ref explicit (bsc#1243068) - commit 32e19f5 - btrfs: harden block_group::bg_list against list_del() races (CVE-2025-37856 bsc#1243068) - commit 3333359 - btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (CVE-2025-38034 bsc#1244792) - commit 55c0ec4 - btrfs: do not BUG_ON() when freeing tree block after error (CVE-2024-44963 1230216) - commit d292416 - scsi: megaraid_sas: Fix invalid node index (CVE-2025-38239 bsc#1246178). - seg6: Fix validation of nexthop addresses (CVE-2025-38310 bsc#1246361). - x86/sgx: Prevent attempts to reclaim poisoned pages (CVE-2025-38334 bsc#1246384). - commit 740f6c2 - selftests/bpf: Add tests with stack ptr register in conditional jmp (bsc#1246264 CVE-2025-38279). - bpf: Do not include stack ptr register in precision backtracking bookkeeping (bsc#1246264 CVE-2025-38279). - Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch - commit ccc2c5b - bridge: mcast: Fix use-after-free during router port configuration (CVE-2025-38248 bsc#1246173). - net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping (CVE-2025-38126 bsc#1245708). - bpf: fix ktls panic with sockmap (CVE-2025-38166 bsc#1245758). - commit 01133bb - iommu/amd: Set the pgsize_bitmap correctly (git-fixes). - commit 8746ec5 - scsi: core: Enforce unlimited max_segment_size when virt_boundary_mask is set (git-fixes). - scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() (git-fixes). - scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() (git-fixes). - scsi: megaraid_sas: Fix invalid node index (git-fixes). - aoe: clean device rq_list in aoedev_downdev() (git-fixes). - md/md-bitmap: fix dm-raid max_write_behind setting (git-fixes). - commit 2e07501 - dm-bufio: fix sched in atomic context (git-fixes). - commit c664ddf - Update patches.suse/nvme-pci-fix-queue-unquiesce-check-on-slot_reset.patch (git-fixes bsc#1240885). - commit 08c0025 - perf: Fix sample vs do_exit() (bsc#1246547). - commit 5327721 - nvme-pci: refresh visible attrs after being checked (git-fixes). - nvme: Fix incorrect cdw15 value in passthru error logging (git-fixes). - commit c5d3460 - scsi: lpfc: Copyright updates for 14.4.0.10 patches (bsc#1245260 bsc#1243100 bsc#1246125). - commit 58f7c6e - scsi: lpfc: Update lpfc version to 14.4.0.10 (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Modify end-of-life adapters' model descriptions (bsc#1245260 bsc#1243100 bsc#1246125 bsc#1204142). - scsi: lpfc: Revise CQ_CREATE_SET mailbox bitfield definitions (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Move clearing of HBA_SETUP flag to before lpfc_sli4_queue_unset (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in dev_loss_tmo_callbk (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Relocate clearing initial phba flags from link up to link down hdlr (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Simplify error handling for failed lpfc_get_sli4_parameters cmd (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Early return out of FDMI cmpl for locally rejected statuses (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Skip RSCN processing when FC_UNLOADING flag is set (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Update debugfs trace ring initialization messages (bsc#1245260 bsc#1243100 bsc#1246125). - scsi: lpfc: Revise logging format for failed CT MIB requests (bsc#1245260 bsc#1243100 bsc#1246125). - commit 14dcfed - Update patches.suse/net-clear-the-dst-when-changing-skb-protocol.patch (bsc#1245954 CVE-2025-38192). Fix incorrect CVE reference. - commit 288e8f6 - drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() (bsc#1245951 CVE-2025-38187) - commit 62c6956 - bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() (bsc#1245980 CVE-2025-38202). - commit 630834e - selftest/bpf/benchs: Add benchmark for sockmap usage (bsc#1245749 CVE-2025-38154). - commit ac96089 - bpf, sockmap: Avoid using sk_socket after free when sending (bsc#1245749 CVE-2025-38154). - bpf, sockmap: Fix panic when calling skb_linearize (bsc#1245749 CVE-2025-38154). - bpf, sockmap: fix duplicated data transmission (bsc#1245749 CVE-2025-38154). - bpf, sockmap: Fix data lost during EAGAIN retries (bsc#1245749 CVE-2025-38154). - commit bc1361f - bpf: Fix memory leak in bpf_core_apply (git-fixes). - commit 44b4ba3 - bpf/selftests: Check errno when percpu map value size exceeds (git-fixes). - bpf: Check percpu map value size first (git-fixes). - commit 81feacb - bpftool: Fix undefined behavior caused by shifting into the sign bit (git-fixes). - commit 9363920 - ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212 bsc#1246029). - commit 9ff5b2e - calipso: unlock rcu before returning -EAFNOSUPPORT (CVE-2025-38147 bsc#1245768). - calipso: Don't call calipso functions for AF_INET sk (CVE-2025-38147 bsc#1245768). - commit 74ee184 - ucsi_operations: add stubs for all operations (git-fixes). - commit 1e9baf6 - drm/amd/display: Don't treat wb connector as physical in (bsc#1245654 CVE-2025-38098) - commit 277f764 - selftests/bpf: Add tests for iter next method returning valid pointer (git-fixes). - bpf: Make the pointer returned by iter next method valid (git-fixes). - commit fcdc4ee - hisi_acc_vfio_pci: bugfix live migration function without VF device driver (CVE-2025-38283 bsc#1246273). - configfs-tsm-report: Fix NULL dereference of tsm_ops (CVE-2025-38210 bsc#1246020). - commit eef28a4 - kasan: remove kasan_find_vm_area() to prevent possible deadlock (git-fixes). - maple_tree: fix mt_destroy_walk() on root leaf node (git-fixes). - commit aaacc92 - drm/tegra: nvdec: Fix dma_alloc_coherent error check (git-fixes). - nbd: fix uaf in nbd_genl_connect() error path (git-fixes). - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level (git-fixes). - net: phy: microchip: limit 100M workaround to link-down events on LAN88xx (git-fixes). - wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() (git-fixes). - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan (git-fixes). - wifi: mt76: mt7925: fix the wrong config for tx interrupt (git-fixes). - wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (git-fixes). - commit 067b949 - xfs: fix off-by-one error in fsmap's end_daddr usage (bsc#1235837). - commit 919d943 - hisi_acc_vfio_pci: fix XQE dma address error (CVE-2025-38158 bsc#1245750). - commit 373ef61 - i40e: fix MMIO write access to an invalid page in i40e_clear_hw (CVE-2025-38200 bsc#1246045). - net: cadence: macb: Fix a possible deadlock in macb_halt_tx (CVE-2025-38094 bsc#1245649). - commit 45301b8 - platform/x86: think-lmi: Create ksets consecutively (stable-fixes). - Refresh patches.suse/platform-x86-think-lmi-Fix-kobject-cleanup.patch. - commit 5072bed - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX (git-fixes). - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap (git-fixes). - Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected (git-fixes). - Bluetooth: hci_sync: Fix not disabling advertising instance (git-fixes). - usb: xhci: quirk for data loss in ISOC transfers (stable-fixes). - Logitech C-270 even more broken (stable-fixes). - Input: xpad - support Acer NGR 200 Controller (stable-fixes). - dma-buf: fix timeout handling in dma_resv_wait_timeout v2 (stable-fixes). - mmc: sdhci: Add a helper function for dump register in dynamic debug mode (stable-fixes). - ACPICA: Refuse to evaluate a method if arguments are missing (stable-fixes). - mtd: spinand: fix memory leak of ECC engine conf (stable-fixes). - ASoC: amd: yc: update quirk data for HP Victus (stable-fixes). - ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic (stable-fixes). - ALSA: sb: Force to disable DMAs once when DMA mode is changed (stable-fixes). - ALSA: sb: Don't allow changing the DMA mode during operations (stable-fixes). - drm/msm: Fix another leak in the submit error path (stable-fixes). - drm/msm: Fix a fence leak in submit error path (stable-fixes). - regulator: fan53555: add enable_time support and soft-start times (stable-fixes). - wifi: ath6kl: remove WARN on bad firmware input (stable-fixes). - wifi: mac80211: drop invalid source address OCB frames (stable-fixes). - ata: pata_cs5536: fix build on 32-bit UML (stable-fixes). - platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042 quirks list (stable-fixes). - Revert &quot;drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1&quot; (stable-fixes). - wifi: mac80211: Add link iteration macro for link data (stable-fixes). - wifi: mac80211: chan: chandef is non-NULL for reserved (stable-fixes). - commit 66a4a55 - net: clear the dst when changing skb protocol (bsc#1245954 CVE-2024-49861). - commit eed1284 - usb: typec: ucsi: Set orientation as none when connector is unplugged (git-fixes). - commit 9b64a84 - usb: typec: ucsi: glink: fix off-by-one in connector_status (git-fixes). - commit 63d64a6 - coresight: prevent deactivate active config while enabling the config (CVE-2025-38131 bsc#1245677). - coresight: holding cscfg_csdev_lock while removing cscfg from csdev (CVE-2025-38132 bsc#1245679). - commit f8db328 - ACPI: PRM: Reduce unnecessary printing to avoid user confusion (bsc#1246122). - commit f060328 - usb: typec: ucsi: Fix busy loop on ASUS VivoBooks (git-fixes). - usb: typec: ucsi: Fix the partner PD revision (git-fixes). - commit cb5cfe6 - restore UCSI_CONNECTOR_RESET_HARD definition (git-fixes). - commit 3a50af7 - usb: typec: ucsi: Add DATA_RESET option of Connector Reset command (git-fixes). - commit ebc917a - pinctrl: amd: Clear GPIO debounce for suspend (git-fixes). - pinctrl: qcom: msm: mark certain pins as invalid for interrupts (git-fixes). - commit 7a0a421 - efi/mokvar-table: Avoid repeated map/unmap of the same page (bsc#1240323 CVE-2025-21872). - commit a16e799 - usb: typec: ucsi: move ucsi_acknowledge() from ucsi_read_error() (git-fixes). - commit 9793505 - kabi: restore encap_sk in struct xfrm_state (CVE-2025-38097 bsc#1245660). - espintcp: remove encap socket caching to avoid reference leak (CVE-2025-38097 bsc#1245660). - commit 94f2735 - net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() (CVE-2025-38183 bsc#1246006). - commit 0eb12cd - net_sched: sch_sfq: fix a potential crash on gso_skb handling (CVE-2025-38115 bsc#1245689). - commit 6a4ffd3 - usb: typec: ucsi_acpi: Add LG Gram quirk (git-fixes). - commit da7fb49 - usb: typec: ucsi: don't retrieve PDOs if not supported (git-fixes). - commit d303a5e - usb: typec: ucsi: Delay alternate mode discovery (git-fixes). - commit b7ba22d - usb: typec: Update sysfs when setting ops (git-fixes). - commit b336d78 - usb: typec: ucsi: glink: increase max ports for x1e80100 (git-fixes). - commit 31de9c9 - ucsi_ops: adapt update_connector to kABI consistency (git-fixes). - usb: typec: ucsi: add update_connector callback (git-fixes). - blacklist.conf: needed for infrastructure. kABI fix added - Refresh patches.kabi/struct-ucsi_operations-use-padding-for-new-operation.patch. - Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch. - commit a70b9ee - ALSA: usb-audio: Kill timer properly at removal (CVE-2025-38105 bsc#1245682). - commit 2bf6099 - x86/process: Move the buffer clearing before MONITOR (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit 9303368 - usb: typec: ucsi: glink: use typec_set_orientation (git-fixes). - Refresh patches.suse/soc-qcom-pmic_glink-Fix-race-during-initialization.patch. - Refresh patches.suse/usb-typec-ucsi-glink-fix-child-node-release-in-probe.patch. - commit b105e3e - KVM: SVM: Advertise TSA CPUID bits to guests (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - commit 67b316f - Bluetooth: btusb: Fix regression in the initialization of fake Bluetooth controllers (CVE-2025-38099 bsc#1245671). - Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken (CVE-2025-38099 bsc#1245671). - Bluetooth: Add quirk for broken READ_PAGE_SCAN_TYPE (CVE-2025-38099 bsc#1245671). - Bluetooth: Add quirk for broken READ_VOICE_SETTING (CVE-2025-38099 bsc#1245671). - commit 254e65a - jfs: fix array-index-out-of-bounds read in add_missing_indices (bsc#1245983 CVE-2025-38204). - commit 65d9d7f - usb: typec: ucsi_glink: drop NO_PARTNER_PDOS quirk for sm8550 / sm8650 (git-fixes). - commit 380eca4 - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk on qcm6490 (git-fixes). - commit 3de42d7 - usb: typec: ucsi_glink: enable the UCSI_DELAY_DEVICE_PDOS quirk (git-fixes). - commit 2a3ce34 - usb: typec: ucsi_glink: rework quirks implementation (git-fixes). - commit b78f907 - usb: typec: ucsi: support delaying GET_PDOS for device (git-fixes). - Refresh patches.kabi/struct-usci-hide-additional-member.patch. - commit 95f3b03 - rpm/mkspec: Fix missing kernel-syms-rt creation (bsc#1244337) - commit 630f139 - usb: typec: ucsi: extract code to read PD caps (git-fixes). - commit ebc6c46 - usb: typec: ucsi: properly register partner's PD device (git-fixes). - commit 7b95fc1 - usb: typec: ucsi: fix UCSI on SM8550 &amp; SM8650 Qualcomm devices (git-fixes). - commit c40444f - usb: typec: ucsi: Add qcm6490-pmic-glink as needing PDOS quirk (git-fixes). - commit 46f5c2a - ucsi_ccg: Refine the UCSI Interrupt handling (git-fixes). - commit e97f436 - exfat: fix double free in delayed_free (bsc#1246073 CVE-2025-38206). - commit 38c1950 - usb: typec: ucsi: Get PD revision for partner (git-fixes). - commit a80ec70 - x86/bugs: Add a Transient Scheduler Attacks mitigation (bsc#1238896 CVE-2024-36350 CVE-2024-36357 CVE-2024-36348 CVE-2024-36349). - Update config files. - commit 45d6a14 - pwm: mediatek: Ensure to disable clocks in error path (git-fixes). - ASoC: cs35l56: probe() should fail if the device ID is not recognized (git-fixes). - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode (git-fixes). - commit 5b2c070 - dm-raid: fix variable in journal device check (git-fixes). - commit 7e51a3f - dm-verity: fix a memory leak if some arguments are specified multiple times (git-fixes). - commit 18c3347 - dm-mirror: fix a tiny race condition (git-fixes). - commit 6d6aef6 - dm-flakey: make corrupting read bios work (git-fixes). - commit bbf383a - dm-flakey: error all IOs when num_features is absent (git-fixes). - commit d4d758e - dm: free table mempools if not used in __bind (git-fixes). - commit 6abd700 - dm: don't change md if dm_table_set_restrictions() fails (git-fixes). - commit 0d534aa - dm: restrict dm device size to 2^63-512 bytes (git-fixes). - commit 240dadc - virtgpu: don't reset on shutdown (git-fixes). - commit 82f42df - kernel/fork: only call untrack_pfn_clear() on VMAs duplicated for fork() (git-fix for CVE-2025-22090 bsc#1241537). - commit 852f7f4 - netfilter: nft_set_pipapo: prevent overflow in lookup table allocation (CVE-2025-38162 bsc#1245752). - commit c7520cc - efi: Don't map the entire mokvar table to determine its size (bsc#1240323 CVE-2025-21872). - commit aefffb0 - ucsi-glink: adapt to kABI consistency (git-fixes). - usb: typec: ucsi: glink: move GPIO reading into connector_status callback (git-fixes). - Refresh patches.suse/usb-typec-ucsi-Move-unregister-out-of-atomic-section.patch. - commit 8ae6c79 - vhost-scsi: protect vq-&gt;log_used with vq-&gt;mutex (CVE-2025-38074 bsc#1244735). - commit 29ecfb7 - struct ucsi_operations: use padding for new operation (git-fixes). - commit 5fe6bda - crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() (CVE-2025-37984 bsc#1243669). - commit 4115893 - virtio: break and reset virtio devices on device_shutdown() (CVE-2025-38064 bsc#1245201). - commit 1ef712f - usb: typec: ucsi: add callback for connector status updates (git-fixes). - blacklist.conf: needed as infrastructure. kABI workaround following - Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch. - Refresh patches.suse/usb-typec-ucsi-displayport-Fix-deadlock.patch. - commit de5a5b0 - struct cdns: move new member to the end (git-fixes). - commit 4384b08 - usb: cdnsp: Fix issue with resuming from L1 (git-fixes). - commit c8b7c96 - net: dsa: clean up FDB, MDB, VLAN entries on unbind (CVE-2025-37864 bsc#1242965). - commit d1f463e - NFSv4: Always set NLINK even if the server doesn't support it (git-fixes). - commit 84005c5 - NFSv4.2: fix listxattr to return selinux security label (git-fixes). - commit 0319baa - NFSv4: xattr handlers should check for absent nfs filehandles (git-fixes). - commit 80ac5a3 - sunrpc: don't immediately retransmit on seqno miss (git-fixes). - commit ceebf6f - fs/jfs: consolidate sanity checking in dbMount (git-fixes). - commit 5c4bc1b - objtool: Ignore end-of-section jumps for KCOV/GCOV (git-fixes). - commit e383ffb - objtool: Silence more KCOV warnings, part 2 (git-fixes). - commit ddae9d6 - netfilter: nf_set_pipapo_avx2: fix initial map fill (git-fixes CVE-2024-57947 bsc#1236333). - commit cedcb24 - usb: typec: displayport: Fix potential deadlock (git-fixes). - commit a45e2f9 - drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type (git-fixes). - ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 (stable-fixes). - Bluetooth: L2CAP: Fix L2CAP MTU negotiation (stable-fixes). - drm/amdkfd: Fix race in GWS queue scheduling (stable-fixes). - ASoC: codecs: wcd9335: Fix missing free of regulator supplies (git-fixes). - ALSA: hda: Ignore unsol events for cards being shut down (stable-fixes). - ALSA: hda: Add new pci id for AMD GPU display HD audio controller (stable-fixes). - usb: dwc2: also exit clock_gating when stopping udc while suspended (stable-fixes). - usb: potential integer overflow in usbg_make_tpg() (stable-fixes). - usb: common: usb-conn-gpio: use a unique name for usb connector device (stable-fixes). - usb: Add checks for snprintf() calls in usb_alloc_dev() (stable-fixes). - usb: cdc-wdm: avoid setting WDM_READ for ZLP-s (stable-fixes). - usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode (stable-fixes). - usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set (stable-fixes). - iio: pressure: zpa2326: Use aligned_s64 for the timestamp (stable-fixes). - iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos (stable-fixes). - drm/scheduler: signal scheduled fence when kill job (stable-fixes). - amd/amdkfd: fix a kfd_process ref leak (stable-fixes). - drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram (stable-fixes). - dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using (stable-fixes). - dmaengine: xilinx_dma: Set dma_device directions (stable-fixes). - PCI: dwc: Make link training more robust by setting PORT_LOGIC_LINK_WIDTH to one lane (stable-fixes). - leds: multicolor: Fix intensity setting while SW blinking (stable-fixes). - mfd: max14577: Fix wakeup source leaks on device unbind (stable-fixes). - hwmon: (pmbus/max34440) Fix support for max34451 (stable-fixes). - drm/bridge: ti-sn65dsi86: make use of debugfs_init callback (stable-fixes). - ASoC: codec: wcd9335: Convert to GPIO descriptors (stable-fixes). - types: Complement the aligned types with signed 64-bit one (stable-fixes). - ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() (stable-fixes). - commit 9aa1e05 - i2c/designware: Fix an initialization issue (git-fixes). - commit d80f186 - powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed (git-fixes). - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (git-fixes). - spi: spi-fsl-dspi: Clear completion counter before initiating transfer (git-fixes). - platform/x86: think-lmi: Fix sysfs group cleanup (git-fixes). - platform/x86: think-lmi: Fix kobject cleanup (git-fixes). - platform/mellanox: mlxreg-lc: Fix logic error in power state check (git-fixes). - platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks (git-fixes). - platform/mellanox: nvsw-sn2201: Fix bus number in adapter error message (git-fixes). - platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1 (git-fixes). - platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment (git-fixes). - xhci: dbc: Flush queued requests before stopping dbc (git-fixes). - xhci: dbctty: disable ECHO flag by default (git-fixes). - xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS (git-fixes). - usb: typec: altmodes/displayport: do not index invalid pin_assignments (git-fixes). - Revert &quot;usb: xhci: Implement xhci_handshake_check_state() helper&quot; (git-fixes). - usb: xhci: Skip xhci_reset in xhci_resume if xhci is being removed (git-fixes). - usb: gadget: u_serial: Fix race condition in TTY wakeup (git-fixes). - usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume (git-fixes). - usb: cdnsp: do not disable slot for disabled slot (git-fixes). - Input: iqs7222 - explicitly define number of external channels (git-fixes). - Input: xpad - adjust error handling for disconnect (git-fixes). - drm/exynos: fimd: Guard display clock control with runtime PM calls (git-fixes). - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (git-fixes). - drm/i915/gsc: mei interrupt top half should be in irq disabled context (git-fixes). - drm/i915/gt: Fix timeline left held on VMA alloc error (git-fixes). - drm/i915/selftests: Change mock_request() to return error pointers (git-fixes). - drm/sched: Increment job count before swapping tail spsc queue (git-fixes). - drm/bridge: panel: move prepare_prev_first handling to drm_panel_bridge_add_typed (git-fixes). - drm/ttm: fix error handling in ttm_buffer_object_transfer (git-fixes). - powercap: call put_device() on an error path in powercap_register_control_type() (stable-fixes). - commit d0cb71b - dm: fix unconditional IO throttle caused by REQ_PREFLUSH (CVE-2025-38063 bsc#1245202). - commit 65fa7b7 - smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051 bsc#1244750). - commit 0f203bf - cgroup,freezer: fix incomplete freezing when attaching tasks (bsc#1245789). - commit 1970df7 - cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (bsc#1241166). - commit 86012b8 - objtool: Stop UNRET validation on UD2 (git-fixes). - commit 0be0bc6 - objtool: Fix INSN_CONTEXT_SWITCH handling in validate_unret() (git-fixes). - commit f1073e2 - objtool: Properly disable uaccess validation (git-fixes). - commit b170301 - mm/memory-failure: fix handling of dissolved but not taken off from buddy pages (CVE-2024-39298 bsc#1227082). Refreshed: blacklist.conf: De-blacklist 8cf360b9d6a840700e06864236a01a883b34bbad - commit 1d1f80f - rose: fix dangling neighbour pointers in rose_rt_device_down() (git-fixes). - Bluetooth: MGMT: mesh_send: check instances prior disabling advertising (git-fixes). - Bluetooth: MGMT: set_mesh: update LE scan interval and window (git-fixes). - Bluetooth: hci_sync: revert some mesh modifications (git-fixes). - Bluetooth: Prevent unintended pause by checking if advertising is active (git-fixes). - net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (git-fixes). - commit 9d01c7e - objtool: Silence more KCOV warnings (git-fixes). - commit 246e013 - objtool: Fix error handling inconsistencies in check() (git-fixes). - commit 2b123dd - objtool: Ignore dangling jump table entries (git-fixes). - commit 694bcb3 - objtool: Fix UNWIND_HINT_{SAVE,RESTORE} across basic blocks (git-fixes). - commit 24df4fe - x86/tdx: Fix __noreturn build warning around __tdx_hypercall_failed() (git-fixes). - Refresh patches.suse/x86-virt-tdx-Define-TDX-supported-page-sizes-as-macros.patch. - commit 741a25e - objtool: Fix _THIS_IP_ detection for cold functions (git-fixes). - commit b2539b9 - nvmet-tcp: don't restore null sk_state_change (bsc#1244801 CVE-2025-38035). - commit a1cc55e - s390/pci: Fix stale function handles in error handling (git-fixes bsc#1245647). - commit 1f0ecfd - s390/pci: Do not try re-enabling load/store if device is disabled (git-fixes bsc#1245646). - commit a7a5884 - NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (git-fixes). - commit cbe692c - nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails (git-fixes). - commit 29c2a95 - IB/mlx5: Fix potential deadlock in MR deregistration (git-fixes) - commit a31c762 - RDMA/mlx5: Fix vport loopback for MPV device (git-fixes) - commit 50aa3ad - RDMA/mlx5: Fix CC counters query for MPV (git-fixes) - commit 6fac6aa - RDMA/mlx5: Fix HW counters query for non-representor devices (git-fixes) - commit f645a5e - RDMA/mlx5: Initialize obj_event-&gt;obj_sub_list before xa_insert (git-fixes) - commit 9bf32eb - mtk-sd: reset host-&gt;mrq on prepare_data() error (git-fixes). - commit 85b8654 - Revert &quot;mmc: sdhci: Disable SD card clock before changing parameters&quot; (git-fixes). - mtk-sd: Prevent memory corruption from DMA map failure (git-fixes). - mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data (git-fixes). - mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier (git-fixes). - commit 4977a9e - kABI workaround for xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). - commit 2cbaa5f - xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920 bsc#1243479). - commit b0fed9b - bpf, sockmap: Fix sk_msg_reset_curr (git-fixes). - commit 3936762 - scsi: s390: zfcp: Ensure synchronous unit_add (git-fixes bsc#1245599). - commit 4cb28a8 - s390/pkey: Prevent overflow in size calculation for memdup_user() (git-fixes bsc#1245598). - commit 458c9d8 - s390: Add z17 elf platform (LTC#214086 bsc#1245540). - commit a338278 - rpm: Drop support for kabi/arch/ignore-flavor (bsc#1249186) It's not used in any active branches and it cannot solve contemporary problems. - commit f86a16a - net: pktgen: fix access outside of user given buffer in pktgen_thread_write() (CVE-2025-38061 bsc#1245440). - commit 386f111 - net: tipc: fix refcount warning in tipc_aead_encrypt (CVE-2025-38052 bsc#1244749). - net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done (CVE-2025-38052 bsc#1244749). - commit 39309cf - r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes). - commit 9bd4e20 - net: vlan: don't propagate flags on open (CVE-2025-23163 bsc#1242837). - commit a49d71b - rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes). - commit d8e756f - add bug reference to existing hv_storvsc change (bsc#1245455). - net: mana: Record doorbell physical address in PF mode (bsc#1244229). - commit 1c553b0 - kernel-obs-qa: Do not depend on srchash when qemu emulation is used In this case the dependency is never fulfilled Fixes: 485ae1da2b88 (&quot;kernel-obs-qa: Use srchash for dependency as well&quot;) - commit a840f87 - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes). - commit 784f61d - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431). - commit dd145d5 - netlink: specs: dpll: replace underscores with dashes in names (git-fixes). - bnxt: properly flush XDP redirect lists (git-fixes). - e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes). - net: ice: Perform accurate aRFS flow match (git-fixes). - net/mlx5e: Fix leak of Geneve TLV option object (git-fixes). - net/mlx5: Fix return value when searching for existing flow group (git-fixes). - net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes). - net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes). - i40e: retry VFLR handling if there is ongoing VF reset (git-fixes). - i40e: return false from i40e_reset_vf if reset is in progress (git-fixes). - gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes). - ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes). - ice: create new Tx scheduler nodes for new queues only (git-fixes). - ice: fix Tx scheduler error handling in XDP callback (git-fixes). - net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes). - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes). - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes). - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes). - idpf: fix null-ptr-deref in idpf_features_check (CVE-2025-38053 bsc#1244746). - ice: Fix LACP bonds without SRIOV environment (git-fixes). - ice: fix vf-&gt;num_mac count with port representors (git-fixes). - devlink: fix port dump cmd type (git-fixes). - devlink: Fix referring to hw_addr attribute during state validation (git-fixes). - netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes). - commit 6dccf5f - mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431). - commit bf8eb79 - bpf: Add a possibly-zero-sized read test (git-fixes). - bpf: Simplify checking size of helper accesses (git-fixes). - commit 04f6dc5 - staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes). - serial: imx: Restore original RXTL for console to fix data loss (git-fixes). - commit 652de47 - drm/amdgpu: csa unmap use uninterruptible lock (CVE-2025-38011 bsc#1244729). - commit d370e7c - selftests/bpf: Fix prog numbers in test_sockmap (git-fixes). - bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer (git-fixes). - commit fadce21 - bpf: fix order of args in call to bpf_map_kvcalloc (git-fixes). - bpf: Harden __bpf_kfunc tag against linker kfunc removal (git-fixes). - compiler_types.h: Define __retain for __attribute__((__retain__)) (git-fixes). - powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH (git-fixes). - commit e32b4e5 - bpf: Fix potential integer overflow in resolve_btfids (git-fixes). - commit 7ce99c9 - selftests/bpf: Fix a few tests for GCC related warnings (git-fixes). - selftests/bpf: Change functions definitions to support GCC (git-fixes). - selftests/bpf: Add CFLAGS per source file and runner (git-fixes). - bpf: Disable some `attribute ignored' warnings in GCC (git-fixes). - bpf: Avoid __hidden__ attribute in static object (git-fixes). - selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect (git-fixes). - commit 71918be - bpftool: Mount bpffs on provided dir instead of parent dir (git-fixes). - commit 1bba21b - bpftool: Remove unnecessary source files from bootstrap version (git-fixes). - bpf/lpm_trie: Inline longest_prefix_match for fastpath (git-fixes). - commit 99d4fb6 - bpftool: Fix missing pids during link show (git-fixes). - bpf: sockmap, updating the sg structure should also update curr (git-fixes). - commit 2322e0e - i2c: tiny-usb: disable zero-length read messages (git-fixes). - i2c: robotfuzz-osif: disable zero-length read messages (git-fixes). - drm/i915: fix build error some more (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes). - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes). - ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes). - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes). - ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes). - ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes). - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes). - watchdog: da9052_wdt: respect TWDMIN (stable-fixes). - watchdog: fix watchdog may detect false positive of softlockup (stable-fixes). - fbcon: Make sure modelist not set on unregistered console (stable-fixes). - bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes). - i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes). - i2c: npcm: Add clock toggle recovery (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes). - pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes). - pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes). - software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes). - wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes). - wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes). - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes). - wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes). - wifi: ath12k: fix a possible dead lock caused by ab-&gt;base_lock (stable-fixes). - wifi: ath11k: Fix QMI memory reuse logic (stable-fixes). - wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes). - wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes). - wifi: iwlwifi: pcie: make sure to lock rxq-&gt;read (stable-fixes). - wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes). - wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes). - wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes). - wifi: ath12k: fix incorrect CE addresses (stable-fixes). - wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes). - wifi: mac80211: VLAN traffic in multicast path (stable-fixes). - wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes). - usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes). - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes). - ACPI: battery: negate current when discharging (stable-fixes). - ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes). - ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes). - ACPICA: fix acpi parse and parseext cache leaks (stable-fixes). - ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes). - ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes). - mmc: Add quirk to disable DDR50 tuning (stable-fixes). - power: supply: bq27xxx: Retrieve again when busy (stable-fixes). - power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes). - ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes). - ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes). - ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes). - Input: sparcspkr - avoid unannotated fall-through (stable-fixes). - commit 0dc7dde - Update patches.suse/HID-uclogic-Add-NULL-check-in-uclogic_input_configur.patch (git-fixes CVE-2025-38007 bsc#1244938). - Update patches.suse/RDMA-core-Fix-KASAN-slab-use-after-free-Read-in-ib_r.patch (git-fixes CVE-2025-38022 bsc#1245003). - Update patches.suse/RDMA-rxe-Fix-slab-use-after-free-Read-in-rxe_queue_c.patch (git-fixes CVE-2025-38024 bsc#1245025). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-csu.patch (bsc#1243342 CVE-2025-38059 bsc#1244759). - Update patches.suse/btrfs-avoid-NULL-pointer-dereference-if-no-valid-ext.patch (bsc#1236208 CVE-2025-21658). - Update patches.suse/can-bcm-add-locking-for-bcm_op-runtime-updates.patch (git-fixes CVE-2025-38004 bsc#1244274). - Update patches.suse/can-bcm-add-missing-rcu-read-protection-for-procfs-c.patch (git-fixes CVE-2025-38003 bsc#1244275). - Update patches.suse/crypto-algif_hash-fix-double-free-in-hash_accept.patch (git-fixes CVE-2025-38079 bsc#1245217). - Update patches.suse/crypto-lzo-Fix-compression-buffer-overrun.patch (stable-fixes CVE-2025-38068 bsc#1245210). - Update patches.suse/dmaengine-idxd-Refactor-remove-call-with-idxd_cleanu.patch (git-fixes CVE-2025-38014 bsc#1244732). - Update patches.suse/dmaengine-idxd-fix-memory-leak-in-error-handling-pat-46a5cca.patch (git-fixes CVE-2025-38015 bsc#1244789). - Update patches.suse/dmaengine-ti-k3-udma-Add-missing-locking.patch (git-fixes CVE-2025-38005 bsc#1244727). - Update patches.suse/drm-amd-display-Increase-block_sequence-array-size.patch (stable-fixes CVE-2025-38080 bsc#1244738). - Update patches.suse/ext4-goto-right-label-out_mmap_sem-in-ext4_setattr.patch (bsc#1242556 CVE-2025-22120 bsc#1241592). - Update patches.suse/firmware-arm_ffa-Set-dma_mask-for-ffa-devices.patch (stable-fixes CVE-2025-38043 bsc#1245081). - Update patches.suse/media-cx231xx-set-device_caps-for-417.patch (stable-fixes CVE-2025-38044 bsc#1245082). - Update patches.suse/net-handshake-Fix-handshake_req_destroy_test1.patch (git-fixes CVE-2024-26831 bsc#1223008). - Update patches.suse/net-mlx5e-Disable-MACsec-offload-for-uplink-represen.patch (git-fixes CVE-2025-38020 bsc#1245001). - Update patches.suse/net_sched-prio-fix-a-race-in-prio_tune.patch (git-fixes CVE-2025-38083 bsc#1245183). - Update patches.suse/nfs-handle-failure-of-nfs_get_lock_context-in-unlock-path.patch (git-fixes CVE-2025-38023 bsc#1245004). - Update patches.suse/orangefs-Do-not-truncate-file-size.patch (git-fixes CVE-2025-38065 bsc#1244906). - Update patches.suse/padata-do-not-leak-refcount-in-reorder_work.patch (git-fixes CVE-2025-38031 bsc#1245046). - Update patches.suse/phy-tegra-xusb-Use-a-bitmask-for-UTMI-pad-power-stat.patch (git-fixes CVE-2025-38010 bsc#1244996). - Update patches.suse/platform-x86-dell-wmi-sysman-Avoid-buffer-overflow-i.patch (git-fixes CVE-2025-38077 bsc#1244736). - Update patches.suse/regulator-max20086-fix-invalid-memory-access.patch (git-fixes CVE-2025-38027 bsc#1245042). - Update patches.suse/s390-pci-Fix-duplicate-pci_dev_put-in-disable_slot-w.patch (git-fixes bsc#1244145 CVE-2025-37946 bsc#1243506). - Update patches.suse/s390-pci-fix-potential-double-remove-of-hotplug-slot.patch (bsc#1244145 CVE-2024-56699 bsc#1235490). - Update patches.suse/sched-numa-fix-memory-leak-due-to-the-overwritten-vma-numab_state.patch (git fixes (sched/numa) CVE-2024-56613 bsc#1244176). - Update patches.suse/serial-mctrl_gpio-split-disable_ms-into-sync-and-no_.patch (git-fixes CVE-2025-38040 bsc#1245078). - Update patches.suse/spi-rockchip-Fix-register-out-of-bounds-access.patch (stable-fixes CVE-2025-38081 bsc#1244739). - Update patches.suse/usb-typec-ucsi-displayport-Fix-NULL-pointer-access.patch (git-fixes CVE-2025-37994 bsc#1243823). - Update patches.suse/vhost-scsi-Fix-handling-of-multiple-calls-to-vhost_s.patch (git-fixes CVE-2025-22083 bsc#1241414). - Update patches.suse/wifi-cfg80211-fix-out-of-bounds-access-during-multi-.patch (git-fixes CVE-2025-37973 bsc#1244172). - Update patches.suse/wifi-iwlwifi-fix-debug-actions-order.patch (stable-fixes CVE-2025-38045 bsc#1245083). - Update patches.suse/wifi-mac80211-Set-n_channels-after-allocating-struct.patch (git-fixes CVE-2025-38013 bsc#1244731). - Update patches.suse/wifi-mt76-disable-napi-on-driver-removal.patch (git-fixes CVE-2025-38009 bsc#1244995). - commit fee1c31 - HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes). - HID: wacom: fix kobject reference count leak (git-fixes). - HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes). - HID: wacom: fix memory leak on kobject creation failure (git-fixes). - wifi: mac80211: fix beacon interval calculation overflow (git-fixes). - commit 8d2d6ad - scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes). - net: mana: Add support for Multi Vports on Bare metal (bsc#1244229). - scsi: storvsc: Don't report the host packet status as the hv status (git-fixes). - commit cde971c - Refresh patches.kabi/bpf-bpf_link-and-bpf_link_ops-kABI-workaround.patch. - Refresh patches.kabi/bpf-enum-bpf_type_flag_arg_type-workaround.patch. - Refresh patches.kabi/bpf-struct-bpf_insn_access_aux-workaround.patch. - Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch. - Refresh patches.kabi/kabi-fix-for-bpf-Prevent-tailcall-infinite-loop-caus.patch. - Refresh patches.kabi/kabi-fix-kabi-for-its.patch. - Refresh patches.kabi/kabi-hide-new-member-fallback_lock-in-struct-mptcp_s.patch. - Refresh patches.kabi/kabi-restore-layout-of-struct-mem_control.patch. - Refresh patches.kabi/kabi-restore-layout-of-struct-page_counter.patch. - Refresh patches.kabi/xsk-Fix-race-condition-in-AF_XDP-generic-RX-path.patch. - Refresh patches.kabi/kabi-s390-ism-fix-concurrency-management-in-ism_cmd.patch - Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch. Automated edit git grep -l static_assert patches.kabi/ | xargs sed -i 's/static_assert/suse_kabi_static_assert/' and manual refresh of patches.kabi/bpf-verifier-kABI-workarounds.patch. - commit cb49aa2 - btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes). - btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes). - btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes). - commit 9370aa3 - btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes). - commit 59b0f84 - btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes). - commit b11e8b5 - btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes). - commit e13d6e0 - ntp: Remove invalid cast in time offset math (git-fixes) - commit 92649f3 - timekeeping: Fix bogus clock_was_set() invocation in (git-fixes) - commit 17fecee - ntp: Safeguard against time_constant overflow (git-fixes) - commit fb90573 - ntp: Clamp maxerror and esterror to operating range (git-fixes) - commit 947fc29 - clocksource: Fix brown-bag boolean thinko in (git-fixes) - commit f65bb99 - clocksource: Make watchdog and suspend-timing multiplication (git-fixes) - commit a87f573 - timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes) - commit 1a57489 - timekeeping: Fix cross-timestamp interpolation corner case (git-fixes) - commit dc250ae - timekeeping: Fix cross-timestamp interpolation on counter (git-fixes) - commit 4e863aa - Refresh patches.kabi/kabi-restore-layout-of-struct-mem_control.patch. - commit 5049495 - kabi: restore layout of struct cgroup_subsys (bsc#1241166). - commit 2014732 - cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166). - commit 36dffbc - fgraph: Still initialize idle shadow stacks when starting (git-fixes). - commit 1697414 - tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes). - commit a8fd69f - tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes). - commit f73056c - tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes). - commit 23262fc - trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes). - commit b4e63e6 - bpf: Force uprobe bpf program to always return 0 (git-fixes). - commit 90effed - uprobes: Use kzalloc to allocate xol area (git-fixes). - Refresh patches.suse/uprobes-introduce-the-global-struct-vm_special_mapping-xol_mapping.patch. - commit 30d8536 - bpf: abort verification if env-&gt;cur_state-&gt;loop_entry != NULL (CVE-2025-38060 bsc#1245155). - Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch. - commit c80eca0 - selftests/bpf: check states pruning for deeply nested iterator (CVE-2025-38060 bsc#1245155). - bpf: don't do clean_live_states when state-&gt;loop_entry-&gt;branches &gt; 0 (CVE-2025-38060 bsc#1245155). - commit f0d9333 - vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626). - commit 0aa445e - vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626). - commit 44584be - vmxnet3: update MTU after device quiesce (bsc#1244626). - commit 14400a7 - scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes). - commit 11611ac - tracing: Fix compilation warning on arm32 (bsc#1243551). - commit bc2f48d - tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923 bsc#1243551). - commit ff6a777 - ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes). - commit 07065f3 - bpf: copy_verifier_state() should copy 'loop_entry' field (CVE-2025-38060 bsc#1245155). - Refresh patches.kabi/bpf-verifier-kABI-workarounds.patch. - commit 815fadf - selftests/bpf: test correct loop_entry update in copy_verifier_state (CVE-2025-38060 bsc#1245155). - commit b2e3449 - tracing: Fix use-after-free in print_graph_function_flags during tracer switching (CVE-2025-22035 bsc#1241544). - commit b6d43f4 - bpf: Fix deadlock between rcu_tasks_trace and event_mutex (CVE-2025-37884 bsc#1243060). - commit 7f690ab - truct dwc3 hide new member wakeup_pending_funcs (git-fixes). - commit 84579a6 - kabi: restore layout of struct page_counter (jsc#PED-12551). - commit ef34a22 - usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes). - commit 39cb14b - ucsi_debugfs_entry: hide signedness change (git-fixes). - commit 154816e - usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes). - Refresh patches.suse/paddings-add-paddings-to-TypeC-stuff.patch. - commit 40f2bc3 - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes). - commit b5678d7 - net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538) - commit 416e192 - hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes). - hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes). - commit 53b0cf2 - Update reference for patches.suse/net_sched-sch_sfq-use-a-temporary-work-area-for-vali.patch (bsc#1242504) - commit 8730da1 - s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228). - commit e4f3ff4 - s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226). - commit 7cf700b - ceph: fix memory leaks in __ceph_sync_read() (git-fixes). - Refresh patches.suse/ceph-improve-error-handling-and-short-overflow-read-.patch. - commit 04880f5 - ceph: allocate sparse_ext map only for sparse reads (git-fixes). - commit e7c7fa7 - ceph: Fix incorrect flush end position calculation (git-fixes). - commit 626f897 - KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225). - commit 7cc3455 - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (CVE-2025-37927 bsc#1243620). - commit 4916f47 - nvme-fc: do not reference lsrsp after failure (bsc#1245193). - nvmet-fcloop: don't wait for lport cleanup (bsc#1245193). - nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193). - nvmet-fc: take tgtport refs for portentry (bsc#1245193). - nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193). - nvmet-fcloop: drop response if targetport is gone (bsc#1245193). - nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193). - nvmet-fcloop: prevent double port deletion (bsc#1245193). - nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193). - nvmet-fcloop: update refs on tfcp_req (bsc#1245193). - nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193). - nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193). - nvmet-fcloop: remove nport from list on last user (bsc#1245193). - nvmet-fcloop: track ref counts for nports (bsc#1245193). - commit 20104c4 - Remove host-memcpy-hack.h This might have been usefult at some point but we have more things that depend on specific library versions today. - commit 0396c23 - Remove compress-vmlinux.sh /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in pesign-obs-integration during SLE12 RC. This workaround can be removed. - commit 19caac0 - Remove try-disable-staging-driver The config for linux-next is autogenerated from master config, and defaults filled for missing options. This is unlikely to enable any staging driver in the first place. - commit a6f21ed - nvme: always punt polled uring_cmd end_io work to task_work (git-fixes). - nvme: fix implicit bool to flags conversion (git-fixes). - commit 36de06b - net/tls: fix kernel panic when alloc_page failed (CVE-2025-38018 bsc#1244999). - commit 1124110 - espintcp: fix skb leaks (CVE-2025-38057 bsc#1244862). - commit dffbfd5 - nvme: fix command limits status code (git-fixes). - nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes). - nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes). - nvme-pci: add quirks for device 126f:1001 (git-fixes). - commit 990928c - sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes). - commit afe6d07 - x86/microcode/AMD: Add get_patch_level() (git-fixes). - commit 73bb23d - x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes). - commit c818693 - x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes). - commit 761df14 - x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes). - commit d6c2d35 - x86/microcode: Consolidate the loader enablement checking (git-fixes). - commit d0fff01 - scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes). - md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes). - commit cbd3a76 - PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes). - commit 871b129 - gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes). - ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes). - drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes). - drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes). - drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes). - drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes). - drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes). - drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes). - drm/msm/disp: Correct porch timing for SDM845 (git-fixes). - commit 3df7edd - libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743, CVE-2025-38072). - commit 42a394c - kabi: restore layout of struct mem_control (jsc#PED-12551). - commit e948e2e - mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551). - mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551). - commit 97c4d37 - can: tcan4x5x: fix power regulator retrieval during probe (git-fixes). - commit 5798451 - wifi: carl9170: do not ping device which has failed to load firmware (git-fixes). - NFC: nci: uart: Set tty-&gt;disc_data only in success path (git-fixes). - hwmon: (occ) fix unaligned accesses (git-fixes). - hwmon: (occ) Rework attribute registration for stack usage (git-fixes). - hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes). - wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes). - wifi: ath11k: don't wait when there is no vdev started (git-fixes). - wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process() (git-fixes). - wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes). - USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes). - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes). - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes). - thunderbolt: Do not double dequeue a configuration request (stable-fixes). - rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes). - firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes). - Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes). - serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes). - wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes). - wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes). - commit d77b71f - Update patches.suse/ALSA-pcm-Fix-race-of-buffer-access-at-PCM-OSS-layer.patch (CVE-2025-38078 bsc#1244737). - commit 9ad878b - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes). - commit 1a53756 - net/sched: fix use-after-free in taprio_dev_notifier (git-fixes). - commit bd7e23e - net_sched: ets: fix a race in ets_qdisc_change() (git-fixes). - commit c8863c2 - net_sched: tbf: fix a race in tbf_change() (git-fixes). - commit 8dd49d3 - net_sched: red: fix a race in __red_change() (git-fixes). - commit eb63704 - net_sched: prio: fix a race in prio_tune() (git-fixes). - commit 2898595 - net_sched: sch_sfq: reject invalid perturb period (git-fixes). - commit 11af7b7 - net: Fix TOCTOU issue in sk_is_readable() (git-fixes). - commit 9bf44e9 - Update patches.suse/dlm-mask-sk_shutdown-value.patch (bsc#1241278). - Update patches.suse/dlm-use-SHUT_RDWR-for-SCTP-shutdown.patch (bsc#1241278). Original bsc number was wrong. Fix it. - commit 37c9443 - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (CVE-2025-38001 bsc#1244234). - commit 6a31481 - packaging: Add support for suse-kabi-tools The current workflow to check kABI stability during the RPM build of SUSE kernels consists of the following steps: * The downstream script rpm/modversions unpacks the consolidated kABI symtypes reference data from kabi/&lt;arch&gt;/symtypes-&lt;flavor&gt; and creates individual symref files. * The build performs a regular kernel make. During this operation, genksyms is invoked for each source file. The tool determines type signatures of all exports within the file, reports any differences compared to the associated symref reference, calculates symbol CRCs from the signatures and writes new type data into a symtypes file. * The script rpm/modversions is invoked again, this time it packs all new symtypes files to a consolidated kABI file. * The downstream script rpm/kabi.pl checks symbol CRCs in the new build and compares them to a reference from kabi/&lt;arch&gt;/symvers-&lt;flavor&gt;, taking kabi/severities into account. suse-kabi-tools is a new set of tools to improve the kABI checking process. The suite includes two tools, ksymtypes and ksymvers, which replace the existing scripts rpm/modversions and rpm/kabi.pl, as well as the comparison functionality previously provided by genksyms. The tools have their own source repository and package. The tools provide faster operation and more detailed, unified output. In addition, they allow the use of the new upstream tool gendwarfksyms, which lacks any built-in comparison functionality. The updated workflow is as follows: * The build performs a regular kernel make. During this operation, genksyms (gendwarfksyms) is invoked as usual, determinining signatures and CRCs of all exports and writing the type data to symtypes files. However, genksyms no longer performs any comparison. * 'ksymtypes consolidate' packs all new symtypes files to a consolidated kABI file. * 'ksymvers compare' checks symbol CRCs in the new build and compares them to a reference from kabi/&lt;arch&gt;/symvers-&lt;flavor&gt;, taking kabi/severities into account. The tool writes its result in a human-readable form on standard output and also writes a list of all changed exports (not ignored by kabi/severities) to the changed-exports file. * 'ksymtypes compare' takes the changed-exports file, the consolidated kABI symtypes reference data from kabi/&lt;arch&gt;/symtypes-&lt;flavor&gt; and the new consolidated data. Based on this data, it produces a detailed report explaining why the symbols changed. The patch enables the use of suse-kabi-tools via rpm/config.sh, providing explicit control to each branch. To enable the support, set USE_SUSE_KABI_TOOLS=Yes in the config file. - commit a2c6f89 - rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725) - commit 5432961 - platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes). - commit 1373cac - platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes). - platform/x86: dell_rbu: Fix list usage (git-fixes). - platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes). - platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes). - commit 4eb007c - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes). - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes). - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes). - commit cc24dff - Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes). - Bluetooth: Remove pending ACL connection attempts (stable-fixes). - Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes). - commit 45b89a8 - kernel-source: Remove log.sh from sources - commit 96bd779 - powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199). - commit 8ae69e3 - ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650). - commit 25c308f - ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes). - regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes). - commit 5b8c5a3 - scsi: dc395x: Remove leftover if statement in reselect() (git-fixes). - commit c259874 - loop: add file_start_write() and file_end_write() (git-fixes). - scsi: dc395x: Remove DEBUG conditional compilation (git-fixes). - scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes). - scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes). - scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes). - scsi: mpi3mr: Add level check to control event logging (git-fixes). - scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes). - scsi: st: ERASE does not change tape location (git-fixes). - scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes). - scsi: st: Restore some drive settings after reset (git-fixes). - commit 6dba36f - x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes). - commit d67c7bf - PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes). - PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes). - PCI: apple: Set only available ports up (git-fixes). - PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes). - PCI/DPC: Log Error Source ID only when valid (git-fixes). - serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes). - x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes). - PCI/DPC: Use defines with DPC reason fields (git-fixes). - commit 67e24e5 - Bluetooth: MGMT: Fix sparse errors (git-fixes). - commit bcd5c33 - wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes). - ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes). - Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes). - Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes). - net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes). - net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes). - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes). - Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes). - ptp: remove ptp-&gt;n_vclocks check logic in ptp_vclock_in_use() (git-fixes). - pinctrl: st: Drop unused st_gpio_bank() function (git-fixes). - pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes). - commit d9ecc09 - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (CVE-2025-38000 bsc#1244277). - commit ffb9ab4 - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - commit 8196566 - Revert &quot;ipv6: save dontfrag in cork (git-fixes).&quot; This reverts commit d3fe600164867bd0529ed1049fbd53ca9fce2eaf. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit b9e7a4e - Revert &quot;kABI: ipv6: save dontfrag in cork (git-fixes).&quot; This reverts commit cbc81e238815721048ac709726467c90981753c9. See https://lore.kernel.org/all/aElivdUXqd1OqgMY@karahi.gladserv.com/ and https://bugzilla.suse.com/show_bug.cgi?id=1244313. - commit 38d0091 - kABI fix for net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (CVE-2025-22111 bsc#1241572). - commit edfd43c - page_pool: avoid infinite loop to schedule delayed worker (CVE-2025-37859 bsc#1243051). - commit b8f1dfd - tipc: fix memory leak in tipc_link_xmit (CVE-2025-37757 bsc#1242521) - commit 48e0415 - struct usci: hide additional member (git-fixes). - commit 1b8456a - net_sched: Flush gso_skb list too during -&gt;change() (CVE-2025-37992 bsc#1243698). - netfilter: ipset: fix region locking in hash types (CVE-2025-37997 bsc#1243832). - ipvs: fix uninit-value for saddr in do_output_route4 (CVE-2025-37961 bsc#1243523). - net: dsa: free routing table on probe failure (CVE-2025-37786 bsc#1242725). - net: tls: explicitly disallow disconnect (CVE-2025-37756 bsc#1242515). - net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (CVE-2025-22111 bsc#1241572). - vlan: enforce underlying device type (CVE-2025-21920 bsc#1240686). - xfrm: delete intermediate secpath entry in packet offload mode (CVE-2025-21720 bsc#1238859). - xfrm: state: fix out-of-bounds read during lookup (CVE-2024-57982 bsc#1237913). - rxrpc: Fix handling of received connection abort (CVE-2024-58053 bsc#1238982). - commit d3e755f - isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774). Return the correct upper limit of the allocated cpumask. modified: - patches.suse/lib-group_cpus-honor-housekeeping-config-when-grouping.patch - patches.suse/lib-group_cpus-let-group_cpu_evenly-return-number.patch - commit 092bf4a - xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes) - commit 24d5250 - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes) - commit 28d162e - Revert &quot;arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes) - commit 9dd3301 - xen/x86: fix initial memory balloon target (git-fixes). - commit 7e938b1 - ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes). - ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes). - commit 9d209cd - ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes). - ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes). - ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes). - commit e8737ac - ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes). - ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes). - ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes). - commit 498a796 - Revert &quot;ALSA: usb-audio: Skip setting clock selector for single connections&quot; (stable-fixes). - Refresh patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch. - Refresh patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch. - commit d0138e9 - ALSA: usb-audio: Support read-only clock selector control (stable-fixes). - Refresh patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch. - Refresh patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch. - commit ee97bec - ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes). - Refresh patches.suse/ALSA-usb-audio-Ignore-clock-selector-errors-for-sing.patch. - Refresh patches.suse/ALSA-usb-audio-Support-multiple-control-interfaces.patch. - commit 7326e0b - ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes). - ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes). - ALSA: usb-audio: Support multiple control interfaces (stable-fixes). - ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes). - commit d4a0ce3 - wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847). - commit 4cfebaa - net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909 bsc#1243467). - vxlan: vnifilter: Fix unlocked deletion of default FDB entry (CVE-2025-37921 bsc#1243480). - commit 788c92a - watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes). - commit 4df631e - watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes). - commit ba2db88 - module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995 bsc#1243827) - commit 6979c9a - mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337). - commit 7c95ae0 - x86/xen: fix balloon target initialization for PVH dom0 (git-fixes). - commit ad18aba - powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790). - powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790). - commit 2d4ad48 - tracing: Verify event formats that have &quot;%*p..&quot; (CVE-2025-37938 bsc#1243544). - tracing: Add __print_dynamic_array() helper (bsc#1243544). - tracing: Add __string_len() example (bsc#1243544). - commit c705d1d - fbdev/efifb: Remove PM for parent device (bsc#1244261). - Refresh patches.suse/fbdev-efifb-Register-sysfs-groups-through-driver-cor.patch. - commit 0c56458 - RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes) - commit 7d2ce51 - RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes) - commit bfdc372 - MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b (&quot;bs-upload-kernel: Pass limit_packages also on multibuild&quot;) - commit f4c6047 - MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed. - commit e4c2851 - MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc (&quot;MyBS: Use buildflags to set which package to build&quot;) - commit 27588c9 - bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc (&quot;MyBS: Use buildflags to set which package to build&quot;) Fixes: 747f601d4156 (&quot;bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)&quot;) - commit 8ef486c - ftrace: Avoid potential division by zero in function_stat_show() (CVE-2025-21898 bsc#1240610). - commit d476f96 - tracing: Fix bad hist from corrupting named_triggers list (CVE-2025-21899 bsc#1240577). - commit 60219e4 - iommu: Skip PASID validation for devices without PASID capability (bsc#1244100) - commit 647b2f4 - iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100) - commit ca42766 - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes). - commit 153c2a2 - nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes). - commit af8b93e - NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes). - commit 91b6192 - jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes). - commit 254a145 - jffs2: check that raw node were preallocated before writing summary (git-fixes). - commit 4a6701a - x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes). - commit ae818bc - x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes). - commit dcdd8b6 - x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes). - commit 65dff7c - x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes). - commit 662ffcd - x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes). - commit 15bb5b3 - blacklist.conf: Disable fineibt part of ITS mitigation - Refresh patches.suse/x86-its-Enumerate-Indirect-Target-Selection-ITS-bug.patch. - commit cedb857 - xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823 CVE-2025-21997). - commit 931fc27 - dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854). - dlm: mask sk_shutdown value (bsc#1228854). - commit 730d8cf - ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes). - ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes). - ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes). - commit 7d227ae - spi: bcm63xx-hsspi: fix shared reset (git-fixes). - spi: bcm63xx-spi: fix shared reset (git-fixes). - regulator: max14577: Add error check for max14577_read_reg() (git-fixes). - usb: usbtmc: Fix timeout value in get_stb (git-fixes). - usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes). - usb: cdnsp: Fix issue with detecting command completion event (git-fixes). - usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes). - usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes). - usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes). - thunderbolt: Fix a logic error in wake on connect (git-fixes). - usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes). - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes). - serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes). - staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes). - iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes). - iio: filter: admv8818: Support frequencies &gt;= 2^32 (git-fixes). - iio: filter: admv8818: fix range calculation (git-fixes). - iio: filter: admv8818: fix integer overflow (git-fixes). - iio: filter: admv8818: fix band 4, state 15 (git-fixes). - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes). - iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes). - iio: imu: inv_icm42600: Fix temperature calculation (git-fixes). - iio: adc: ad7606_spi: fix reg write value mask (git-fixes). - bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes). - drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes). - drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes). - commit def2214 - s390/pci: Serialize device addition and removal (bsc#1244145). - commit f1ae730 - s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145). - commit a73fcdb - s390/pci: Prevent self deletion in disable_slot() (bsc#1244145). - commit 136fe4f - s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145). - commit 9bbc219 - s390/pci: Fix potential double remove of hotplug slot (bsc#1244145). - commit 9714d95 - s390/pci: remove hotplug slot when releasing the device (bsc#1244145). - commit 1415bb1 - s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145). - commit 3430d11 - s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145). - Refresh patches.suse/s390-pci-Fix-leak-of-struct-zpci_dev-when-zpci_add_device-fails.patch. - Refresh patches.suse/s390-pci-Sort-PCI-functions-prior-to-creating-virtual-busses.patch. - commit 2644b79 - s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145). - Refresh patches.suse/s390-pci-Fix-leak-of-struct-zpci_dev-when-zpci_add_device-fails.patch. - Refresh patches.suse/s390-pci-Sort-PCI-functions-prior-to-creating-virtual-busses.patch. - Refresh patches.suse/s390-pci-Use-topology-ID-for-multi-function-devices.patch. - commit 9223df0 - media: mediatek: vcodec: Only free buffer VA that is not NULL (CVE-2023-52888 bsc#1228557). - commit 0299171 - net: fix udp gso skb_segment after pull from frag_list (git-fixes). - commit 8353437 - page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes). - commit 69ccdcd - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes). - commit d107edf - net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes). - commit 71395f7 - neighbour: Don't let neigh_forced_gc() disable preemption for long (git-fixes). - commit fea49bb - net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes). - commit eea3eab - Move upstreamed patches into sorted section - commit c9465fb - kernel-source: Do not use multiple -r in sed parameters This usage is enabled in commit b18d64d (sed: allow multiple (non-conflicting) -E/-r parameters, 2016-07-31) only available since sed 4.3 Fixes: dc2037cd8f94 (&quot;kernel-source: Also replace bin/env&quot; - commit 91ad98e - Drop AMDGPU patch that may cause regressions (bsc#1243782) Deleted: patches.suse/drm-amd-display-more-liberal-vmin-vmax-update-for-fr.patch - commit c23b99f - wifi: ath12k: Avoid memory leak while enabling statistics (CVE-2025-37743 bsc#1242163). - commit f493528 - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes). - net: wwan: t7xx: Fix napi rx poll issue (git-fixes). - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes). - Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes). - rtc: Fix offset calculation for .start_secs &lt; 0 (git-fixes). - rtc: stm32: drop unused module alias (git-fixes). - rtc: s3c: drop unused module alias (git-fixes). - rtc: pm8xxx: drop unused module alias (git-fixes). - rtc: jz4740: drop unused module alias (git-fixes). - rtc: da9063: drop unused module alias (git-fixes). - rtc: cpcap: drop unused module alias (git-fixes). - rtc: at91rm9200: drop unused module alias (git-fixes). - rtc: sh: assign correct interrupts with DT (git-fixes). - dmaengine: ti: Add NULL check in udma_probe() (git-fixes). - phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes). - commit ec23ee6 - net: usb: aqc111: debug info before sanitation (git-fixes). - commit fc18979 - openvswitch: Fix unsafe attribute parsing in output_userspace() (CVE-2025-37998 bsc#1243836) - commit 51afd13 - octeon_ep: Fix host hang issue during device reboot (CVE-2025-37933 bsc#1243628) - commit 44230dd - kABI: ipv6: save dontfrag in cork (git-fixes). Patch-up the kABI change with an #ifdef __GENKSYMS__. This change is safe (as detailed in the patch commit message) due to the struct having a 6-byte hole at the end we can use. - commit cbc81e2 - ipv6: save dontfrag in cork (git-fixes). - commit d3fe600 - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes). - commit 756fa72 - netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes). - commit e02eac4 - ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes). - commit d943643 - tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes). - commit 09561a1 - xsk: always clear DMA mapping information when unmapping the pool (git-fixes). - commit 9908bc6 - net: sched: fix erspan_opt settings in cls_flower (git-fixes). - commit fc52734 - spi: spi-imx: Add check for spi_imx_setupxfer() (CVE-2025-37801 bsc#1242850) - commit f3955e7 - ipmr: fix tables suspicious RCU usage (git-fixes). - commit d029f0f - ip6mr: fix tables suspicious RCU usage (git-fixes). - commit 79bb134 - netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes). - commit f180c62 - netdev-genl: Hold rcu_read_lock in napi_get (git-fixes). - commit 895e121 - net/neighbor: clear error in case strict check is not set (git-fixes). - commit 9eb711a - ipv4: Convert ip_route_input() to dscp_t (git-fixes). - commit 401defe - net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes). - commit a6910eb - udp: fix receiving fraglist GSO packets (git-fixes). - commit 5b87500 - net: linkwatch: use system_unbound_wq (git-fixes). - commit 34d590e - net: page_pool: fix warning code (git-fixes). - commit 0d77245 - net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes). - commit a1b1859 - tcp/dccp: complete lockless accesses to sk-&gt;sk_max_ack_backlog (git-fixes). - commit b96b4a8 - tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes). - commit afdb9bb - udp: preserve the connected status if only UDP cmsg (git-fixes). - commit 8714e3a - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes). - commit 34a2994 - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes). - commit f23f4c9 - ip_tunnel: annotate data-races around t-&gt;parms.link (git-fixes). - commit 765e083 - net: add rcu safety to rtnl_prop_list_size() (git-fixes). - commit 1e0fceb - net: ipv4: fix a memleak in ip_setup_cork (git-fixes). - commit 935ac41 - udp: annotate data-races around up-&gt;pending (git-fixes). - commit 72fda93 - ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes). - commit 011b9c9 - driver core: fix potential NULL pointer dereference in dev_uevent() (CVE-2025-37800 bsc#1242849). - driver core: introduce device_set_driver() helper (CVE-2025-37800 bsc#1242849). - commit 3aecdc2 - soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes). - commit a145886 - wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes). - wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes). - wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes). - wifi: mt76: mt7925: refine the sniffer commnad (git-fixes). - wifi: mt76: mt7925: prevent multiple scan commands (git-fixes). - wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes). - wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes). - Revert &quot;wifi: mt76: mt7996: fill txd by host driver&quot; (stable-fixes). - wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes). - wifi: ath12k: fix ring-buffer corruption (git-fixes). - wifi: ath11k: fix rx completion meta data corruption (git-fixes). - wifi: ath11k: fix ring-buffer corruption (git-fixes). - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes). - wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes). - wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes). - wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes). - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes). - wifi: rtw88: do not ignore hardware read error during DPK (git-fixes). - wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes). - wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes). - wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes). - wifi: ath12k: fix node corruption in ar-&gt;arvifs list (git-fixes). - wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes). - commit 3f5d0e4 - wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes). - commit 0de0b80 - wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes). - wifi: ath12k: fix invalid access to memory (git-fixes). - wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes). - wifi: ath12k: fix cleanup path after mhi init (git-fixes). - wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes). - wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes). - wifi: ath11k: fix node corruption in ar-&gt;arvifs list (git-fixes). - watchdog: exar: Shorten identity name to fit correctly (git-fixes). - wifi: iwlwifi: add support for Killer on MTL (stable-fixes). - wifi: mt76: mt7996: revise TXS size (stable-fixes). - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes). - wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes). - wifi: iwlwifi: fix debug actions order (stable-fixes). - wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes). - wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes). - wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes). - wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes). - wifi: ath9k: return by of_get_mac_address (stable-fixes). - wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes). - wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes). - wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes). - wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes). - wifi: mac80211: don't unconditionally call drv_mgd_complete_tx() (stable-fixes). - wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes). - commit 9963350 - vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes). - soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes). - soc: aspeed: lpc: Fix impossible judgment condition (git-fixes). - spi: sh-msiof: Fix maximum DMA transfer size (git-fixes). - spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes). - spi: tegra210-quad: remove redundant error handling code (git-fixes). - spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes). - spi: spi-sun4i: fix early activation (stable-fixes). - spi-rockchip: Fix register out of bounds access (stable-fixes). - thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes). - usb: xhci: Don't change the status of stalled TDs on failed Stop EP (stable-fixes). - serial: sh-sci: Save and restore more registers (git-fixes). - serial: sh-sci: Update the suspend/resume support (stable-fixes). - thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes). - soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes). - soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes). - spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes). - commit 38d0a8f - PM: sleep: Print PM debug messages during hibernation (git-fixes). - commit 96179c7 - PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes). - PCI: cadence: Fix runtime atomic count underflow (git-fixes). - PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes). - PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes). - PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes). - PCI: Explicitly put devices into D0 when initializing (git-fixes). - PCI/DPC: Initialize aer_err_info before using it (git-fixes). - selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes). - pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes). - pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs &gt; 31 (git-fixes). - pinctrl: at91: Fix possible out-of-boundary access (git-fixes). - selftests/bpf: Fix bpf_nf selftest failure (git-fixes). - selftests/seccomp: fix syscall_restart test for arm compat (git-fixes). - PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes). - power: reset: at91-reset: Optimize at91_reset() (git-fixes). - regulator: max20086: Change enable gpio to optional (git-fixes). - regulator: max20086: Fix MAX200086 chip id (git-fixes). - platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes). - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes). - phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes). - phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes). - phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes). - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes). - pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes). - rtc: rv3032: fix EERD location (stable-fixes). - rtc: ds1307: stop disabling alarms on probe (stable-fixes). - phy: core: don't require set_mode() callback for phy_get_mode() to work (stable-fixes). - pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes). - pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes). - pinctrl: bcm281xx: Use &quot;unsigned int&quot; instead of bare &quot;unsigned&quot; (stable-fixes). - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes). - PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes). - PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes). - PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes). - PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes). - selftests/net: have `gro.sh -t` return a correct exit code (stable-fixes). - regulator: ad5398: Add device tree support (stable-fixes). - PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes). - phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes). - commit 32a9142 - tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes). - commit 2a9c7bb - mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes). - mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes). - mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes). - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes). - net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes). - net: phy: clear phydev-&gt;devlink when the link is deleted (git-fixes). - net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes). - net: usb: aqc111: fix error handling of usbnet read calls (git-fixes). - mmc: host: Wait for Vdd to settle on card power off (stable-fixes). - mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes). - commit eedda90 - mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes). - mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes). - media: uvcvideo: Fix deferred probing error (git-fixes). - media: uvcvideo: Return the number of processed controls (git-fixes). - media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes). - media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes). - media: v4l2-dev: fix error handling in __video_register_device() (git-fixes). - media: ov8856: suppress probe deferral errors (git-fixes). - media: ov5675: suppress probe deferral errors (git-fixes). - media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes). - media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes). - media: davinci: vpif: Fix memory leak in probe error path (git-fixes). - media: vivid: Change the siize of the composing (git-fixes). - media: cxusb: no longer judge rbuf when the write fails (git-fixes). - media: vidtv: Terminating the subsequent process of initialization failure (git-fixes). - media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes). - media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes). - media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes). - media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes). - media: imx-jpeg: Cleanup after an allocation error (git-fixes). - media: imx-jpeg: Reset slot data pointers when freed (git-fixes). - media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes). - media: imx-jpeg: Drop the first error frames (git-fixes). - media: venus: Fix probe error handling (git-fixes). - media: rkvdec: Fix frame size enumeration (git-fixes). - mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes). - media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes). - media: cx231xx: set device_caps for 417 (stable-fixes). - media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes). - media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes). - media: adv7180: Disable test-pattern control on adv7180 (stable-fixes). - media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes). - media: test-drivers: vivid: don't call schedule in loop (stable-fixes). - media: i2c: imx219: Correct the minimum vblanking value (stable-fixes). - media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes). - media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes). - mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes). - commit de6c9a2 - Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes). - commit e29f865 - hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes). - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes). - firmware: psci: Fix refcount leak in psci_dt_init (git-fixes). - gpiolib: Revert &quot;Don't WARN on gpiod_put() for optional GPIO&quot; (stable-fixes). - Input: xpad - add more controllers (stable-fixes). - gpio: pca953x: fix IRQ storm on system wake up (git-fixes). - HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes). - intel_th: avoid using deprecated page-&gt;mapping, index fields (stable-fixes). - ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes). - i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes). - i3c: master: svc: Fix missing STOP for master request (stable-fixes). - i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes). - i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes). - i2c: pxa: fix call balance of i2c-&gt;clk handling routines (stable-fixes). - fpga: altera-cvp: Increase credit timeout (stable-fixes). - mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes). - leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes). - firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes). - firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes). - ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes). - HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes). - hwmon: (dell-smm) Increment the number of fans (stable-fixes). - hwmon: (gpio-fan) Add missing mutex locks (stable-fixes). - hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes). - gpio: pca953x: Simplify code with cleanup helpers (stable-fixes). - gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes). - commit 50f84af - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes). - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes). - drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes). - drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes). - drm/mediatek: Fix kobject put for component sub-drivers (git-fixes). - drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes). - Revert &quot;drm/amdgpu: don't allow userspace to create a doorbell BO&quot; (stable-fixes). - drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes). - drm/tegra: Fix a possible null pointer dereference (git-fixes). - drm/tegra: rgb: Fix the unbound reference count (git-fixes). - drm/tegra: Assign plane type before registration (git-fixes). - drm/vkms: Adjust vkms_state-&gt;active_planes allocation type (git-fixes). - drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes). - drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes). - drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes). - drm/ast: Fix comment on modeset lock (git-fixes). - drm/vc4: tests: Use return instead of assert (git-fixes). - drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes). - drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes). - drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes). - drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes). - drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes). - drm/udl: Unregister device before cleaning up on disconnect (git-fixes). - drm/vmwgfx: Add seqno waiter for sync_files (git-fixes). - Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes). - Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes). - drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes). - drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes). - drm/amdgpu: Update SRIOV video codec caps (stable-fixes). - drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes). - drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes). - drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes). - drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes). - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes). - drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes). - drm/amdkfd: KFD release_work possible circular locking (stable-fixes). - drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes). - drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes). - drm/amd/display: Don't try AUX transactions on disconnected link (stable-fixes). - drm/amdgpu: reset psp-&gt;cmd to NULL after releasing the buffer (stable-fixes). - drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes). - drm/amd/display: Initial psr_version with correct setting (stable-fixes). - drm/amd/display: Increase block_sequence array size (stable-fixes). - drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes). - drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes). - drm/v3d: Add clock handling (stable-fixes). - drm/ast: Find VBIOS mode from regular display size (stable-fixes). - drm: bridge: adv7511: fill stream capabilities (stable-fixes). - drm/atomic: clarify the rules around drm_atomic_state-&gt;allow_modeset (stable-fixes). - drm/panel-edp: Add Starry 116KHD024006 (stable-fixes). - drm: Add valid clones check (stable-fixes). - fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes). - fbcon: Use correct erase colour for clearing in fbcon (stable-fixes). - fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes). - firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes). - commit 0574d41 - Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes). - crypto: marvell/cesa - Do not chain submitted requests (git-fixes). - crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes). - crypto: xts - Only add ecb if it is not already there (git-fixes). - crypto: lrw - Only add ecb if it is not already there (git-fixes). - crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes). - crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes). - crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes). - Documentation: fix typo in root= kernel parameter description (git-fixes). - dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes). - commit 8e41cce - backlight: pm8941: Add NULL check in wled_configure() (git-fixes). - bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes). - bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes). - bus: fsl-mc: fix double-free on mc_dev (git-fixes). - Revert &quot;bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first&quot; (stable-fixes). - Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes). - ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes). - ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes). - ASoC: SOF: ipc4-pcm: Adjust pipeline_list-&gt;pipelines allocation type (git-fixes). - crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes). - crypto: qat - add shutdown handler to qat_420xx (git-fixes). - crypto: qat - add shutdown handler to qat_4xxx (git-fixes). - crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes). - crypto: lzo - Fix compression buffer overrun (stable-fixes). - crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes). - can: c_can: Use of_property_present() to test existence of DT property (stable-fixes). - commit 595e083 - ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes). - ASoC: tas2764: Enable main IRQs (git-fixes). - ASoC: tas2764: Reinit cache on part reset (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes). - ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes). - ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes). - ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes). - ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes). - ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes). - ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes). - commit 255f2cb - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes). - ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes). - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes). - ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes). - ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes). - ASoC: tas2764: Power up/down amp on mute ops (stable-fixes). - ASoC: ops: Enforce platform maximum on initial value (stable-fixes). - ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes). - ASoC: rt722-sdca: Add some missing readable registers (stable-fixes). - commit ab5fcf6 - kABI workaround for hda_codec.beep_just_power_on flag (git-fixes). - commit 11aaa35 - acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes). - ACPICA: Utilities: Fix spelling mistake &quot;Incremement&quot; -&gt; &quot;Increment&quot; (git-fixes). - ACPICA: exserial: don't forget to handle FFixedHW opregions for reading (git-fixes). - ACPI: OSI: Stop advertising support for &quot;3.0 _SCP Extensions&quot; (git-fixes). - ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes). - accel/qaic: Mask out SR-IOV PCI resources (stable-fixes). - ALSA: seq: Improve data consistency at polling (stable-fixes). - ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes). - ACPI: HED: Always initialize before evged (stable-fixes). - commit 6ebe577 - net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (CVE-2025-37917 bsc#1243475). - commit 0f659f2 - usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes). - commit bae0091 - usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes). - commit a0506dd - usb: typec: ucsi: Only enable supported notifications (git-fixes). - commit 3a52706 - usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes). - commit 5ca6578 - platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes). - commit 1564858 - platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes). - commit 2bfd2a7 - pstore: Change kmsg_bytes storage size to u32 (git-fixes). - commit c964f36 - orangefs: Do not truncate file size (git-fixes). - commit 9fbe3ae - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes). - commit a689f10 - NFS: Don't allow waiting for exiting tasks (git-fixes). - Refresh patches.suse/nfs-add-missing-selections-of-CONFIG_CRC32.patch. - commit 899f47c - SUNRPC: Don't allow waiting for exiting tasks (git-fixes). - commit 8b942ca - NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes). - commit 9139fd5 - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes). - commit e2112a4 - SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes). - commit f49c9db - pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes). - commit 39e7a29 - iommu: Protect against overflow in iommu_pgsize() (git-fixes). - commit 6adbec5 - ext4: define ext4_journal_destroy wrapper (CVE-2025-22113 bsc#1241617). - commit 8dddf47 - ext4: ignore xattrs past end (bsc#1242846 CVE-2025-37738). - commit 2a74454 - ext4: avoid journaling sb update on error if journal is destroying (bsc#1241617 CVE-2025-22113). - commit 0445179 - net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (CVE-2024-49568 bsc#1235728). - commit a7c2f15 - i2c: tegra: check msg length in SMBUS block read (bsc#1242086) - commit 625407a - iio: light: opt3001: fix deadlock due to concurrent flag access (CVE-2025-37968 bsc#1243571) - commit 0e5e655 - perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (CVE-2025-37936 bsc#1243537) - commit 2e13950 - net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (CVE-2025-37945 bsc#1243538) - commit efc17f3 - pds_core: Prevent possible adminq overflow/stuck condition (CVE-2025-37987 bsc#1243542) - commit ba1ea39 - SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes). - commit dc6e86f - Refresh patches.suse/nfs-ignore-SB_RDONLY-when-remounting-nfs.patch. - commit 359f356 - Refresh patches.suse/nfs-clear-SB_RDONLY-before-getting-superblock.patch. - commit 2697e51 - fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes). - commit fcf1703 - powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199). - KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199). - commit 2d2709b - Update patches.suse/nfsd-Fix-race-to-FREE_STATEID-and-cl_revoked.patch (bsc#1012628 CVE-2024-50106 bsc#1232882). - commit a87a308 - net: ngbe: fix memory leak in ngbe_probe() error path (CVE-2025-37874 bsc#1242940) - commit bc2e64d Package krb5 was updated: - Remove des3-cbc-sha1 and arcfour-hmac-md5 from permitted enctypes unless new special options &quot;allow_des3&quot; or &quot;allow_rc4&quot; are set; (CVE-2025-3576); (bsc#1241219). - Add patch 0015-CVE-2025-3576.patch Package avahi was updated: - Add avahi-CVE-2024-52615.patch: Backport 4e2e1ea from upstream, Resolve fixed source ports for wide-area DNS queries cause DNS responses be injected. (CVE-2024-52615, bsc#1233421) Package expat was updated: - Fix CVE-2025-59375 / bsc#1249584.- Add patch file: * CVE-2025-59375.patch Package gcc14 was updated: - Exclude shared objects present for link editing in the GCC specific subdirectory from provides processing via __provides_exclude_from. [bsc#1244050][bsc#1243991] - Make cross-*-gcc14-bootstrap package conflict with the non-bootstrap variant conflict with the unversioned cross-*-gcc package. - Disable build of glibc cross to loongarch64 and hppa in SLFO and SLE15. - Update to GCC 14.3 release, bb24b4c804f3d95b0ba95b7496, git11799 - Remove gcc14-pr120061.patch which is now included upstream. - Add gcc14-pr120061.patch to fix the PR108900 fix instead of reverting it. - Remove gcc14-pr108900.patch - Add gcc14-pr108900.patch to revert it, fixing libqt6webengine build. - Update to gcc-14 branch head, 3418d740b344e0ba38022f3be, git11702 * Remove gcc14-pr118780.patch now on the upstream branch - Fix build on s390x [bsc#1241549] - Make sure link editing is done against our own shared library copy rather than the installed system runtime. [bsc#1240788] - Add gcc14-pr119680.patch to fix cross-compiler builds with - -enable-host-pie. Package gnutls was updated: - Fix heap buffer overread when handling the CT SCT extension during X.509 certificate parsing [bsc#1246233, CVE-2025-32989] * Add patch gnutls-CVE-2025-32989.patch - Fix double-free due to incorrect ownership handling in the export logic of SAN entries containing an otherName [bsc#1246232, CVE-2025-32988] * Add patch gnutls-CVE-2025-32988.patch - Fix 1-byte heap buffer overflow when parsing templates with certtool [bsc#1246267, CVE-2025-32990] * Add patch gnutls-CVE-2025-32990.patch - Fix NULL pointer dereference when 2nd Client Hello omits PSK [bsc#1246299, CVE-2025-6395] * Add patch gnutls-CVE-2025-6395.patch Package libnvme was updated: - Update to version 1.8+84.g73e0811d: * tree: do not try to strdup NULL pointer (bsc#1247225) * tree: always set the host key (bsc#1246560) - Update to version 1.8+82.g9a64f8f4: * tree: free ctrl attributes when (re)configure ctrl (bsc#1243716) * tree: filter tree after scan has completed (bsc#1243716) * sysfs: minimize heap allocations of sysfs paths Package openssl-1_1 was updated: - Security fix: [bsc#1250232 CVE-2025-9230] * Fix out-of-bounds read &amp; write in RFC 3211 KEK unwrap * Add patch openssl3-CVE-2025-9230.patch - FIPS: Use the NID_X9_62_prime256v1 curve in ECDSA KAT test instead of NID_secp256k1. [bsc#1246697] * Add openssl-fips-ECDSA-KAT.patch Package openssl-3 was updated: - Security fix: [bsc#1250232 CVE-2025-9230] * Fix out-of-bounds read &amp; write in RFC 3211 KEK unwrap * Add patch openssl3-CVE-2025-9230.patch - Increase limit for CRL download [bsc#1247148, bsc#1247144] * Add openssl-3-large-CRLs.patch Package polkit was updated: - CVE-2025-7519: Fixed that a XML policy file with a large number of nested elements may lead to out-of-bounds write (bsc#1246472) added 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch Package python3 was updated: - Add CVE-2025-8194-tarfile-no-neg-offsets.patch which now validates archives to ensure member offsets are non-negative (gh#python/cpython#130577, CVE-2025-8194, bsc#1247249). - Add CVE-2025-4435-normalize-lnk-trgts-tarfile.patch Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 on tarfile (bsc#1244032, bsc#1244061, bsc#1244059, bsc#1244060, bsc#1244056). The backported fixes do not contain changes for ntpath.py and related tests, because the support for symlinks and junctions were added later in Python 3.9, and it does not make sense to backport them to 3.6 here. The patch is contains the following changes: - python@42deeab fixes symlink handling for tarfile.data_filter - python@9d2c2a8 fixes handling of existing files/symlinks in tarfile - python@00af979 adds a new &quot;strict&quot; argument to realpath() - python@dd8f187 fixes mulriple CVE fixes in the tarfile module - downstream only fixes that makes the changes work and compatible with Python 3.6 - Add CVE-2025-6069-quad-complex-HTMLParser.patch to avoid worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (CVE-2025-6069, bsc#1244705). - Add python36-* provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 - Add ipaddress-update-pr60.patch from gh#phihag/ipaddress!60 to update vendored ipaddress module to 3.8 equivalent - Add gh-128840_parse-IPv6-with-emb-IPv4.patch to limit buffer size for IPv6 address parsing (gh#python/cpython#128840, bsc#1244401). - Update CVE-2025-4516-DecodeError-handler.patch not to break _PyBytes_DecodeEscape signature. - Add CVE-2025-4516-DecodeError-handler.patch fixing CVE-2025-4516 (bsc#1243273) blocking DecodeError handling vulnerability, which could lead to DoS. Package ruby2.5 was updated: - update suse.patch to 3f3682bf07fcd4f2fa875958853d3843ee7dcdb9 - fix remote DoS via YAML manifest bsc#1225905 CVE-2024-35221 - update suse.patch to c76fb820676cfded16c697a62281a3bfeb8e4bb1 - fix webrick: Ruby WEBrick read_header HTTP Request Smuggling Vulnerability bsc#1245254 CVE-2025-6442 - update suse.patch to 5d79fc609c5761864aec47e1ae4796b93db99104 - fix ruby: userinfo leakage in URI#join, URI#merge and URI#+ bsc#1237805 CVE-2025-27221 Package libsolv was updated: - add support for product-obsoletes() provides in the product autopackage generation code - bump version to 0.7.34 - improve transaction ordering by allowing more uninst-&gt;uninst edges [bsc#1243457] - implement color filtering when adding update targets - support orderwithrequires dependencies in susedata.xml - bump version to 0.7.33 Package sqlite3 was updated: - Backpatch the URLs in sqlite3.n from https to http to avoid a file conflict with the tcl package on SLE-15-GA up to SP2. In SP3 and onwards the Tcl package does not contain the sqlite extension anymore. - Sync version 3.50.2 from Factory: * CVE-2025-6965, bsc#1246597: Raise an error early if the number of aggregate terms in a query exceeds the maximum number of columns, to avoid downstream assertion faults. * Add subpackage for the lemon parser generator. + sqlite-3.49.0-fix-lemon-missing-cflags.patch + sqlite-3.6.23-lemon-system-template.patch Package libssh was updated: - Security fix: [CVE-2025-8277, bsc#1249375] * Memory Exhaustion via Repeated Key Exchange * Add patches: - libssh-CVE-2025-8277-packet-Adjust-packet-filter-to-work-wh.patch - libssh-CVE-2025-8277-Fix-memory-leak-of-unused-ephemeral-ke.patch - libssh-CVE-2025-8277-ecdh-Free-previously-allocated-pubkeys.patch - Security fix: [CVE-2025-8114, bsc#1246974] * NULL pointer dereference when calculating session ID during KEX * Add libssh-CVE-2025-8114.patch Package systemd was updated: - triggers.systemd: skip update of hwdb, journal-catalog if executed during an offline update. - systemd-repart is no more considered as experimental (jsc#PED-13213) - Import commit 130293e510ceb4d121d11823e6ebd4b1e8332ea0 (merge of v254.27) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/278fb676146e35a7b4057f52f34a7bbaf1b82369...130293e510ceb4d121d11823e6ebd4b1e8332ea0 Package libxml2 was updated: - security update- added patches CVE-2025-7425 [bsc#1246296], Heap Use-After-Free in libxslt caused by atype corruption in xmlAttrPtr + libxml2-CVE-2025-7425.patch Package libzypp was updated: - runposttrans: strip root prefix from tmppath (bsc#1250343)- fixup! Make ld.so ignore the subarch packages during install (bsc#1246912) - version 17.37.18 (35) - Make ld.so ignore the subarch packages during install (bsc#1246912) - version 17.37.17 (35) - Fix evaluation of libproxy results (bsc#1247690) - Replace URL variables inside mirrorlist/metalink files (fixes #667) - version 17.37.16 (35) - Append RepoInfo::path() to the mirror URLs in Preloader (bsc#1247054) - version 17.37.15 (35) - During installation indicate the backend being used (bsc#1246038) If some package actually needs to know, it should test for ZYPP_CLASSIC_RPMTRANS being set in the environment. Otherwise the transaction is driven by librpm. - version 17.37.14 (35) - Workaround 'rpm -vv' leaving scriptlets /var/tmp (bsc#1218459) - Verbose log libproxy results if PX_DEBUG=1 is set. - BuildRequires: cmake &gt;= 3.17. - version 17.37.13 (35) - Allow explicit request to probe an added repo's URL (bsc#1246466) - Fix tests with -DISABLE_MEDIABACKEND_TESTS=1 (fixes #661) - version 17.37.12 (35) - Add runtime check for a broken rpm-4.18.0 --runpostrans (bsc#1246149) - Add regression test for bsc#1245220 and some other filesize related tests. - version 17.37.11 (35) - BuildRequires: %{libsolv_devel_package} &gt;= 0.7.34 (bsc#1243486) Newer rpm versions no longer allow a ':' in rpm package names or obsoletes. So injecting an Obsoletes: product:oldproductname &lt; oldproductversion into the -release package to indicate a product rename is no longer possible. Since libsolv-0.7.34 you can and should use: Provides: product-obsoletes(oldproductname) &lt; oldproductversion in the -release package. libsolv will then inject the appropriate Obsoletes into the Product. - version 17.37.10 (35) - Ignore DeltaRpm download errors (bsc#1245672) DeltaRpms are in fact optional resources. In case of a failure the full rpm is downloaded. - Improve fix for incorrect filesize handling (bsc#1245220) - version 17.37.9 (35) - Do not trigger download data exceeded errors on HTTP non data responses (bsc#1245220) In some cases a HTTP 401 or 407 did trigger a &quot;filesize exceeded&quot; error, because the response payload size was compared against the expected filesize. This patch adds some checks if the response code is in the success range and only then takes expected filesize into account. Otherwise the response content-length is used or a fallback of 2Mb if no content-length is known. - version 17.37.8 (35) - Fix SEGV in MediaDISK handler (bsc#1245452) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. DownloadAsNeeded can not be combined with the rpm singletrans installer backend because a rpm transaction requires all package headers to be available the the beginning of the transaction. So explicitly selecting this mode also turns on the classic_rpmtrans backend. - Fix evaluation of libproxy results (bsc#1244710) - version 17.37.7 (35) - Enhancements regarding mirror handling during repo refresh. Added means to disable the use of mirrors when downloading security relevant files. Requires updaing zypper to 1.14.91. - Fix autotestcase writer if ZYPP_FULLLOG=1 (bsc#1244042) If ZYPP_FULLLOG=1 a solver testcase to &quot;/var/log/YaST2/autoTestcase&quot; should be written for each solver run. There was no testcase written for the very first solver run. This is now fixed. - Pass $1==2 to %posttrans script if it's an update (bsc#1243279) - version 17.37.6 (35) Package nvme-cli was updated: - Update to version 2.8+94.gbf4a448c: * netapp-ontapdev: update invalid device handling (bsc#1247017) * netapp-smdev: update invalid device handling (bsc#1247017) - Update to version 2.8+92.g998dceae: * nvme: fix mem leak in nvme copy (bsc#1243716) * nvme-print: suppress output when no ctrl is present for list-subsys (bsc#1243716) * nvme: extend filter to match device name (bsc#1243716) * udev-rules-ontap: switch to queue-depth iopolicy (bsc#1246599) Package pam was updated: - Make sure that the buffer containing encrypted passwords get's erased bedore free. - Replace to previous CVE fix which led to CPU performance issues. [bsc#1246221, CVE-2024-10041, + libpam-introduce-secure-memory-erasure-helpers.patch + pam_modutil_get-overwrite-password-at-free.patch - passverify-always-run-the-helper-to-obtain-shadow_pwd.patch] Package python-PyYAML was updated: - Add python36-PyYAML provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-appdirs was updated: - Add python36-appdirs provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-asn1crypto was updated: - Add python36-asn1crypto provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-certifi was updated: - Add python36-certifi provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-cffi was updated: - Add python36-cffi provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-chardet was updated: - Add python36-chardet provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python3-cryptography was updated: - Add python36-cryptography provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 - Skipping failing test Package python-idna was updated: - Add python36-idna provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-packaging was updated: - Add python36-packaging provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python3-pyOpenSSL was updated: - Add python36-pyOpenSSL provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-pyasn1 was updated: - Add python36-pyasn1 provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-pycparser was updated: - Add python36-pycparser provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-pyparsing was updated: - Add python36-pyparsing provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-pytz was updated: - Add python36-pytz provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-py was updated: - Add python36-py provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-requests was updated: - Add python36- provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python3-setuptools was updated: - Add python36-setuptools provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-six was updated: - Add python36-six provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package python-urllib3 was updated: - Add patch CVE-2025-50181-poolmanager-redirects.patch: * Pool managers now properly control redirects when retries is passed (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925) - Add python36-urllib3 provides/obsoletes to enable SLE-12 -&gt; SLE-15 migration, bsc#1233012 Package regionServiceClientConfigGCE was updated: - Update to version 5.0.0 (bsc#1246995) + SLE 16 python-requests requiers SSL v3 certificates. Update 2 region server certs to support SLE 16 when it gets released. - Update conditional to handle name change of metadata package in SLE 16 (bsc#1242063) Package release-notes-sles was updated: - 15.6.20250821 (tracked in bsc#933411)- Added note about virt-install --cdrom with SEV (bsc#1241602) - Added note about SSH algo control method changing and link (bsc#1244260) - Added note about 4096-bit signing key (jsc#PED-8000) - Added note about Non unified image for SEV (bsc#1232762) - Added note about new systems management module (jsc#PED-12703) - Added note about externally supported flag (jsc#PED-8462) - Added MI300A support (jsc#PED-7607) - Added note about PHP 7.4 deprecation (jsc#PED-8166) - Clarified support of BPF-related tools (jsc#PED-8569) - Added note about deprecating NFSv2 (bsc#1230914) Package samba was updated: - CVE-2025-9640: fix vfs_streams_xattr uninitialized memory write; (bsc#1251279);(bso#15885). - CVE-2025-10230: fix command Injection in WINS Server Hook Script; (bsc#1251280);(bso#15903). Package sudo was updated: - Fix for SG#69994, bsc#1240954, bsc#1245743: * bsc1240954.patch: [PATCH] If user's tty goes away, tell monitor to revoke the tty in its session. Package suse-build-key was updated: - adjust UID (name + email) of SLES16 signing key with official names. (bsc#1245223) Package suse-module-tools was updated: - Update to version 15.6.11: * spec file: add missing util-linux requirement (bsc#1241038) * regenerate-initrd-posttrans: Fix SKIP_REGENERATE_INITRD_ALL (bsc#1228929) Package sysconfig was updated: - version 0.85.10 * codespell run for all repository files and changes file * spec: define permissions for ghost file attrs to avoid rpm --restore resets them to 0 (bsc#1237595). * spec: fix name-repeated-in-summary rpmlint warning Package systemd-presets-branding-SLE was updated: - enable sysstat_collect.timer and sysstat_summary.timer [bsc#1244553] and [bsc#1246835] - modified sources % default-SLE.preset Package systemd-rpm-macros was updated: - Bump version to 16 - Introduce %udev_trigger_with_reload() for packages that need to trigger events in theirs scriplets. The new macro automatically triggers a reload of the udev rule files as this step is often overlooked by packages (bsc#1237143). Package vim was updated: - Fix the following CVEs and bugs: * bsc#1246602 (CVE-2025-53906) * bsc#1246604 (CVE-2025-53905) * bsc#1247939 (CVE-2025-55158) * bsc#1247938 (CVE-2025-55157) - Update to 9.1.1629: 9.1.1629: Vim9: Not able to use more than 10 type arguments in a generic function 9.1.1628: fuzzy.c has a few issues 9.1.1627: fuzzy matching can be improved 9.1.1626: cindent: does not handle compound literals 9.1.1625: Autocompletion slow with include- and tag-completion 9.1.1624: Cscope not enabled on MacOS 9.1.1623: Buffer menu does not handle unicode names correctly 9.1.1622: Patch v9.1.1432 causes performance regressions 9.1.1621: flicker in popup menu during cmdline autocompletion 9.1.1620: filetype: composer.lock and symfony.lock files not recognized 9.1.1619: Incorrect E535 error message 9.1.1618: completion: incorrect selected index returned from complete_info() 9.1.1617: Vim9: some error messages can be improved 9.1.1616: xxd: possible buffer overflow with bitwise output 9.1.1615: diff format erroneously detected 9.1.1614: Vim9: possible variable type change 9.1.1613: tests: test_search leaves a few swapfiles behind 9.1.1612: Ctrl-G/Ctrl-T do not ignore the end search delimiter 9.1.1611: possible undefined behaviour in mb_decompose() 9.1.1610: completion: hang or E684 when 'tagfunc' calls complete() 9.1.1609: complete: Heap-buffer overflow with complete function 9.1.1608: No command-line completion for :unsilent {command} 9.1.1607: :apple command detected as :append 9.1.1606: filetype: a few more files are not recognized 9.1.1605: cannot specify scope for chdir() 9.1.1604: completion: incsearch highlight might be lost 9.1.1603: completion: cannot use autoloaded funcs in 'complete' F{func} 9.1.1602: filetype: requirements-*.txt files are not recognized 9.1.1601: Patch v8.1.0425 was wrong 9.1.1600: using diff anchors with hidden buffers fails silently 9.1.1599: :bnext doesn't go to unlisted help buffers 9.1.1598: filetype: waybar config file is not recognized 9.1.1597: CI reports leaks in libgtk3 library 9.1.1596: tests: Test_search_wildmenu_iminsert() depends on help file 9.1.1595: Wayland: non-portable use of select() 9.1.1594: completion: search completion throws errors 9.1.1593: Confusing error when compiling incomplete try block 9.1.1592: Vim9: crash with classes and garbage collection 9.1.1591: VMS support can be improved 9.1.1590: cannot perform autocompletion 9.1.1589: Cannot disable cscope interface using configure 9.1.1588: Vim9: cannot split dict inside command block 9.1.1587: Wayland: timeout not updated before select() 9.1.1586: Vim9: can define an enum/interface in a function 9.1.1585: Wayland: gvim still needs GVIM_ENABLE_WAYLAND 9.1.1584: using ints as boolean type 9.1.1583: gvim window lost its icons 9.1.1582: style issue in vim9type.c and vim9generics.c 9.1.1581: possible memory leak in vim9generics.c 9.1.1580: possible memory leak in vim9type.c 9.1.1579: Coverity complains about unchecked return value 9.1.1578: configure: comment still mentions autoconf 2.71 9.1.1577: Vim9: no generic support yet 9.1.1576: cannot easily trigger wildcard expansion 9.1.1575: tabpanel not drawn correctly with wrapped lines 9.1.1574: Dead code in mbyte.c 9.1.1573: Memory leak when pressing Ctrl-D in cmdline mode 9.1.1572: expanding $var does not escape whitespace for 'path' 9.1.1571: CmdlineChanged triggered to often 9.1.1570: Copilot suggested some improvements in cmdexpand.c 9.1.1569: tests: Vim9 tests can be improved 9.1.1568: need a few more default highlight groups 9.1.1567: crash when using inline diff mode 9.1.1566: self-referenced enum may not get freed 9.1.1565: configure: does not consider tiny version for wayland 9.1.1564: crash when opening popup to closing buffer 9.1.1563: completion: ruler may disappear 9.1.1562: close button always visible in the 'tabline' 9.1.1561: configure: wayland test can be improved 9.1.1560: configure: uses $PKG_CONFIG before it is defined 9.1.1559: tests: Test_popup_complete_info_01() fails when run alone 9.1.1558: str2blob() treats NULL string and empty string differently 9.1.1557: not possible to anchor specific lines in difff mode 9.1.1556: string handling in cmdexpand.c can be improved 9.1.1555: completion: repeated insertion of leader 9.1.1554: crash when omni-completion opens command-line window 9.1.1553: Vim9: crash when accessing a variable in if condition 9.1.1552: [security]: path traversal issue in tar.vim 9.1.1551: [security]: path traversal issue in zip.vim 9.1.1550: defaults: 'showcmd' is not enabled in non-compatible mode on Unix 9.1.1549: filetype: pkl files are not recognized 9.1.1548: filetype: OpenFGA files are not recognized 9.1.1547: Wayland: missing ifdef 9.1.1546: Vim9: error with has() and short circuit evaluation 9.1.1545: typo in os_unix.c 9.1.1544: :retab cannot be limited to indentation only 9.1.1543: Wayland: clipboard appears to not be working 9.1.1542: Coverity complains about uninitialized variable 9.1.1541: Vim9: error when last enum value ends with a comma 9.1.1540: completion: menu state wrong on interruption 9.1.1539: completion: messages don't respect 'shm' setting 9.1.1537: helptoc: still some issues when markdown code blocks 9.1.1536: tests: test_plugin_comment uses wrong :Check command 9.1.1535: the maximum search count uses hard-coded value 99 9.1.1534: unnecessary code in tabpanel.c 9.1.1533: helptoc: does not handle code sections in markdown well 9.1.1532: termdebug: not enough ways to configure breakpoints 9.1.1531: confusing error with nested legacy function 9.1.1530: Missing version change in v9.1.1529 9.1.1529: Win32: the toolbar in the GUI is old and dated 9.1.1528: completion: crash with getcompletion() 9.1.1527: Vim9: Crash with string compound assignment 9.1.1526: completion: search completion match may differ in case 9.1.1525: tests: testdir/ is a bit messy 9.1.1524: tests: too many imports in the test suite 9.1.1523: tests: test_clipmethod fails in non X11 environment 9.1.1522: tests: still some ANSI escape sequences in test output 9.1.1521: completion: pum does not reset scroll pos on reopen with 'noselect' 9.1.1520: completion: search completion doesn't handle 'smartcase' well 9.1.1519: tests: Test_termdebug_decimal_breakpoints() may fail 9.1.1518: getcompletiontype() may crash 9.1.1517: filetype: autopkgtest files are not recognized 9.1.1516: tests: no test that 'incsearch' is updated after search completion 9.1.1515: Coverity complains about potential unterminated strings 9.1.1514: Coverity complains about the use of tmpfile() 9.1.1513: resizing Vim window causes unexpected internal window width 9.1.1512: completion: can only complete from keyword characters 9.1.1511: tests: two edit tests change v:testing from 1 to 0 9.1.1510: Search completion may use invalid memory 9.1.1509: patch 9.1.1505 was not good 9.1.1508: string manipulation can be improved in cmdexpand.c 9.1.1507: symlinks are resolved on :cd commands 9.1.1506: tests: missing cleanup in Test_search_cmdline_incsearch_highlight() 9.1.1505: not possible to return completion type for :ex command 9.1.1504: filetype: numbat files are not recognized 9.1.1503: filetype: haxe files are not recognized 9.1.1502: filetype: quickbms files are not recognized 9.1.1501: filetype: flix files are not recognized 9.1.1500: if_python: typo in python error variable 9.1.1499: MS-Windows: no indication of ARM64 architecture 9.1.1498: completion: 'complete' funcs behave different to 'omnifunc' 9.1.1497: Link error with shm_open() 9.1.1496: terminal: still not highlighting empty cells correctly 9.1.1495: Wayland: uses $XDG_SEAT to determine seat 9.1.1494: runtime(tutor): no French translation for Chapter 2 9.1.1493: manually comparing positions on buffer 9.1.1492: tests: failure when Wayland compositor fails to start 9.1.1491: missing out-of-memory checks in cmdexpand.c 9.1.1490: 'wildchar' does not work in search contexts 9.1.1489: terminal: no visual highlight of empty cols with empty 'listchars' 9.1.1488: configure: using obsolete macro AC_PROG_GCC_TRADITIONAL 9.1.1487: :cl doesn't invoke :clist 9.1.1486: documentation issues with Wayland 9.1.1485: missing Wayland clipboard support 9.1.1484: tests: Turkish locale tests fails on Mac 9.1.1483: not possible to translation position in buffer 9.1.1482: scrolling with 'splitkeep' and line() 9.1.1481: gcc complains about uninitialized variable 9.1.1480: Turkish translation outdated 9.1.1479: regression when displaying localized percentage position 9.1.1478: Unused assignment in ex_uniq() 9.1.1476: no easy way to deduplicate text 9.1.1476: missing out-of-memory checks in cmdexpand.c 9.1.1475: completion: regression when &quot;nearest&quot; in 'completeopt' 9.1.1474: missing out-of-memory check in mark.c 9.1.1473: inconsistent range arg for :diffget/diffput 9.1.1472: if_python: PySequence_Fast_{GET_SIZE,GET_ITEM} removed 9.1.1471: completion: inconsistent ordering with CTRL-P 9.1.1470: use-after-free with popup callback on error 9.1.1469: potential buffer-underflow with invalid hl_id 9.1.1468: filetype: bright(er)script files are not recognized 9.1.1467: too many strlen() calls 9.1.1466: filetype: not all lex files are recognized 9.1.1465: tabpanel: not correctly drawn with 'equalalways' 9.1.1464: gv does not work in operator-pending mode 9.1.1463: Integer overflow in getmarklist() after linewise operation 9.1.1462: missing change from patch v9.1.1461 9.1.1461: tabpanel: tabpanel vanishes with popup menu 9.1.1460: MS-Windows: too many strlen() calls in os_win32.c 9.1.1459: xxd: coloring output is inefficient 9.1.1458: tabpanel: tabs not properly updated with 'stpl' 9.1.1457: compile warning with tabpanelopt 9.1.1456: comment plugin fails toggling if 'cms' contains \ 9.1.1455: Haiku: dailog objects created with no reference 9.1.1454: tests: no test for pum at line break position 9.1.1453: tests: Test_geometry() may fail 9.1.1452: completion: redundant check for completion flags 9.1.1451: tabpanel rendering artifacts when scrolling 9.1.1450: Session has wrong arglist with :tcd and :arglocal 9.1.1449: typo in pum_display() 9.1.1448: tabpanel is not displayed correctly when msg_scrolled 9.1.1447: completion: crash when backspacing with fuzzy completion 9.1.1446: filetype: cuda-gdb config files are not recognized 9.1.1445: negative matchfuzzy scores although there is a match 9.1.1444: Unused assignment in set_fuzzy_score() 9.1.1443: potential buffer underflow in insertchar() 9.1.1442: tests: Test_diff_fold_redraw() is insufficient 9.1.1441: completion: code can be improved 9.1.1440: too many strlen() calls in os_win32.c 9.1.1439: Last diff folds not merged 9.1.1438: tests: Test_breakindent_list_split() fails 9.1.1437: MS-Windows: internal compile error in uc_list() 9.1.1436: GUI control code is displayed on the console on startup 9.1.1435: completion: various flaws in fuzzy completion 9.1.1434: MS-Windows: missing out-of-memory checks in os_win32.c 9.1.1433: Unnecessary :if when writing session 9.1.1432: GTK GUI: Buffer menu does not handle unicode correctly 9.1.1431: Hit-Enter Prompt when loading session files 9.1.1430: tabpanel may flicker in the GUI 9.1.1429: dragging outside the tabpanel changes tabpagenr 9.1.1428: completion: register completion needs cleanup 9.1.1427: rendering artifacts with the tabpanel 9.1.1426: completion: register contents not completed 9.1.1425: tabpanel: there are still some problems with the tabpanel 9.1.1424: PMenu selection broken with multi-line selection and limits 9.1.1423: :tag command not working correctly using Vim9 Script 9.1.1422: scheduling of complete function can be improved 9.1.1421: tests: need a test for the new-style tutor.tutor 9.1.1420: tests: could need some more tests for shebang lines 9.1.1419: It is difficult to ignore all but some events 9.1.1418: configures GUI auto detection favors GTK2 9.1.1417: missing info about register completion in complete_info() 9.1.1416: completion limits not respected for fuzzy completions 9.1.1415: potential use-after free when there is an error in 'tabpanel' 9.1.1414: MS-Windows: compile warnings in os_win32.c 9.1.1413: spurious CursorHold triggered in GUI on startup 9.1.1412: tests: Test_tabpanel_tabonly() fails on larger screens 9.1.1411: crash when calling non-existing function for tabpanel 9.1.1410: out-of-bounds access with 'completefunc' 9.1.1409: using f-flag in 'complete' conflicts with Neovim 9.1.1408: not easily possible to complete from register content 9.1.1407: Can't use getpos('v') in OptionSet when using setbufvar() Package yast2-packager was updated: - Fix Internal Error: Encoding::CompatibilityError when adding SLE-HA as add-on product (bsc#1245555) - 4.6.10 Package zypper was updated: - Fixed `bash-completion`: `zypper refresh` now ignores repository priority lines. - Changes to support building against restructured libzypp in stack build (bsc#1230267) - version 1.14.94 - Fix addrepo to handle explicit --check and --no-check requests (bsc#1246466) - Accept &quot;show&quot; as alias for &quot;info&quot; (bsc#1245985) - version 1.14.93 - sh: Reset solver options after command (bsc#1245496) - Explicitly selecting DownloadAsNeeded also selects the classic_rpmtrans backend. - version 1.14.92 - BuildRequires: libzypp-devel &gt;= 17.37.6. Enhancements regarding mirror handling during repo refresh. Adapt to libzypp API changes. (bsc#1230267) - version 1.14.91 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-byos-v20251022-arm64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 bind-utils-9.18.33-150600.3.9.1 boost-license1_66_0-1.66.0-150200.12.7.1 cloud-regionsrv-client-10.5.2-150300.13.29.1 cloud-regionsrv-client-license-watcher-1.0.0-150300.13.29.1 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.29.1 crypto-policies-20230920.570ea89-150600.3.12.1 curl-8.14.1-150600.4.28.1 docker-28.3.3_ce-150000.230.1 dracut-059+suse.562.geca59f6b-150600.3.23.1 glibc-2.38-150600.14.37.1 glibc-i18ndata-2.38-150600.14.37.1 glibc-locale-2.38-150600.14.37.1 glibc-locale-base-2.38-150600.14.37.1 google-dracut-config-0.0.4-150300.7.12.1 google-guest-oslogin-20240311.01-150000.1.56.1 grub2-2.12-150600.8.37.1 grub2-arm64-efi-2.12-150600.8.37.1 hwinfo-21.89-150500.3.12.1 iproute2-6.4-150600.7.9.1 jq-1.6-150000.3.9.1 kernel-default-6.4.0-150600.23.73.1 krb5-1.20.1-150600.11.14.1 krb5-client-1.20.1-150600.11.14.1 libavahi-client3-0.8-150600.15.9.1 libavahi-common3-0.8-150600.15.9.1 libboost_regex1_66_0-1.66.0-150200.12.7.1 libboost_system1_66_0-1.66.0-150200.12.7.1 libboost_thread1_66_0-1.66.0-150200.12.7.1 libbrotlicommon1-1.0.7-150200.3.5.1 libbrotlidec1-1.0.7-150200.3.5.1 libcurl4-8.14.1-150600.4.28.1 libexpat1-2.7.1-150400.3.31.1 libgcc_s1-14.3.0+git11799-150000.1.11.1 libgnutls30-3.8.3-150600.4.9.1 libjq1-1.6-150000.3.9.1 libnvme-mi1-1.8+84.g73e0811d-150600.3.18.1 libnvme1-1.8+84.g73e0811d-150600.3.18.1 libopenssl1_1-1.1.1w-150600.5.18.1 libopenssl3-3.1.4-150600.5.39.1 libpolkit-agent-1-0-121-150500.3.6.1 libpolkit-gobject-1-0-121-150500.3.6.1 libpython3_6m1_0-3.6.15-150300.10.97.1 libruby2_5-2_5-2.5.9-150000.4.49.1 libsolv-tools-base-0.7.34-150600.8.17.2 libsqlite3-0-3.50.2-150000.3.33.1 libssh-config-0.9.8-150600.11.6.1 libssh4-0.9.8-150600.11.6.1 libstdc++6-14.3.0+git11799-150000.1.11.1 libsystemd0-254.27-150600.4.43.3 libudev1-254.27-150600.4.43.3 libxml2-2-2.10.3-150500.5.32.1 libyaml-0-2-0.1.7-150000.3.4.1 libzypp-17.37.18-150600.3.82.1 nscd-2.38-150600.14.37.1 nvme-cli-2.8+94.gbf4a448c-150600.3.21.1 openssl-3-3.1.4-150600.5.39.1 pam-1.3.0-150000.6.86.1 polkit-121-150500.3.6.1 python3-3.6.15-150300.10.97.2 python3-PyYAML-5.4.1-150300.3.6.1 python3-appdirs-1.4.3-150000.3.3.1 python3-asn1crypto-0.24.0-150000.3.5.1 python3-base-3.6.15-150300.10.97.1 python3-certifi-2018.1.18-150000.3.6.1 python3-cffi-1.13.2-150200.3.5.1 python3-chardet-3.0.4-150000.5.6.1 python3-cryptography-3.3.2-150400.26.1 python3-curses-3.6.15-150300.10.97.2 python3-idna-2.6-150000.3.6.1 python3-iniconfig-1.1.1-150000.1.13.1 python3-packaging-21.3-150200.3.6.1 python3-py-1.10.0-150100.5.15.1 python3-pyOpenSSL-21.0.0-150400.10.1 python3-pyasn1-0.4.2-150000.3.8.1 python3-pycparser-2.17-150000.3.5.1 python3-pyparsing-2.4.7-150300.3.3.1 python3-pytz-2022.1-150300.3.9.1 python3-requests-2.25.1-150300.3.18.1 python3-salt-3006.0-150500.4.57.2 python3-setuptools-44.1.1-150400.9.15.1 python3-six-1.14.0-150200.15.1 python3-solv-0.7.34-150600.8.17.2 python3-urllib3-1.25.10-150300.4.18.1 python3-zypp-plugin-0.6.5-150600.18.8.1 regionServiceClientConfigGCE-5.0.0-150000.4.18.1 release-notes-sles-15.6.20250821-150600.3.9.1 rsyslog-8.2406.0-150600.12.8.1 ruby-solv-0.7.34-150600.8.17.2 ruby2.5-2.5.9-150000.4.49.1 ruby2.5-stdlib-2.5.9-150000.4.49.1 salt-3006.0-150500.4.57.2 salt-minion-3006.0-150500.4.57.2 samba-client-libs-4.19.8+git.435.78ced6cf30d-150600.3.21.1 sqlite3-tcl-3.50.2-150000.3.33.1 sudo-1.9.15p5-150600.3.12.1 suse-build-key-12.0-150000.8.61.2 suse-module-tools-15.6.11-150600.3.9.2 sysconfig-0.85.10-150200.15.1 sysconfig-netconfig-0.85.10-150200.15.1 systemd-254.27-150600.4.43.3 systemd-presets-branding-SLE-15.1-150600.35.3.1 systemd-rpm-macros-16-150000.7.42.1 systemd-sysvcompat-254.27-150600.4.43.3 udev-254.27-150600.4.43.3 update-alternatives-1.19.0.4-150000.4.7.1 vim-9.1.1629-150500.20.33.1 vim-data-common-9.1.1629-150500.20.33.1 yast2-packager-4.6.10-150600.3.3.1 zypper-1.14.94-150600.10.52.1 bind-utils-9.18.33-150600.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 boost-license1_66_0-1.66.0-150200.12.7.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 cloud-regionsrv-client-10.5.2-150300.13.29.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 cloud-regionsrv-client-license-watcher-1.0.0-150300.13.29.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 cloud-regionsrv-client-plugin-gce-1.0.0-150300.13.29.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 crypto-policies-20230920.570ea89-150600.3.12.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 curl-8.14.1-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 docker-28.3.3_ce-150000.230.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 dracut-059+suse.562.geca59f6b-150600.3.23.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 glibc-2.38-150600.14.37.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 glibc-i18ndata-2.38-150600.14.37.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 glibc-locale-2.38-150600.14.37.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 glibc-locale-base-2.38-150600.14.37.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 google-dracut-config-0.0.4-150300.7.12.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 google-guest-oslogin-20240311.01-150000.1.56.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 grub2-2.12-150600.8.37.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 grub2-arm64-efi-2.12-150600.8.37.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 hwinfo-21.89-150500.3.12.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 iproute2-6.4-150600.7.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 jq-1.6-150000.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 kernel-default-6.4.0-150600.23.73.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 krb5-1.20.1-150600.11.14.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 krb5-client-1.20.1-150600.11.14.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libavahi-client3-0.8-150600.15.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libavahi-common3-0.8-150600.15.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libboost_regex1_66_0-1.66.0-150200.12.7.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libboost_system1_66_0-1.66.0-150200.12.7.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libboost_thread1_66_0-1.66.0-150200.12.7.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libbrotlicommon1-1.0.7-150200.3.5.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libbrotlidec1-1.0.7-150200.3.5.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libcurl4-8.14.1-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libexpat1-2.7.1-150400.3.31.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libgcc_s1-14.3.0+git11799-150000.1.11.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libgnutls30-3.8.3-150600.4.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libjq1-1.6-150000.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libnvme-mi1-1.8+84.g73e0811d-150600.3.18.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libnvme1-1.8+84.g73e0811d-150600.3.18.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libopenssl1_1-1.1.1w-150600.5.18.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libopenssl3-3.1.4-150600.5.39.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libpolkit-agent-1-0-121-150500.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libpolkit-gobject-1-0-121-150500.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libpython3_6m1_0-3.6.15-150300.10.97.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libruby2_5-2_5-2.5.9-150000.4.49.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libsolv-tools-base-0.7.34-150600.8.17.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libsqlite3-0-3.50.2-150000.3.33.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libssh-config-0.9.8-150600.11.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libssh4-0.9.8-150600.11.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libstdc++6-14.3.0+git11799-150000.1.11.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libsystemd0-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libudev1-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libxml2-2-2.10.3-150500.5.32.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libyaml-0-2-0.1.7-150000.3.4.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 libzypp-17.37.18-150600.3.82.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 nscd-2.38-150600.14.37.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 nvme-cli-2.8+94.gbf4a448c-150600.3.21.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 openssl-3-3.1.4-150600.5.39.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 pam-1.3.0-150000.6.86.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 polkit-121-150500.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-3.6.15-150300.10.97.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-PyYAML-5.4.1-150300.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-appdirs-1.4.3-150000.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-asn1crypto-0.24.0-150000.3.5.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-base-3.6.15-150300.10.97.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-certifi-2018.1.18-150000.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-cffi-1.13.2-150200.3.5.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-chardet-3.0.4-150000.5.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-cryptography-3.3.2-150400.26.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-curses-3.6.15-150300.10.97.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-idna-2.6-150000.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-iniconfig-1.1.1-150000.1.13.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-packaging-21.3-150200.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-py-1.10.0-150100.5.15.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-pyOpenSSL-21.0.0-150400.10.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-pyasn1-0.4.2-150000.3.8.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-pycparser-2.17-150000.3.5.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-pyparsing-2.4.7-150300.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-pytz-2022.1-150300.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-requests-2.25.1-150300.3.18.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-salt-3006.0-150500.4.57.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-setuptools-44.1.1-150400.9.15.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-six-1.14.0-150200.15.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-solv-0.7.34-150600.8.17.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-urllib3-1.25.10-150300.4.18.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 python3-zypp-plugin-0.6.5-150600.18.8.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 regionServiceClientConfigGCE-5.0.0-150000.4.18.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 release-notes-sles-15.6.20250821-150600.3.9.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 rsyslog-8.2406.0-150600.12.8.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 ruby-solv-0.7.34-150600.8.17.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 ruby2.5-2.5.9-150000.4.49.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 ruby2.5-stdlib-2.5.9-150000.4.49.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 salt-3006.0-150500.4.57.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 salt-minion-3006.0-150500.4.57.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 samba-client-libs-4.19.8+git.435.78ced6cf30d-150600.3.21.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 sqlite3-tcl-3.50.2-150000.3.33.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 sudo-1.9.15p5-150600.3.12.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 suse-build-key-12.0-150000.8.61.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 suse-module-tools-15.6.11-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 sysconfig-0.85.10-150200.15.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 sysconfig-netconfig-0.85.10-150200.15.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 systemd-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 systemd-presets-branding-SLE-15.1-150600.35.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 systemd-rpm-macros-16-150000.7.42.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 systemd-sysvcompat-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 udev-254.27-150600.4.43.3 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 update-alternatives-1.19.0.4-150000.4.7.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 vim-9.1.1629-150500.20.33.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 vim-data-common-9.1.1629-150500.20.33.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 yast2-packager-4.6.10-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 zypper-1.14.94-150600.10.52.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. CVE-2016-9840 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. CVE-2019-11135 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace CVE-2023-31248 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. CVE-2023-3772 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds read in smb2_sess_setup ksmbd does not consider the case of that smb2 session setup is in compound request. If this is the second payload of the compound, OOB read issue occurs while processing the first payload in the smb2_sess_setup(). CVE-2023-3867 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol. CVE-2023-39197 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of current smb2_ea_info. ksmbd need to validate buffer length Before accessing the next ea. ksmbd should check buffer length using buf_len, not next variable. next is the start offset of current ea that got from previous ea. CVE-2023-4130 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system. CVE-2023-42753 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), except for SMB2_OPLOCK_BREAK_HE command, the request size of other commands is not checked, it's not expected. Fix it by add check for request size of other commands. CVE-2023-4515 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Only free buffer VA that is not NULL In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly called only when the buffer to free exists, there are some instances that didn't do the check and triggered warnings in practice. We believe those checks were forgotten unintentionally. Add the checks back to fix the warnings. CVE-2023-52888 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: igb: Fix igb_down hung on surprise removal In a setup where a Thunderbolt hub connects to Ethernet and a display through USB Type-C, users may experience a hung task timeout when they remove the cable between the PC and the Thunderbolt hub. This is because the igb_down function is called multiple times when the Thunderbolt hub is unplugged. For example, the igb_io_error_detected triggers the first call, and the igb_remove triggers the second call. The second call to igb_down will block at napi_synchronize. Here's the call trace: __schedule+0x3b0/0xddb ? __mod_timer+0x164/0x5d3 schedule+0x44/0xa8 schedule_timeout+0xb2/0x2a4 ? run_local_timers+0x4e/0x4e msleep+0x31/0x38 igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] __dev_close_many+0x95/0xec dev_close_many+0x6e/0x103 unregister_netdevice_many+0x105/0x5b1 unregister_netdevice_queue+0xc2/0x10d unregister_netdev+0x1c/0x23 igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] pci_device_remove+0x3f/0x9c device_release_driver_internal+0xfe/0x1b4 pci_stop_bus_device+0x5b/0x7f pci_stop_bus_device+0x30/0x7f pci_stop_bus_device+0x30/0x7f pci_stop_and_remove_bus_device+0x12/0x19 pciehp_unconfigure_device+0x76/0xe9 pciehp_disable_slot+0x6e/0x131 pciehp_handle_presence_or_link_change+0x7a/0x3f7 pciehp_ist+0xbe/0x194 irq_thread_fn+0x22/0x4d ? irq_thread+0x1fd/0x1fd irq_thread+0x17b/0x1fd ? irq_forced_thread_fn+0x5f/0x5f kthread+0x142/0x153 ? __irq_get_irqchip_state+0x46/0x46 ? kthread_associate_blkcg+0x71/0x71 ret_from_fork+0x1f/0x30 In this case, igb_io_error_detected detaches the network interface and requests a PCIE slot reset, however, the PCIE reset callback is not being invoked and thus the Ethernet connection breaks down. As the PCIE error in this case is a non-fatal one, requesting a slot reset can be avoided. This patch fixes the task hung issue and preserves Ethernet connection by ignoring non-fatal PCIE errors. CVE-2023-53148 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Pointer may be dereferenced Klocwork tool reported pointer 'rport' returned from call to function fc_bsg_to_rport() may be NULL and will be dereferenced. Add a fix to validate rport before dereferencing. CVE-2023-53150 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid10: prevent soft lockup while flush writes Currently, there is no limit for raid1/raid10 plugged bio. While flushing writes, raid1 has cond_resched() while raid10 doesn't, and too many writes can cause soft lockup. Follow up soft lockup can be triggered easily with writeback test for raid10 with ramdisks: watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] Call Trace: <TASK> call_rcu+0x16/0x20 put_object+0x41/0x80 __delete_object+0x50/0x90 delete_object_full+0x2b/0x40 kmemleak_free+0x46/0xa0 slab_free_freelist_hook.constprop.0+0xed/0x1a0 kmem_cache_free+0xfd/0x300 mempool_free_slab+0x1f/0x30 mempool_free+0x3a/0x100 bio_free+0x59/0x80 bio_put+0xcf/0x2c0 free_r10bio+0xbf/0xf0 raid_end_bio_io+0x78/0xb0 one_write_done+0x8a/0xa0 raid10_end_write_request+0x1b4/0x430 bio_endio+0x175/0x320 brd_submit_bio+0x3b9/0x9b7 [brd] __submit_bio+0x69/0xe0 submit_bio_noacct_nocheck+0x1e6/0x5a0 submit_bio_noacct+0x38c/0x7e0 flush_pending_writes+0xf0/0x240 raid10d+0xac/0x1ed0 Fix the problem by adding cond_resched() to raid10 like what raid1 did. Note that unlimited plugged bio still need to be optimized, for example, in the case of lots of dirty pages writeback, this will take lots of memory and io will spend a long time in plug, hence io latency is bad. CVE-2023-53151 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix calltrace warning in amddrm_buddy_fini The following call trace is observed when removing the amdgpu driver, which is caused by that BOs allocated for psp are not freed until removing. [61811.450562] RIP: 0010:amddrm_buddy_fini.cold+0x29/0x47 [amddrm_buddy] [61811.450577] Call Trace: [61811.450577] <TASK> [61811.450579] amdgpu_vram_mgr_fini+0x135/0x1c0 [amdgpu] [61811.450728] amdgpu_ttm_fini+0x207/0x290 [amdgpu] [61811.450870] amdgpu_bo_fini+0x27/0xa0 [amdgpu] [61811.451012] gmc_v9_0_sw_fini+0x4a/0x60 [amdgpu] [61811.451166] amdgpu_device_fini_sw+0x117/0x520 [amdgpu] [61811.451306] amdgpu_driver_release_kms+0x16/0x30 [amdgpu] [61811.451447] devm_drm_dev_init_release+0x4d/0x80 [drm] [61811.451466] devm_action_release+0x15/0x20 [61811.451469] release_nodes+0x40/0xb0 [61811.451471] devres_release_all+0x9b/0xd0 [61811.451473] __device_release_driver+0x1bb/0x2a0 [61811.451476] driver_detach+0xf3/0x140 [61811.451479] bus_remove_driver+0x6c/0xf0 [61811.451481] driver_unregister+0x31/0x60 [61811.451483] pci_unregister_driver+0x40/0x90 [61811.451486] amdgpu_exit+0x15/0x447 [amdgpu] For smu v13_0_2, if the GPU supports xgmi, refer to commit f5c7e7797060 ("drm/amdgpu: Adjust removal control flow for smu v13_0_2"), it will run gpu recover in AMDGPU_RESET_FOR_DEVICE_REMOVE mode when removing, which makes all devices in hive list have hw reset but no resume except the basic ip blocks, then other ip blocks will not call .hw_fini according to ip_block.status.hw. Since psp_free_shared_bufs just includes some software operations, so move it to psp_sw_fini. CVE-2023-53152 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: udf: Fix uninitialized array access for some pathnames For filenames that begin with . and are between 2 and 5 characters long, UDF charset conversion code would read uninitialized memory in the output buffer. The only practical impact is that the name may be prepended a "unification hash" when it is not actually needed but still it is good to fix this. CVE-2023-53165 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix null pointer dereference in tracing_err_log_open() Fix an issue in function 'tracing_err_log_open'. The function doesn't call 'seq_open' if the file is opened only with write permissions, which results in 'file->private_data' being left as null. If we then use 'lseek' on that opened file, 'seq_lseek' dereferences 'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic. Writing to this node requires root privileges, therefore this bug has very little security impact. Tracefs node: /sys/kernel/tracing/error_log Example Kernel panic: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038 Call trace: mutex_lock+0x30/0x110 seq_lseek+0x34/0xb8 __arm64_sys_lseek+0x6c/0xb8 invoke_syscall+0x58/0x13c el0_svc_common+0xc4/0x10c do_el0_svc+0x24/0x98 el0_svc+0x24/0x88 el0t_64_sync_handler+0x84/0xe4 el0t_64_sync+0x1b4/0x1b8 Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02) ---[ end trace 561d1b49c12cf8a5 ]--- Kernel panic - not syncing: Oops: Fatal exception CVE-2023-53167 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: Removed unneeded of_node_put in felix_parse_ports_node Remove unnecessary of_node_put from the continue path to prevent child node from being released twice, which could avoid resource leak or other unexpected issues. CVE-2023-53170 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix possible memory leak if device_add() fails If device_add() returns error, the name allocated by dev_set_name() needs be freed. As the comment of device_add() says, put_device() should be used to decrease the reference count in the error path. So fix this by calling put_device(), then the name can be freed in kobject_cleanp(). CVE-2023-53174 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: hv: Fix a crash in hv_pci_restore_msi_msg() during hibernation When a Linux VM with an assigned PCI device runs on Hyper-V, if the PCI device driver is not loaded yet (i.e. MSI-X/MSI is not enabled on the device yet), doing a VM hibernation triggers a panic in hv_pci_restore_msi_msg() -> msi_lock_descs(&pdev->dev), because pdev->dev.msi.data is still NULL. Avoid the panic by checking if MSI-X/MSI is enabled. CVE-2023-53175 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: hi846: fix usage of pm_runtime_get_if_in_use() pm_runtime_get_if_in_use() does not only return nonzero values when the device is in use, it can return a negative errno too. And especially during resuming from system suspend, when runtime pm is not yet up again, -EAGAIN is being returned, so the subsequent pm_runtime_put() call results in a refcount underflow. Fix system-resume by handling -EAGAIN of pm_runtime_get_if_in_use(). CVE-2023-53177 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid NULL pointer access during management transmit cleanup Currently 'ar' reference is not added in skb_cb. Though this is generally not used during transmit completion callbacks, on interface removal the remaining idr cleanup callback uses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them during transmit call for proper usage to avoid NULL pointer dereference. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 CVE-2023-53180 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-buf/dma-resv: Stop leaking on krealloc() failure Currently dma_resv_get_fences() will leak the previously allocated array if the fence iteration got restarted and the krealloc_array() fails. Free the old array by hand, and make sure we still clear the returned *fences so the caller won't end up accessing freed memory. Some (but not all) of the callers of dma_resv_get_fences() seem to still trawl through the array even when dma_resv_get_fences() failed. And let's zero out *num_fences as well for good measure. CVE-2023-53181 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2023-53183 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Set new vector length before reallocating As part of fixing the allocation of the buffer for SVE state when changing SME vector length we introduced an immediate reallocation of the SVE state, this is also done when changing the SVE vector length for consistency. Unfortunately this reallocation is done prior to writing the new vector length to the task struct, meaning the allocation is done with the old vector length and can lead to memory corruption due to an undersized buffer being used. Move the update of the vector length before the allocation to ensure that the new vector length is taken into account. For some reason this isn't triggering any problems when running tests on the arm64 fixes branch (even after repeated tries) but is triggering issues very often after merge into mainline. CVE-2023-53184 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes A bad USB device is able to construct a service connection response message with target endpoint being ENDPOINT0 which is reserved for HTC_CTRL_RSVD_SVC and should not be modified to be used for any other services. Reject such service connection responses. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2023-53185 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free of new block group that became unused If a task creates a new block group and that block group becomes unused before we finish its creation, at btrfs_create_pending_block_groups(), then when btrfs_mark_bg_unused() is called against the block group, we assume that the block group is currently in the list of block groups to reclaim, and we move it out of the list of new block groups and into the list of unused block groups. This has two consequences: 1) We move it out of the list of new block groups associated to the current transaction. So the block group creation is not finished and if we attempt to delete the bg because it's unused, we will not find the block group item in the extent tree (or the new block group tree), its device extent items in the device tree etc, resulting in the deletion to fail due to the missing items; 2) We don't increment the reference count on the block group when we move it to the list of unused block groups, because we assumed the block group was on the list of block groups to reclaim, and in that case it already has the correct reference count. However the block group was on the list of new block groups, in which case no extra reference was taken because it's local to the current task. This later results in doing an extra reference count decrement when removing the block group from the unused list, eventually leading the reference count to 0. This second case was caught when running generic/297 from fstests, which produced the following assertion failure and stack trace: [589.559] assertion failed: refcount_read(&block_group->refs) == 1, in fs/btrfs/block-group.c:4299 [589.559] ------------[ cut here ]------------ [589.559] kernel BUG at fs/btrfs/block-group.c:4299! [589.560] invalid opcode: 0000 [#1] PREEMPT SMP PTI [589.560] CPU: 8 PID: 2819134 Comm: umount Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [589.560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [589.560] RIP: 0010:btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.561] Code: 68 62 da c0 (...) [589.561] RSP: 0018:ffffa55a8c3b3d98 EFLAGS: 00010246 [589.561] RAX: 0000000000000058 RBX: ffff8f030d7f2000 RCX: 0000000000000000 [589.562] RDX: 0000000000000000 RSI: ffffffff953f0878 RDI: 00000000ffffffff [589.562] RBP: ffff8f030d7f2088 R08: 0000000000000000 R09: ffffa55a8c3b3c50 [589.562] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8f05850b4c00 [589.562] R13: ffff8f030d7f2090 R14: ffff8f05850b4cd8 R15: dead000000000100 [589.563] FS: 00007f497fd2e840(0000) GS:ffff8f09dfc00000(0000) knlGS:0000000000000000 [589.563] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [589.563] CR2: 00007f497ff8ec10 CR3: 0000000271472006 CR4: 0000000000370ee0 [589.563] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [589.564] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [589.564] Call Trace: [589.564] <TASK> [589.565] ? __die_body+0x1b/0x60 [589.565] ? die+0x39/0x60 [589.565] ? do_trap+0xeb/0x110 [589.565] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.566] ? do_error_trap+0x6a/0x90 [589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.566] ? exc_invalid_op+0x4e/0x70 [589.566] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.567] ? asm_exc_invalid_op+0x16/0x20 [589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.567] ? btrfs_free_block_groups+0x449/0x4a0 [btrfs] [589.567] close_ctree+0x35d/0x560 [btrfs] [589.568] ? fsnotify_sb_delete+0x13e/0x1d0 [589.568] ? dispose_list+0x3a/0x50 [589.568] ? evict_inodes+0x151/0x1a0 [589.568] generic_shutdown_super+0x73/0x1a0 [589.569] kill_anon_super+0x14/0x30 [589.569] btrfs_kill_super+0x12/0x20 [btrfs] [589.569] deactivate_locked ---truncated--- CVE-2023-53187 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6/addrconf: fix a potential refcount underflow for idev Now in addrconf_mod_rs_timer(), reference idev depends on whether rs_timer is not pending. Then modify rs_timer timeout. There is a time gap in [1], during which if the pending rs_timer becomes not pending. It will miss to hold idev, but the rs_timer is activated. Thus rs_timer callback function addrconf_rs_timer() will be executed and put idev later without holding idev. A refcount underflow issue for idev can be caused by this. if (!timer_pending(&idev->rs_timer)) in6_dev_hold(idev); <--------------[1] mod_timer(&idev->rs_timer, jiffies + when); To fix the issue, hold idev if mod_timer() return 0. CVE-2023-53189 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix nexthop hash size The nexthop code expects a 31 bit hash, such as what is returned by fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash returned by skb_get_hash() can lead to problems related to the fact that 'int hash' is a negative number when the MSB is set. In the case of hash threshold nexthop groups, nexthop_select_path_hthr() will disproportionately select the first nexthop group entry. In the case of resilient nexthop groups, nexthop_select_path_res() may do an out of bounds access in nh_buckets[], for example: hash = -912054133 num_nh_buckets = 2 bucket_index = 65535 which leads to the following panic: BUG: unable to handle page fault for address: ffffc900025910c8 PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:nexthop_select_path+0x197/0xbf0 Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85 RSP: 0018:ffff88810c36f260 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77 RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8 RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219 R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0 R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900 FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x1ee/0x5c0 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? __pfx_page_fault_oops+0x10/0x10 ? search_bpf_extables+0xfe/0x1c0 ? fixup_exception+0x3b/0x470 ? exc_page_fault+0xf6/0x110 ? asm_exc_page_fault+0x26/0x30 ? nexthop_select_path+0x197/0xbf0 ? nexthop_select_path+0x197/0xbf0 ? lock_is_held_type+0xe7/0x140 vxlan_xmit+0x5b2/0x2340 ? __lock_acquire+0x92b/0x3370 ? __pfx_vxlan_xmit+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 ? __pfx_register_lock_class+0x10/0x10 ? skb_network_protocol+0xce/0x2d0 ? dev_hard_start_xmit+0xca/0x350 ? __pfx_vxlan_xmit+0x10/0x10 dev_hard_start_xmit+0xca/0x350 __dev_queue_xmit+0x513/0x1e20 ? __pfx___dev_queue_xmit+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? mark_held_locks+0x44/0x90 ? skb_push+0x4c/0x80 ? eth_header+0x81/0xe0 ? __pfx_eth_header+0x10/0x10 ? neigh_resolve_output+0x215/0x310 ? ip6_finish_output2+0x2ba/0xc90 ip6_finish_output2+0x2ba/0xc90 ? lock_release+0x236/0x3e0 ? ip6_mtu+0xbb/0x240 ? __pfx_ip6_finish_output2+0x10/0x10 ? find_held_lock+0x83/0xa0 ? lock_is_held_type+0xe7/0x140 ip6_finish_output+0x1ee/0x780 ip6_output+0x138/0x460 ? __pfx_ip6_output+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 ? __pfx_ip6_finish_output+0x10/0x10 NF_HOOK.constprop.0+0xc0/0x420 ? __pfx_NF_HOOK.constprop.0+0x10/0x10 ? ndisc_send_skb+0x2c0/0x960 ? __pfx_lock_release+0x10/0x10 ? __local_bh_enable_ip+0x93/0x110 ? lock_is_held_type+0xe7/0x140 ndisc_send_skb+0x4be/0x960 ? __pfx_ndisc_send_skb+0x10/0x10 ? mark_held_locks+0x65/0x90 ? find_held_lock+0x83/0xa0 ndisc_send_ns+0xb0/0x110 ? __pfx_ndisc_send_ns+0x10/0x10 addrconf_dad_work+0x631/0x8e0 ? lock_acquire+0x180/0x3f0 ? __pfx_addrconf_dad_work+0x10/0x10 ? mark_held_locks+0x24/0x90 process_one_work+0x582/0x9c0 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? mark_held_locks+0x24/0x90 worker_thread+0x93/0x630 ? __kthread_parkme+0xdc/0x100 ? __pfx_worker_thread+0x10/0x10 kthread+0x1a5/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ---truncated--- CVE-2023-53192 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init The line cards array is not freed in the error path of mlxsw_m_linecards_init(), which can lead to a memory leak. Fix by freeing the array in the error path, thereby making the error path identical to mlxsw_m_linecards_fini(). CVE-2023-53195 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: qcom: Fix potential memory leak Function dwc3_qcom_probe() allocates memory for resource structure which is pointed by parent_res pointer. This memory is not freed. This leads to memory leak. Use stack memory to prevent memory leak. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2023-53196 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: wraparound mbox producer index Driver is not handling the wraparound of the mbox producer index correctly. Currently the wraparound happens once u32 max is reached. Bit 31 of the producer index register is special and should be set only once for the first command. Because the producer index overflow setting bit31 after a long time, FW goes to initialization sequence and this causes FW hang. Fix is to wraparound the mbox producer index once it reaches u16 max. CVE-2023-53201 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data-races around user->unix_inflight. user->unix_inflight is changed under spin_lock(unix_gc_lock), but too_many_unix_fds() reads it locklessly. Let's annotate the write/read accesses to user->unix_inflight. BUG: KCSAN: data-race in unix_attach_fds / unix_inflight write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1: unix_inflight+0x157/0x180 net/unix/scm.c:66 unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123 unix_scm_to_skb net/unix/af_unix.c:1827 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0x148/0x160 net/socket.c:748 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 __sys_sendmsg+0x94/0x140 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0: too_many_unix_fds net/unix/scm.c:101 [inline] unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110 unix_scm_to_skb net/unix/af_unix.c:1827 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0x148/0x160 net/socket.c:748 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 __sys_sendmsg+0x94/0x140 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 value changed: 0x000000000000000c -> 0x000000000000000d Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 CVE-2023-53204 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler We do check for target CPU == -1, but this might change at the time we are going to use it. Hold the physical target CPU in a local variable to avoid out-of-bound accesses to the cpu arrays. CVE-2023-53205 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus_core) Fix NULL pointer dereference Pass i2c_client to _pmbus_is_enabled to drop the assumption that a regulator device is passed in. This will fix the issue of a NULL pointer dereference when called from _pmbus_get_flags. CVE-2023-53206 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ublk: fail to recover device if queue setup is interrupted In ublk_ctrl_end_recovery(), if wait_for_completion_interruptible() is interrupted by signal, queues aren't setup successfully yet, so we have to fail UBLK_CMD_END_USER_RECOVERY, otherwise kernel oops can be triggered. CVE-2023-53207 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state When emulating nested VM-Exit, load L1's TSC multiplier if L1's desired ratio doesn't match the current ratio, not if the ratio L1 is using for L2 diverges from the default. Functionally, the end result is the same as KVM will run L2 with L1's multiplier if L2's multiplier is the default, i.e. checking that L1's multiplier is loaded is equivalent to checking if L2 has a non-default multiplier. However, the assertion that TSC scaling is exposed to L1 is flawed, as userspace can trigger the WARN at will by writing the MSR and then updating guest CPUID to hide the feature (modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking KVM's state_test selftest to do vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0); vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR); after restoring state in a new VM+vCPU yields an endless supply of: ------------[ cut here ]------------ WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105 nested_svm_vmexit+0x6af/0x720 [kvm_amd] Call Trace: nested_svm_exit_handled+0x102/0x1f0 [kvm_amd] svm_handle_exit+0xb9/0x180 [kvm_amd] kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm] kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm] ? trace_hardirqs_off+0x4d/0xa0 __se_sys_ioctl+0x7a/0xc0 __x64_sys_ioctl+0x21/0x30 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Unlike the nested VMRUN path, hoisting the svm->tsc_scaling_enabled check into the if-statement is wrong as KVM needs to ensure L1's multiplier is loaded in the above scenario. Alternatively, the WARN_ON() could simply be deleted, but that would make KVM's behavior even more subtle, e.g. it's not immediately obvious why it's safe to write MSR_AMD64_TSC_RATIO when checking only tsc_ratio_msr. CVE-2023-53208 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: Fix possible NULL dereference In a call to mac80211_hwsim_select_tx_link() the sta pointer might be NULL, thus need to check that it is not NULL before accessing it. CVE-2023-53209 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: md/raid5-cache: fix null-ptr-deref for r5l_flush_stripe_to_raid() r5l_flush_stripe_to_raid() will check if the list 'flushing_ios' is empty, and then submit 'flush_bio', however, r5l_log_flush_endio() is clearing the list first and then clear the bio, which will cause null-ptr-deref: T1: submit flush io raid5d handle_active_stripes r5l_flush_stripe_to_raid // list is empty // add 'io_end_ios' to the list bio_init submit_bio // io1 T2: io1 is done r5l_log_flush_endio list_splice_tail_init // clear the list T3: submit new flush io ... r5l_flush_stripe_to_raid // list is empty // add 'io_end_ios' to the list bio_init bio_uninit // clear bio->bi_blkg submit_bio // null-ptr-deref Fix this problem by clearing bio before clearing the list in r5l_log_flush_endio(). CVE-2023-53210 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: sched/fair: Don't balance task to its current running CPU We've run into the case that the balancer tries to balance a migration disabled task and trigger the warning in set_task_cpu() like below: ------------[ cut here ]------------ WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : set_task_cpu+0x188/0x240 lr : load_balance+0x5d0/0xc60 sp : ffff80000803bc70 x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 Call trace: set_task_cpu+0x188/0x240 load_balance+0x5d0/0xc60 rebalance_domains+0x26c/0x380 _nohz_idle_balance.isra.0+0x1e0/0x370 run_rebalance_domains+0x6c/0x80 __do_softirq+0x128/0x3d8 ____do_softirq+0x18/0x24 call_on_irq_stack+0x2c/0x38 do_softirq_own_stack+0x24/0x3c __irq_exit_rcu+0xcc/0xf4 irq_exit_rcu+0x18/0x24 el1_interrupt+0x4c/0xe4 el1h_64_irq_handler+0x18/0x2c el1h_64_irq+0x74/0x78 arch_cpu_idle+0x18/0x4c default_idle_call+0x58/0x194 do_idle+0x244/0x2b0 cpu_startup_entry+0x30/0x3c secondary_start_kernel+0x14c/0x190 __secondary_switched+0xb0/0xb4 ---[ end trace 0000000000000000 ]--- Further investigation shows that the warning is superfluous, the migration disabled task is just going to be migrated to its current running CPU. This is because that on load balance if the dst_cpu is not allowed by the task, we'll re-select a new_dst_cpu as a candidate. If no task can be balanced to dst_cpu we'll try to balance the task to the new_dst_cpu instead. In this case when the migration disabled task is not on CPU it only allows to run on its current CPU, load balance will select its current CPU as new_dst_cpu and later triggers the warning above. The new_dst_cpu is chosen from the env->dst_grpmask. Currently it contains CPUs in sched_group_span() and if we have overlapped groups it's possible to run into this case. This patch makes env->dst_grpmask of group_balance_mask() which exclude any CPUs from the busiest group and solve the issue. For balancing in a domain with no overlapped groups the behaviour keeps same as before. CVE-2023-53215 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nubus: Partially revert proc_create_single_data() conversion The conversion to proc_create_single_data() introduced a regression whereby reading a file in /proc/bus/nubus results in a seg fault: # grep -r . /proc/bus/nubus/e/ Data read fault at 0x00000020 in Super Data (pc=0x1074c2) BAD KERNEL BUSERR Oops: 00000000 Modules linked in: PC: [<001074c2>] PDE_DATA+0xc/0x16 SR: 2010 SP: 38284958 a2: 01152370 d0: 00000001 d1: 01013000 d2: 01002790 d3: 00000000 d4: 00000001 d5: 0008ce2e a0: 00000000 a1: 00222a40 Process grep (pid: 45, task=142f8727) Frame format=B ssw=074d isc=2008 isb=4e5e daddr=00000020 dobuf=01199e70 baddr=001074c8 dibuf=ffffffff ver=f Stack from 01199e48: 01199e70 00222a58 01002790 00000000 011a3000 01199eb0 015000c0 00000000 00000000 01199ec0 01199ec0 000d551a 011a3000 00000001 00000000 00018000 d003f000 00000003 00000001 0002800d 01052840 01199fa8 c01f8000 00000000 00000029 0b532b80 00000000 00000000 00000029 0b532b80 01199ee4 00103640 011198c0 d003f000 00018000 01199fa8 00000000 011198c0 00000000 01199f4c 000b3344 011198c0 d003f000 00018000 01199fa8 00000000 00018000 011198c0 Call Trace: [<00222a58>] nubus_proc_rsrc_show+0x18/0xa0 [<000d551a>] seq_read+0xc4/0x510 [<00018000>] fp_fcos+0x2/0x82 [<0002800d>] __sys_setreuid+0x115/0x1c6 [<00103640>] proc_reg_read+0x5c/0xb0 [<00018000>] fp_fcos+0x2/0x82 [<000b3344>] __vfs_read+0x2c/0x13c [<00018000>] fp_fcos+0x2/0x82 [<00018000>] fp_fcos+0x2/0x82 [<000b8aa2>] sys_statx+0x60/0x7e [<000b34b6>] vfs_read+0x62/0x12a [<00018000>] fp_fcos+0x2/0x82 [<00018000>] fp_fcos+0x2/0x82 [<000b39c2>] ksys_read+0x48/0xbe [<00018000>] fp_fcos+0x2/0x82 [<000b3a4e>] sys_read+0x16/0x1a [<00018000>] fp_fcos+0x2/0x82 [<00002b84>] syscall+0x8/0xc [<00018000>] fp_fcos+0x2/0x82 [<0000c016>] not_ext+0xa/0x18 Code: 4e5e 4e75 4e56 0000 206e 0008 2068 ffe8 <2068> 0020 2008 4e5e 4e75 4e56 0000 2f0b 206e 0008 2068 0004 2668 0020 206b ffe8 Disabling lock debugging due to kernel taint Segmentation fault The proc_create_single_data() conversion does not work because single_open(file, nubus_proc_rsrc_show, PDE_DATA(inode)) is not equivalent to the original code. CVE-2023-53217 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") CVE-2023-53220 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix memleak due to fentry attach failure If it fails to attach fentry, the allocated bpf trampoline image will be left in the system. That can be verified by checking /proc/kallsyms. This meamleak can be verified by a simple bpf program as follows: SEC("fentry/trap_init") int fentry_run() { return 0; } It will fail to attach trap_init because this function is freed after kernel init, and then we can find the trampoline image is left in the system by checking /proc/kallsyms. $ tail /proc/kallsyms ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf] ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf] $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'" [2522] FUNC 'trap_init' type_id=119 linkage=static $ echo $((6442453466 & 0x7fffffff)) 2522 Note that there are two left bpf trampoline images, that is because the libbpf will fallback to raw tracepoint if -EINVAL is returned. CVE-2023-53221 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: jfs_dmap: Validate db_l2nbperpage while mounting In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block number inside dbFree(). db_l2nbperpage, which is the log2 number of blocks per page, is passed as an argument to BLKTODMAP which uses it for shifting. Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is too big. This happens because the large value is set without any validation in dbMount() at line 181. Thus, make sure that db_l2nbperpage is correct while mounting. Max number of blocks per page = Page size / Min block size => log2(Max num_block per page) = log2(Page size / Min block size) = log2(Page size) - log2(Min block size) => Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE CVE-2023-53222 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix OOB and integer underflow when rx packets Make sure mwifiex_process_mgmt_packet, mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet, mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet not out-of-bounds access the skb->data buffer. CVE-2023-53226 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix warning in cifs_smb3_do_mount() This fixes the following warning reported by kernel test robot fs/smb/client/cifsfs.c:982 cifs_smb3_do_mount() warn: possible memory leak of 'cifs_sb' CVE-2023-53230 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: erofs: Fix detection of atomic context Current check for atomic context is not sufficient as z_erofs_decompressqueue_endio can be called under rcu lock from blk_mq_flush_plug_list(). See the stacktrace [1] In such case we should hand off the decompression work for async processing rather than trying to do sync decompression in current context. Patch fixes the detection by checking for rcu_read_lock_any_held() and while at it use more appropriate !in_task() check than in_atomic(). Background: Historically erofs would always schedule a kworker for decompression which would incur the scheduling cost regardless of the context. But z_erofs_decompressqueue_endio() may not always be in atomic context and we could actually benefit from doing the decompression in z_erofs_decompressqueue_endio() if we are in thread context, for example when running with dm-verity. This optimization was later added in patch [2] which has shown improvement in performance benchmarks. ============================================== [1] Problem stacktrace [name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291 [name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi [name:core&]preempt_count: 0, expected: 0 [name:core&]RCU nest depth: 1, expected: 0 CPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1 Hardware name: MT6897 (DT) Call trace: dump_backtrace+0x108/0x15c show_stack+0x20/0x30 dump_stack_lvl+0x6c/0x8c dump_stack+0x20/0x48 __might_resched+0x1fc/0x308 __might_sleep+0x50/0x88 mutex_lock+0x2c/0x110 z_erofs_decompress_queue+0x11c/0xc10 z_erofs_decompress_kickoff+0x110/0x1a4 z_erofs_decompressqueue_endio+0x154/0x180 bio_endio+0x1b0/0x1d8 __dm_io_complete+0x22c/0x280 clone_endio+0xe4/0x280 bio_endio+0x1b0/0x1d8 blk_update_request+0x138/0x3a4 blk_mq_plug_issue_direct+0xd4/0x19c blk_mq_flush_plug_list+0x2b0/0x354 __blk_flush_plug+0x110/0x160 blk_finish_plug+0x30/0x4c read_pages+0x2fc/0x370 page_cache_ra_unbounded+0xa4/0x23c page_cache_ra_order+0x290/0x320 do_sync_mmap_readahead+0x108/0x2c0 filemap_fault+0x19c/0x52c __do_fault+0xc4/0x114 handle_mm_fault+0x5b4/0x1168 do_page_fault+0x338/0x4b4 do_translation_fault+0x40/0x60 do_mem_abort+0x60/0xc8 el0_da+0x4c/0xe0 el0t_64_sync_handler+0xd4/0xfc el0t_64_sync+0x1a0/0x1a4 [2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/ CVE-2023-53231 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/tests: helpers: Avoid a driver uaf when using __drm_kunit_helper_alloc_drm_device() the driver may be dereferenced by device-managed resources up until the device is freed, which is typically later than the kunit-managed resource code frees it. Fix this by simply make the driver device-managed as well. In short, the sequence leading to the UAF is as follows: INIT: Code allocates a struct device as a kunit-managed resource. Code allocates a drm driver as a kunit-managed resource. Code allocates a drm device as a device-managed resource. EXIT: Kunit resource cleanup frees the drm driver Kunit resource cleanup puts the struct device, which starts a device-managed resource cleanup device-managed cleanup calls drm_dev_put() drm_dev_put() dereferences the (now freed) drm driver -> Boom. Related KASAN message: [55272.551542] ================================================================== [55272.551551] BUG: KASAN: slab-use-after-free in drm_dev_put.part.0+0xd4/0xe0 [drm] [55272.551603] Read of size 8 at addr ffff888127502828 by task kunit_try_catch/10353 [55272.551612] CPU: 4 PID: 10353 Comm: kunit_try_catch Tainted: G U N 6.5.0-rc7+ #155 [55272.551620] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 0403 01/26/2021 [55272.551626] Call Trace: [55272.551629] <TASK> [55272.551633] dump_stack_lvl+0x57/0x90 [55272.551639] print_report+0xcf/0x630 [55272.551645] ? _raw_spin_lock_irqsave+0x5f/0x70 [55272.551652] ? drm_dev_put.part.0+0xd4/0xe0 [drm] [55272.551694] kasan_report+0xd7/0x110 [55272.551699] ? drm_dev_put.part.0+0xd4/0xe0 [drm] [55272.551742] drm_dev_put.part.0+0xd4/0xe0 [drm] [55272.551783] devres_release_all+0x15d/0x1f0 [55272.551790] ? __pfx_devres_release_all+0x10/0x10 [55272.551797] device_unbind_cleanup+0x16/0x1a0 [55272.551802] device_release_driver_internal+0x3e5/0x540 [55272.551808] ? kobject_put+0x5d/0x4b0 [55272.551814] bus_remove_device+0x1f1/0x3f0 [55272.551819] device_del+0x342/0x910 [55272.551826] ? __pfx_device_del+0x10/0x10 [55272.551830] ? lock_release+0x339/0x5e0 [55272.551836] ? kunit_remove_resource+0x128/0x290 [kunit] [55272.551845] ? __pfx_lock_release+0x10/0x10 [55272.551851] platform_device_del.part.0+0x1f/0x1e0 [55272.551856] ? _raw_spin_unlock_irqrestore+0x30/0x60 [55272.551863] kunit_remove_resource+0x195/0x290 [kunit] [55272.551871] ? _raw_spin_unlock_irqrestore+0x30/0x60 [55272.551877] kunit_cleanup+0x78/0x120 [kunit] [55272.551885] ? __kthread_parkme+0xc1/0x1f0 [55272.551891] ? __pfx_kunit_try_run_case_cleanup+0x10/0x10 [kunit] [55272.551900] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit] [55272.551909] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit] [55272.551919] kthread+0x2e7/0x3c0 [55272.551924] ? __pfx_kthread+0x10/0x10 [55272.551929] ret_from_fork+0x2d/0x70 [55272.551935] ? __pfx_kthread+0x10/0x10 [55272.551940] ret_from_fork_asm+0x1b/0x30 [55272.551948] </TASK> [55272.551953] Allocated by task 10351: [55272.551956] kasan_save_stack+0x1c/0x40 [55272.551962] kasan_set_track+0x21/0x30 [55272.551966] __kasan_kmalloc+0x8b/0x90 [55272.551970] __kmalloc+0x5e/0x160 [55272.551976] kunit_kmalloc_array+0x1c/0x50 [kunit] [55272.551984] drm_exec_test_init+0xfa/0x2c0 [drm_exec_test] [55272.551991] kunit_try_run_case+0xdd/0x250 [kunit] [55272.551999] kunit_generic_run_threadfn_adapter+0x4a/0x90 [kunit] [55272.552008] kthread+0x2e7/0x3c0 [55272.552012] ret_from_fork+0x2d/0x70 [55272.552017] ret_from_fork_asm+0x1b/0x30 [55272.552024] Freed by task 10353: [55272.552027] kasan_save_stack+0x1c/0x40 [55272.552032] kasan_set_track+0x21/0x30 [55272.552036] kasan_save_free_info+0x27/0x40 [55272.552041] __kasan_slab_free+0x106/0x180 [55272.552046] slab_free_freelist_hook+0xb3/0x160 [55272.552051] __kmem_cache_free+0xb2/0x290 [55272.552056] kunit_remove_resource+0x195/0x290 [kunit] [55272.552064] kunit_cleanup+0x7 ---truncated--- CVE-2023-53235 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() The size of array 'priv->ports[]' is INNO_PHY_PORT_NUM. In the for loop, 'i' is used as the index for array 'priv->ports[]' with a check (i > INNO_PHY_PORT_NUM) which indicates that INNO_PHY_PORT_NUM is allowed value for 'i' in the same loop. This > comparison needs to be changed to >=, otherwise it potentially leads to an out of bounds write on the next iteration through the loop CVE-2023-53238 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile Callers of `btrfs_reduce_alloc_profile` expect it to return exactly one allocation profile flag, and failing to do so may ultimately result in a WARN_ON and remount-ro when allocating new blocks, like the below transaction abort on 6.1. `btrfs_reduce_alloc_profile` has two ways of determining the profile, first it checks if a conversion balance is currently running and uses the profile we're converting to. If no balance is currently running, it returns the max-redundancy profile which at least one block in the selected block group has. This works by simply checking each known allocation profile bit in redundancy order. However, `btrfs_reduce_alloc_profile` has not been updated as new flags have been added - first with the `DUP` profile and later with the RAID1C34 profiles. Because of the way it checks, if we have blocks with different profiles and at least one is known, that profile will be selected. However, if none are known we may return a flag set with multiple allocation profiles set. This is currently only possible when a balance from one of the three unhandled profiles to another of the unhandled profiles is canceled after allocating at least one block using the new profile. In that case, a transaction abort like the below will occur and the filesystem will need to be mounted with -o skip_balance to get it mounted rw again (but the balance cannot be resumed without a similar abort). [770.648] ------------[ cut here ]------------ [770.648] BTRFS: Transaction aborted (error -22) [770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs] [770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test [770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0 [770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test) [770.648] MSR: 9000000002029033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 28848282 XER: 20040000 [770.648] CFAR: c000000000135110 IRQMASK: 0 GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026 GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027 GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8 GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000 GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001 GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800 GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001 [770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs] [770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] [770.648] Call Trace: [770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable) [770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs] [770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs] [770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs] [770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs] [770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs] [770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs] [770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs] [770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs] [770.648] [ ---truncated--- CVE-2023-53243 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix handling of virtual Fibre Channel timeouts Hyper-V provides the ability to connect Fibre Channel LUNs to the host system and present them in a guest VM as a SCSI device. I/O to the vFC device is handled by the storvsc driver. The storvsc driver includes a partial integration with the FC transport implemented in the generic portion of the Linux SCSI subsystem so that FC attributes can be displayed in /sys. However, the partial integration means that some aspects of vFC don't work properly. Unfortunately, a full and correct integration isn't practical because of limitations in what Hyper-V provides to the guest. In particular, in the context of Hyper-V storvsc, the FC transport timeout function fc_eh_timed_out() causes a kernel panic because it can't find the rport and dereferences a NULL pointer. The original patch that added the call from storvsc_eh_timed_out() to fc_eh_timed_out() is faulty in this regard. In many cases a timeout is due to a transient condition, so the situation can be improved by just continuing to wait like with other I/O requests issued by storvsc, and avoiding the guaranteed panic. For a permanent failure, continuing to wait may result in a hung thread instead of a panic, which again may be better. So fix the panic by removing the storvsc call to fc_eh_timed_out(). This allows storvsc to keep waiting for a response. The change has been tested by users who experienced a panic in fc_eh_timed_out() due to transient timeouts, and it solves their problem. In the future we may want to deprecate the vFC functionality in storvsc since it can't be fully fixed. But it has current users for whom it is working well enough, so it should probably stay for a while longer. CVE-2023-53245 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand While trying to get the subpage blocksize tests running, I hit the following panic on generic/476 assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 kernel BUG at fs/btrfs/subpage.c:229! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023 pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : btrfs_subpage_assert+0xbc/0xf0 lr : btrfs_subpage_assert+0xbc/0xf0 Call trace: btrfs_subpage_assert+0xbc/0xf0 btrfs_subpage_clear_checked+0x38/0xc0 btrfs_page_clear_checked+0x48/0x98 btrfs_truncate_block+0x5d0/0x6a8 btrfs_cont_expand+0x5c/0x528 btrfs_write_check.isra.0+0xf8/0x150 btrfs_buffered_write+0xb4/0x760 btrfs_do_write_iter+0x2f8/0x4b0 btrfs_file_write_iter+0x1c/0x30 do_iter_readv_writev+0xc8/0x158 do_iter_write+0x9c/0x210 vfs_iter_write+0x24/0x40 iter_file_splice_write+0x224/0x390 direct_splice_actor+0x38/0x68 splice_direct_to_actor+0x12c/0x260 do_splice_direct+0x90/0xe8 generic_copy_file_range+0x50/0x90 vfs_copy_file_range+0x29c/0x470 __arm64_sys_copy_file_range+0xcc/0x498 invoke_syscall.constprop.0+0x80/0xd8 do_el0_svc+0x6c/0x168 el0_svc+0x50/0x1b0 el0t_64_sync_handler+0x114/0x120 el0t_64_sync+0x194/0x198 This happens because during btrfs_cont_expand we'll get a page, set it as mapped, and if it's not Uptodate we'll read it. However between the read and re-locking the page we could have called release_folio() on the page, but left the page in the file mapping. release_folio() can clear the page private, and thus further down we blow up when we go to modify the subpage bits. Fix this by putting the set_page_extent_mapped() after the read. This is safe because read_folio() will call set_page_extent_mapped() before it does the read, and then if we clear page private but leave it on the mapping we're completely safe re-setting set_page_extent_mapped(). With this patch I can now run generic/476 without panicing. CVE-2023-53247 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: install stub fence into potential unused fence pointers When using cpu to update page tables, vm update fences are unused. Install stub fence into these fence pointers instead of NULL to avoid NULL dereference when calling dma_fence_wait() on them. CVE-2023-53248 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe Use devm_of_iomap() instead of of_iomap() to automatically handle the unused ioremap region. If any error occurs, regions allocated by kzalloc() will leak, but using devm_kzalloc() instead will automatically free the memory using devm_kfree(). CVE-2023-53249 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler() rxq can be NULL only when trans_pcie->rxq is NULL and entry->entry is zero. For the case when entry->entry is not equal to 0, rxq won't be NULL even if trans_pcie->rxq is NULL. Modify checker to check for trans_pcie->rxq. CVE-2023-53251 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync hci_update_accept_list_sync iterates over hdev->pend_le_conns and hdev->pend_le_reports, and waits for controller events in the loop body, without holding hdev lock. Meanwhile, these lists and the items may be modified e.g. by le_scan_cleanup. This can invalidate the list cursor or any other item in the list, resulting to invalid behavior (eg use-after-free). Use RCU for the hci_conn_params action lists. Since the loop bodies in hci_sync block and we cannot use RCU or hdev->lock for the whole loop, copy list items first and then iterate on the copy. Only the flags field is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we read valid values. Free params everywhere with hci_conn_params_free so the cleanup is guaranteed to be done properly. This fixes the following, which can be triggered e.g. by BlueZ new mgmt-tester case "Add + Remove Device Nowait - Success", or by changing hci_le_set_cig_params to always return false, and running iso-tester: ================================================================== BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107) print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) ? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65) ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) kasan_report (mm/kasan/report.c:538) ? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) ? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780) ? mutex_lock (kernel/locking/mutex.c:282) ? __pfx_mutex_lock (kernel/locking/mutex.c:282) ? __pfx_mutex_unlock (kernel/locking/mutex.c:538) ? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861) hci_cmd_sync_work (net/bluetooth/hci_sync.c:306) process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) ? __pfx_worker_thread (kernel/workqueue.c:2480) kthread (kernel/kthread.c:376) ? __pfx_kthread (kernel/kthread.c:331) ret_from_fork (arch/x86/entry/entry_64.S:314) </TASK> Allocated by task 31: kasan_save_stack (mm/kasan/common.c:46) kasan_set_track (mm/kasan/common.c:52) __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277) hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589) hci_connect_cis (net/bluetooth/hci_conn.c:2266) iso_connect_cis (net/bluetooth/iso.c:390) iso_sock_connect (net/bluetooth/iso.c:899) __sys_connect (net/socket.c:2003 net/socket.c:2020) __x64_sys_connect (net/socket.c:2027) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) Freed by task 15: kasan_save_stack (mm/kasan/common.c:46) kasan_set_track (mm/kasan/common.c:52) kasan_save_free_info (mm/kasan/generic.c:523) __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244) __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800) hci_conn_params_del (net/bluetooth/hci_core.c:2323) le_scan_cleanup (net/bluetooth/hci_conn.c:202) process_one_work (./arch/x86/include/asm/preempt. ---truncated--- CVE-2023-53252 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() svc_create_memory_pool() is only called from stratix10_svc_drv_probe(). Most of resources in the probe are managed, but not this memremap() call. There is also no memunmap() call in the file. So switch to devm_memremap() to avoid a resource leak. CVE-2023-53255 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check S1G action frame size Before checking the action code, check that it even exists in the frame. CVE-2023-53257 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix possible underflow for displays with large vblank [Why] Underflow observed when using a display with a large vblank region and low refresh rate [How] Simplify calculation of vblank_nom Increase value for VBlankNomDefaultUS to 800us CVE-2023-53258 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ovl: fix null pointer dereference in ovl_permission() Following process: P1 P2 path_lookupat link_path_walk inode_permission ovl_permission ovl_i_path_real(inode, &realpath) path->dentry = ovl_i_dentry_upper(inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL realinode = d_inode(realpath.dentry) // return NULL inode_permission(realinode) inode->i_sb // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 335.664979] BUG: kernel NULL pointer dereference, address: 0000000000000002 [ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0 [ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0 [ 335.678939] Call Trace: [ 335.679165] <TASK> [ 335.679371] ovl_permission+0xde/0x320 [ 335.679723] inode_permission+0x15e/0x2c0 [ 335.680090] link_path_walk+0x115/0x550 [ 335.680771] path_lookupat.isra.0+0xb2/0x200 [ 335.681170] filename_lookup+0xda/0x240 [ 335.681922] vfs_statx+0xa6/0x1f0 [ 335.682233] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking. CVE-2023-53260 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: coresight: Fix memory leak in acpi_buffer->pointer There are memory leaks reported by kmemleak: ... unreferenced object 0xffff00213c141000 (size 1024): comm "systemd-udevd", pid 2123, jiffies 4294909467 (age 6062.160s) hex dump (first 32 bytes): 04 00 00 00 02 00 00 00 18 10 14 3c 21 00 ff ff ...........<!... 00 00 00 00 00 00 00 00 03 00 00 00 10 00 00 00 ................ backtrace: [<000000004b7c9001>] __kmem_cache_alloc_node+0x2f8/0x348 [<00000000b0fc7ceb>] __kmalloc+0x58/0x108 [<0000000064ff4695>] acpi_os_allocate+0x2c/0x68 [<000000007d57d116>] acpi_ut_initialize_buffer+0x54/0xe0 [<0000000024583908>] acpi_evaluate_object+0x388/0x438 [<0000000017b2e72b>] acpi_evaluate_object_typed+0xe8/0x240 [<000000005df0eac2>] coresight_get_platform_data+0x1b4/0x988 [coresight] ... The ACPI buffer memory (buf.pointer) should be freed. But the buffer is also used after returning from acpi_get_dsd_graph(). Move the temporary variables buf to acpi_coresight_parse_graph(), and free it before the function return to prevent memory leak. CVE-2023-53261 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create We can't simply free the connector after calling drm_connector_init on it. We need to clean up the drm side first. It might not fix all regressions from commit 2b5d1c29f6c4 ("drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts"), but at least it fixes a memory corruption in error handling related to that commit. CVE-2023-53263 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: clk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe Use devm_of_iomap() instead of of_iomap() to automatically handle the unused ioremap region. If any error occurs, regions allocated by kzalloc() will leak, but using devm_kzalloc() instead will automatically free the memory using devm_kfree(). Also, fix error handling of hws by adding unregister_hws label, which unregisters remaining hws when iomap failed. CVE-2023-53264 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: net: ena: fix shift-out-of-bounds in exponential backoff The ENA adapters on our instances occasionally reset. Once recently logged a UBSAN failure to console in the process: UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117 Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017 Workqueue: ena ena_fw_reset_device [ena] Call Trace: <TASK> dump_stack_lvl+0x4a/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x36 __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e ? __const_udelay+0x43/0x50 ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena] wait_for_reset_state+0x54/0xa0 [ena] ena_com_dev_reset+0xc8/0x110 [ena] ena_down+0x3fe/0x480 [ena] ena_destroy_device+0xeb/0xf0 [ena] ena_fw_reset_device+0x30/0x50 [ena] process_one_work+0x22b/0x3d0 worker_thread+0x4d/0x3f0 ? process_one_work+0x3d0/0x3d0 kthread+0x12a/0x150 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x22/0x30 </TASK> Apparently, the reset delays are getting so large they can trigger a UBSAN panic. Looking at the code, the current timeout is capped at 5000us. Using a base value of 100us, the current code will overflow after (1<<29). Even at values before 32, this function wraps around, perhaps unintentionally. Cap the value of the exponent used for this backoff at (1<<16) which is larger than currently necessary, but large enough to support bigger values in the future. CVE-2023-53272 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: mt8183: Add back SSPM related clocks This reverts commit 860690a93ef23b567f781c1b631623e27190f101. On the MT8183, the SSPM related clocks were removed claiming a lack of usage. This however causes some issues when the driver was converted to the new simple-probe mechanism. This mechanism allocates enough space for all the clocks defined in the clock driver, not the highest index in the DT binding. This leads to out-of-bound writes if their are holes in the DT binding or the driver (due to deprecated or unimplemented clocks). These errors can go unnoticed and cause memory corruption, leading to crashes in unrelated areas, or nothing at all. KASAN will detect them. Add the SSPM related clocks back to the MT8183 clock driver to fully implement the DT binding. The SSPM clocks are for the power management co-processor, and should never be turned off. They are marked as such. CVE-2023-53274 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() The variable codec->regmap is often protected by the lock codec->regmap_lock when is accessed. However, it is accessed without holding the lock when is accessed in snd_hdac_regmap_sync(): if (codec->regmap) In my opinion, this may be a harmful race, because if codec->regmap is set to NULL right after the condition is checked, a null-pointer dereference can occur in the called function regcache_sync(): map->lock(map->lock_arg); --> Line 360 in drivers/base/regmap/regcache.c To fix this possible null-pointer dereference caused by data race, the mutex_lock coverage is extended to protect the if statement as well as the function call to regcache_sync(). [ Note: the lack of the regmap_lock itself is harmless for the current codec driver implementations, as snd_hdac_regmap_sync() is only for PM runtime resume that is prohibited during the codec probe. But the change makes the whole code more consistent, so it's merged as is -- tiwai ] CVE-2023-53275 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up gets called for uninitialized wait queue sp->nvme_ls_waitq. qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0 qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc] RIP: 0010:__wake_up_common+0x4c/0x190 RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086 RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320 RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8 R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20 R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: __wake_up_common_lock+0x7c/0xc0 qla_nvme_ls_req+0x355/0x4c0 [qla2xxx] ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc] ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc] ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc] Remove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed previously in the commits tagged Fixed: below. CVE-2023-53280 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Return the firmware result upon destroying QP/RQ Previously when destroying a QP/RQ, the result of the firmware destruction function was ignored and upper layers weren't informed about the failure. Which in turn could lead to various problems since when upper layer isn't aware of the failure it continues its operation thinking that the related QP/RQ was successfully destroyed while it actually wasn't, which could lead to the below kernel WARN. Currently, we return the correct firmware destruction status to upper layers which in case of the RQ would be mlx5_ib_destroy_wq() which was already capable of handling RQ destruction failure or in case of a QP to destroy_qp_common(), which now would actually warn upon qp destruction failure. WARNING: CPU: 3 PID: 995 at drivers/infiniband/core/rdma_core.c:940 uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs] Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core overlay mlx5_core fuse CPU: 3 PID: 995 Comm: python3 Not tainted 5.16.0-rc5+ #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:uverbs_destroy_ufile_hw+0xcb/0xe0 [ib_uverbs] Code: 41 5c 41 5d 41 5e e9 44 34 f0 e0 48 89 df e8 4c 77 ff ff 49 8b 86 10 01 00 00 48 85 c0 74 a1 4c 89 e7 ff d0 eb 9a 0f 0b eb c1 <0f> 0b be 04 00 00 00 48 89 df e8 b6 f6 ff ff e9 75 ff ff ff 90 0f RSP: 0018:ffff8881533e3e78 EFLAGS: 00010287 RAX: ffff88811b2cf3e0 RBX: ffff888106209700 RCX: 0000000000000000 RDX: ffff888106209780 RSI: ffff8881533e3d30 RDI: ffff888109b101a0 RBP: 0000000000000001 R08: ffff888127cb381c R09: 0de9890000000009 R10: ffff888127cb3800 R11: 0000000000000000 R12: ffff888106209780 R13: ffff888106209750 R14: ffff888100f20660 R15: 0000000000000000 FS: 00007f8be353b740(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8bd5b117c0 CR3: 000000012cd8a004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ib_uverbs_close+0x1a/0x90 [ib_uverbs] __fput+0x82/0x230 task_work_run+0x59/0x90 exit_to_user_mode_prepare+0x138/0x140 syscall_exit_to_user_mode+0x1d/0x50 ? __x64_sys_close+0xe/0x40 do_syscall_64+0x4a/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f8be3ae0abb Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 83 43 f9 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 c1 43 f9 ff 8b 44 RSP: 002b:00007ffdb51909c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000557bb7f7c020 RCX: 00007f8be3ae0abb RDX: 0000557bb7c74010 RSI: 0000557bb7f14ca0 RDI: 0000000000000005 RBP: 0000557bb7fbd598 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000557bb7fbd5b8 R13: 0000557bb7fbd5a8 R14: 0000000000001000 R15: 0000557bb7f7c020 </TASK> CVE-2023-53286 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: Put the cdns set active part outside the spin lock The device may be scheduled during the resume process, so this cannot appear in atomic operations. Since pm_runtime_set_active will resume suppliers, put set active outside the spin lock, which is only used to protect the struct cdns data structure, otherwise the kernel will report the following warning: BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1163 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 651, name: sh preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 CPU: 0 PID: 651 Comm: sh Tainted: G WC 6.1.20 #1 Hardware name: Freescale i.MX8QM MEK (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x64/0x80 dump_stack+0x1c/0x38 __might_resched+0x1fc/0x240 __might_sleep+0x68/0xc0 __pm_runtime_resume+0x9c/0xe0 rpm_get_suppliers+0x68/0x1b0 __pm_runtime_set_status+0x298/0x560 cdns_resume+0xb0/0x1c0 cdns3_controller_resume.isra.0+0x1e0/0x250 cdns3_plat_resume+0x28/0x40 CVE-2023-53287 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/client: Fix memory leak in drm_client_modeset_probe When a new mode is set to modeset->mode, the previous mode should be freed. This fixes the following kmemleak report: drm_mode_duplicate+0x45/0x220 [drm] drm_client_modeset_probe+0x944/0xf50 [drm] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] drm_client_register+0x169/0x240 [drm] ast_pci_probe+0x142/0x190 [ast] local_pci_probe+0xdc/0x180 work_for_cpu_fn+0x4e/0xa0 process_one_work+0x8b7/0x1540 worker_thread+0x70a/0xed0 kthread+0x29f/0x340 ret_from_fork+0x1f/0x30 CVE-2023-53288 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale Running the 'kfree_rcu_test' test case [1] results in a splat [2]. The root cause is the kfree_scale_thread thread(s) continue running after unloading the rcuscale module. This commit fixes that isue by invoking kfree_scale_cleanup() from rcu_scale_cleanup() when removing the rcuscale module. [1] modprobe rcuscale kfree_rcu_test=1 // After some time rmmod rcuscale rmmod torture [2] BUG: unable to handle page fault for address: ffffffffc0601a87 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 11de4f067 P4D 11de4f067 PUD 11de51067 PMD 112f4d067 PTE 0 Oops: 0010 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1798 Comm: kfree_scale_thr Not tainted 6.3.0-rc1-rcu+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:0xffffffffc0601a87 Code: Unable to access opcode bytes at 0xffffffffc0601a5d. RSP: 0018:ffffb25bc2e57e18 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffffffffc061f0b6 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff962fd0de RDI: ffffffff962fd0de RBP: ffffb25bc2e57ea8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000000 R14: 000000000000000a R15: 00000000001c1dbe FS: 0000000000000000(0000) GS:ffff921fa2200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc0601a5d CR3: 000000011de4c006 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? kvfree_call_rcu+0xf0/0x3a0 ? kthread+0xf3/0x120 ? kthread_complete_and_exit+0x20/0x20 ? ret_from_fork+0x1f/0x30 </TASK> Modules linked in: rfkill sunrpc ... [last unloaded: torture] CR2: ffffffffc0601a87 ---[ end trace 0000000000000000 ]--- CVE-2023-53291 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none After grabbing q->sysfs_lock, q->elevator may become NULL because of elevator switch. Fix the NULL dereference on q->elevator by checking it with lock. CVE-2023-53292 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap api: Fix possible memory leak for vcap_dup_rule() Inject fault When select CONFIG_VCAP_KUNIT_TEST, the below memory leak occurs. If kzalloc() for duprule succeeds, but the following kmemdup() fails, the duprule, ckf and caf memory will be leaked. So kfree them in the error path. unreferenced object 0xffff122744c50600 (size 192): comm "kunit_try_catch", pid 346, jiffies 4294896122 (age 911.812s) hex dump (first 32 bytes): 10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .'..........,... 00 00 00 00 00 00 00 00 18 06 c5 44 27 12 ff ff ...........D'... backtrace: [<00000000394b0db8>] __kmem_cache_alloc_node+0x274/0x2f8 [<0000000001bedc67>] kmalloc_trace+0x38/0x88 [<00000000b0612f98>] vcap_dup_rule+0x50/0x460 [<000000005d2d3aca>] vcap_add_rule+0x8cc/0x1038 [<00000000eef9d0f8>] test_vcap_xn_rule_creator.constprop.0.isra.0+0x238/0x494 [<00000000cbda607b>] vcap_api_rule_remove_in_front_test+0x1ac/0x698 [<00000000c8766299>] kunit_try_run_case+0xe0/0x20c [<00000000c4fe9186>] kunit_generic_run_threadfn_adapter+0x50/0x94 [<00000000f6864acf>] kthread+0x2e8/0x374 [<0000000022e639b3>] ret_from_fork+0x10/0x20 CVE-2023-53303 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: fix overlap expiration walk The lazy gc on insert that should remove timed-out entries fails to release the other half of the interval, if any. Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0 in nftables.git and kmemleak enabled kernel. Second bug is the use of rbe_prev vs. prev pointer. If rbe_prev() returns NULL after at least one iteration, rbe_prev points to element that is not an end interval, hence it should not be removed. Lastly, check the genmask of the end interval if this is active in the current generation. CVE-2023-53304 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free Fix potential use-after-free in l2cap_le_command_rej. CVE-2023-53305 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Fix integer overflow in radeon_cs_parser_init The type of size is unsigned, if size is 0x40000000, there will be an integer overflow, size will be zero after size *= sizeof(uint32_t), will cause uninitialized memory to be referenced later CVE-2023-53309 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, nilfs_evict_inode() could cause use-after-free read for nilfs_root if inodes are left in "garbage_list" and released by nilfs_dispose_list at the end of nilfs_detach_log_writer(), and this bug was fixed by commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()"). However, it turned out that there is another possibility of UAF in the call path where mark_inode_dirty_sync() is called from iput(): nilfs_detach_log_writer() nilfs_dispose_list() iput() mark_inode_dirty_sync() __mark_inode_dirty() nilfs_dirty_inode() __nilfs_mark_inode_dirty() nilfs_load_inode_block() --> causes UAF of nilfs_root struct This can happen after commit 0ae45f63d4ef ("vfs: add support for a lazytime mount option"), which changed iput() to call mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME flag and i_nlink is non-zero. This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only") when using the syzbot reproducer, but the issue has potentially existed before. Fix this issue by adding a "purging flag" to the nilfs structure, setting that flag while disposing the "garbage_list" and checking it in __nilfs_mark_inode_dirty(). Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()"), this patch does not rely on ns_writer to determine whether to skip operations, so as not to break recovery on mount. The nilfs_salvage_orphan_logs routine dirties the buffer of salvaged data before attaching the log writer, so changing __nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL will cause recovery write to fail. The purpose of using the cleanup-only flag is to allow for narrowing of such conditions. CVE-2023-53311 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix net_dev_start_xmit trace event vs skb_transport_offset() After blamed commit, we must be more careful about using skb_transport_offset(), as reminded us by syzbot: WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline] WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14 Modules linked in: CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline] RIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline] RIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14 Code: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd <0f> 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff RSP: 0018:ffffc900002bf700 EFLAGS: 00010293 RAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280 RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff RBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67 R13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0 Call Trace: <TASK> [<ffffffff84715e35>] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline] [<ffffffff84715e35>] xmit_one net/core/dev.c:3643 [inline] [<ffffffff84715e35>] dev_hard_start_xmit+0x705/0x980 net/core/dev.c:3660 [<ffffffff8471a232>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff85416493>] dev_queue_xmit include/linux/netdevice.h:3030 [inline] [<ffffffff85416493>] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108 [<ffffffff85416744>] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 [<ffffffff853bc52a>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline] [<ffffffff853bc52a>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline] [<ffffffff853bc52a>] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701 [<ffffffff8151023c>] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289 [<ffffffff81511938>] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436 CVE-2023-53312 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix wrong setting of max_corr_read_errors There is no input check when echo md/max_read_errors and overflow might occur. Add check of input number. CVE-2023-53313 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev/ep93xx-fb: Do not assign to struct fb_info.dev Do not assing the Linux device to struct fb_info.dev. The call to register_framebuffer() initializes the field to the fbdev device. Drivers should not override its value. Fixes a bug where the driver incorrectly decreases the hardware device's reference counter and leaks the fbdev device. v2: * add Fixes tag (Dan) CVE-2023-53314 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Free resources after unregistering them The DP component's unbind operation walks through the submodules to unregister and clean things up. But if the unbind happens because the DP controller itself is being removed, all the memory for those submodules has just been freed. Change the order of these operations to avoid the many use-after-free that otherwise happens in this code path. Patchwork: https://patchwork.freedesktop.org/patch/542166/ CVE-2023-53316 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm Currently there is no synchronisation between finalize_pkvm() and kvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if kvm_arm_init() fails resulting in the following warning on all the CPUs and eventually a HYP panic: | kvm [1]: IPA Size Limit: 48 bits | kvm [1]: Failed to init hyp memory protection | kvm [1]: error initializing Hyp mode: -22 | | <snip> | | WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50 | Modules linked in: | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237 | Hardware name: FVP Base RevC (DT) | pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) | pc : _kvm_host_prot_finalize+0x30/0x50 | lr : __flush_smp_call_function_queue+0xd8/0x230 | | Call trace: | _kvm_host_prot_finalize+0x3c/0x50 | on_each_cpu_cond_mask+0x3c/0x6c | pkvm_drop_host_privileges+0x4c/0x78 | finalize_pkvm+0x3c/0x5c | do_one_initcall+0xcc/0x240 | do_initcall_level+0x8c/0xac | do_initcalls+0x54/0x94 | do_basic_setup+0x1c/0x28 | kernel_init_freeable+0x100/0x16c | kernel_init+0x20/0x1a0 | ret_from_fork+0x10/0x20 | Failed to finalize Hyp protection: -22 | dtb=fvp-base-revc.dtb | kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540! | kvm [95]: nVHE call trace: | kvm [95]: [<ffff800081052984>] __kvm_nvhe_hyp_panic+0xac/0xf8 | kvm [95]: [<ffff800081059644>] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac | kvm [95]: [<ffff80008105511c>] __kvm_nvhe_handle_trap+0x4c/0x160 | kvm [95]: [<ffff8000810540fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4 | kvm [95]: ---[ end nVHE call trace ]--- | kvm [95]: Hyp Offset: 0xfffe8db00ffa0000 | Kernel panic - not syncing: HYP panic: | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800 | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000 | VCPU:0000000000000000 | CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G W 6.4.0 #237 | Hardware name: FVP Base RevC (DT) | Workqueue: rpciod rpc_async_schedule | Call trace: | dump_backtrace+0xec/0x108 | show_stack+0x18/0x2c | dump_stack_lvl+0x50/0x68 | dump_stack+0x18/0x24 | panic+0x138/0x33c | nvhe_hyp_panic_handler+0x100/0x184 | new_slab+0x23c/0x54c | ___slab_alloc+0x3e4/0x770 | kmem_cache_alloc_node+0x1f0/0x278 | __alloc_skb+0xdc/0x294 | tcp_stream_alloc_skb+0x2c/0xf0 | tcp_sendmsg_locked+0x3d0/0xda4 | tcp_sendmsg+0x38/0x5c | inet_sendmsg+0x44/0x60 | sock_sendmsg+0x1c/0x34 | xprt_sock_sendmsg+0xdc/0x274 | xs_tcp_send_request+0x1ac/0x28c | xprt_transmit+0xcc/0x300 | call_transmit+0x78/0x90 | __rpc_execute+0x114/0x3d8 | rpc_async_schedule+0x28/0x48 | process_one_work+0x1d8/0x314 | worker_thread+0x248/0x474 | kthread+0xfc/0x184 | ret_from_fork+0x10/0x20 | SMP: stopping secondary CPUs | Kernel Offset: 0x57c5cb460000 from 0xffff800080000000 | PHYS_OFFSET: 0x80000000 | CPU features: 0x00000000,1035b7a3,ccfe773f | Memory Limit: none | ---[ end Kernel panic - not syncing: HYP panic: | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800 | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000 | VCPU:0000000000000000 ]--- Fix it by checking for the successfull initialisation of kvm_arm_init() in finalize_pkvm() before proceeding any futher. CVE-2023-53319 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: drop short frames While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are passed in. CVE-2023-53321 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Wait for io return on terminate rport System crash due to use after free. Current code allows terminate_rport_io to exit before making sure all IOs has returned. For FCP-2 device, IO's can hang on in HW because driver has not tear down the session in FW at first sign of cable pull. When dev_loss_tmo timer pops, terminate_rport_io is called and upper layer is about to free various resources. Terminate_rport_io trigger qla to do the final cleanup, but the cleanup might not be fast enough where it leave qla still holding on to the same resource. Wait for IO's to return to upper layer before resources are freed. CVE-2023-53322 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext2/dax: Fix ext2_setsize when len is page aligned PAGE_ALIGN(x) macro gives the next highest value which is multiple of pagesize. But if x is already page aligned then it simply returns x. So, if x passed is 0 in dax_zero_range() function, that means the length gets passed as 0 to ->iomap_begin(). In ext2 it then calls ext2_get_blocks -> max_blocks as 0 and hits bug_on here in ext2_get_blocks(). BUG_ON(maxblocks == 0); Instead we should be calling dax_truncate_page() here which takes care of it. i.e. it only calls dax_zero_range if the offset is not page/block aligned. This can be easily triggered with following on fsdax mounted pmem device. dd if=/dev/zero of=file count=1 bs=512 truncate -s 0 file [79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk [79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff) [93.793207] ------------[ cut here ]------------ [93.795102] kernel BUG at fs/ext2/inode.c:637! [93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI [93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139 [93.806459] RIP: 0010:ext2_get_blocks.constprop.0+0x524/0x610 <...> [93.835298] Call Trace: [93.836253] <TASK> [93.837103] ? lock_acquire+0xf8/0x110 [93.838479] ? d_lookup+0x69/0xd0 [93.839779] ext2_iomap_begin+0xa7/0x1c0 [93.841154] iomap_iter+0xc7/0x150 [93.842425] dax_zero_range+0x6e/0xa0 [93.843813] ext2_setsize+0x176/0x1b0 [93.845164] ext2_setattr+0x151/0x200 [93.846467] notify_change+0x341/0x4e0 [93.847805] ? lock_acquire+0xf8/0x110 [93.849143] ? do_truncate+0x74/0xe0 [93.850452] ? do_truncate+0x84/0xe0 [93.851739] do_truncate+0x84/0xe0 [93.852974] do_sys_ftruncate+0x2b4/0x2f0 [93.854404] do_syscall_64+0x3f/0x90 [93.855789] entry_SYSCALL_64_after_hwframe+0x72/0xdc CVE-2023-53323 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Don't leak some plane state Apparently no one noticed that mdp5 plane states leak like a sieve ever since we introduced plane_state->commit refcount a few years ago in 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too early by tracking commits, v3.") Fix it by using the right helpers. Patchwork: https://patchwork.freedesktop.org/patch/551236/ CVE-2023-53324 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer() Change logging from drm_{err,info}() to dev_{err,info}() in functions mtk_dp_aux_transfer() and mtk_dp_aux_do_transfer(): this will be essential to avoid getting NULL pointer kernel panics if any kind of error happens during AUX transfers happening before the bridge is attached. This may potentially start happening in a later commit implementing aux-bus support, as AUX transfers will be triggered from the panel driver (for EDID) before the mtk-dp bridge gets attached, and it's done in preparation for the same. CVE-2023-53325 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Enhance sanity check while generating attr_list ni_create_attr_list uses WARN_ON to catch error cases while generating attribute list, which only prints out stack trace and may not be enough. This repalces them with more proper error handling flow. [ 59.666332] BUG: kernel NULL pointer dereference, address: 000000000000000e [ 59.673268] #PF: supervisor read access in kernel mode [ 59.678354] #PF: error_code(0x0000) - not-present page [ 59.682831] PGD 8000000005ff1067 P4D 8000000005ff1067 PUD 7dee067 PMD 0 [ 59.688556] Oops: 0000 [#1] PREEMPT SMP KASAN PTI [ 59.692642] CPU: 0 PID: 198 Comm: poc Tainted: G B W 6.2.0-rc1+ #4 [ 59.698868] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 59.708795] RIP: 0010:ni_create_attr_list+0x505/0x860 [ 59.713657] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8 [ 59.731559] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282 [ 59.735691] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe [ 59.741792] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0 [ 59.748423] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9 [ 59.754654] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180 [ 59.761552] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050 [ 59.768323] FS: 00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000 [ 59.776027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 59.781395] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0 [ 59.787607] Call Trace: [ 59.790271] <TASK> [ 59.792488] ? __pfx_ni_create_attr_list+0x10/0x10 [ 59.797235] ? kernel_text_address+0xd3/0xe0 [ 59.800856] ? unwind_get_return_address+0x3e/0x60 [ 59.805101] ? __kasan_check_write+0x18/0x20 [ 59.809296] ? preempt_count_sub+0x1c/0xd0 [ 59.813421] ni_ins_attr_ext+0x52c/0x5c0 [ 59.817034] ? __pfx_ni_ins_attr_ext+0x10/0x10 [ 59.821926] ? __vfs_setxattr+0x121/0x170 [ 59.825718] ? __vfs_setxattr_noperm+0x97/0x300 [ 59.829562] ? __vfs_setxattr_locked+0x145/0x170 [ 59.833987] ? vfs_setxattr+0x137/0x2a0 [ 59.836732] ? do_setxattr+0xce/0x150 [ 59.839807] ? setxattr+0x126/0x140 [ 59.842353] ? path_setxattr+0x164/0x180 [ 59.845275] ? __x64_sys_setxattr+0x71/0x90 [ 59.848838] ? do_syscall_64+0x3f/0x90 [ 59.851898] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 59.857046] ? stack_depot_save+0x17/0x20 [ 59.860299] ni_insert_attr+0x1ba/0x420 [ 59.863104] ? __pfx_ni_insert_attr+0x10/0x10 [ 59.867069] ? preempt_count_sub+0x1c/0xd0 [ 59.869897] ? _raw_spin_unlock_irqrestore+0x2b/0x50 [ 59.874088] ? __create_object+0x3ae/0x5d0 [ 59.877865] ni_insert_resident+0xc4/0x1c0 [ 59.881430] ? __pfx_ni_insert_resident+0x10/0x10 [ 59.886355] ? kasan_save_alloc_info+0x1f/0x30 [ 59.891117] ? __kasan_kmalloc+0x8b/0xa0 [ 59.894383] ntfs_set_ea+0x90d/0xbf0 [ 59.897703] ? __pfx_ntfs_set_ea+0x10/0x10 [ 59.901011] ? kernel_text_address+0xd3/0xe0 [ 59.905308] ? __kernel_text_address+0x16/0x50 [ 59.909811] ? unwind_get_return_address+0x3e/0x60 [ 59.914898] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 59.920250] ? arch_stack_walk+0xa2/0x100 [ 59.924560] ? filter_irq_stacks+0x27/0x80 [ 59.928722] ntfs_setxattr+0x405/0x440 [ 59.932512] ? __pfx_ntfs_setxattr+0x10/0x10 [ 59.936634] ? kvmalloc_node+0x2d/0x120 [ 59.940378] ? kasan_save_stack+0x41/0x60 [ 59.943870] ? kasan_save_stack+0x2a/0x60 [ 59.947719] ? kasan_set_track+0x29/0x40 [ 59.951417] ? kasan_save_alloc_info+0x1f/0x30 [ 59.955733] ? __kasan_kmalloc+0x8b/0xa0 [ 59.959598] ? __kmalloc_node+0x68/0x150 [ 59.963163] ? kvmalloc_node+0x2d/0x120 [ 59.966490] ? vmemdup_user+0x2b/0xa0 ---truncated--- CVE-2023-53328 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Check start of empty przs during init After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as valid"), initialization would assume a prz was valid after seeing that the buffer_size is zero (regardless of the buffer start position). This unchecked start value means it could be outside the bounds of the buffer, leading to future access panics when written to: sysdump_panic_event+0x3b4/0x5b8 atomic_notifier_call_chain+0x54/0x90 panic+0x1c8/0x42c die+0x29c/0x2a8 die_kernel_fault+0x68/0x78 __do_kernel_fault+0x1c4/0x1e0 do_bad_area+0x40/0x100 do_translation_fault+0x68/0x80 do_mem_abort+0x68/0xf8 el1_da+0x1c/0xc0 __raw_writeb+0x38/0x174 __memcpy_toio+0x40/0xac persistent_ram_update+0x44/0x12c persistent_ram_write+0x1a8/0x1b8 ramoops_pstore_write+0x198/0x1e8 pstore_console_write+0x94/0xe0 ... To avoid this, also check if the prz start is 0 during the initialization phase. If not, the next prz sanity check case will discover it (start > size) and zap the buffer back to a sane state. [kees: update commit log with backtrace and clarifications] CVE-2023-53331 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings When ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run sensor->adev is not set yet. So if either of the dev_warn() calls about unknown values are hit this will lead to a NULL pointer deref. Set sensor->adev earlier, with a borrowed ref to avoid making unrolling on errors harder, to fix this. CVE-2023-53336 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: lwt: Fix return values of BPF xmit ops BPF encap ops can return different types of positive values, such like NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in ip(6)_finish_output2. When this happens, skbs that have been freed would continue to the neighbor subsystem, causing use-after-free bug and kernel crashes. To fix the incorrect behavior, skb_do_redirect return values can be simply discarded, the same as tc-egress behavior. On the other hand, bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU information. Thus convert its return values to avoid the conflict with LWTUNNEL_XMIT_CONTINUE. CVE-2023-53338 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix BUG_ON condition in btrfs_cancel_balance Pausing and canceling balance can race to interrupt balance lead to BUG_ON panic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance does not take this race scenario into account. However, the race condition has no other side effects. We can fix that. Reproducing it with panic trace like this: kernel BUG at fs/btrfs/volumes.c:4618! RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0 Call Trace: <TASK> ? do_nanosleep+0x60/0x120 ? hrtimer_nanosleep+0xb7/0x1a0 ? sched_core_clone_cookie+0x70/0x70 btrfs_ioctl_balance_ctl+0x55/0x70 btrfs_ioctl+0xa46/0xd20 __x64_sys_ioctl+0x7d/0xa0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Race scenario as follows: > mutex_unlock(&fs_info->balance_mutex); > -------------------- > .......issue pause and cancel req in another thread > -------------------- > ret = __btrfs_balance(fs_info); > > mutex_lock(&fs_info->balance_mutex); > if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { > btrfs_info(fs_info, "balance: paused"); > btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); > } CVE-2023-53339 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix handling IPv4 routes with nhid Fix handling IPv4 routes referencing a nexthop via its id by replacing calls to fib_info_nh() with fib_info_nhc(). Trying to add an IPv4 route referencing a nextop via nhid: $ ip link set up swp5 $ ip a a 10.0.0.1/24 dev swp5 $ ip nexthop add dev swp5 id 20 via 10.0.0.2 $ ip route add 10.0.1.0/24 nhid 20 triggers warnings when trying to handle the route: [ 528.805763] ------------[ cut here ]------------ [ 528.810437] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera] [ 528.820434] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci] [ 528.837485] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G O 6.4.5 #1 [ 528.845178] Hardware name: delta,tn48m-dn (DT) [ 528.849641] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera] [ 528.857352] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 528.864347] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera] [ 528.870135] lr : prestera_k_arb_fib_evt+0xb20/0xd50 [prestera] [ 528.876007] sp : ffff80000b20bc90 [ 528.879336] x29: ffff80000b20bc90 x28: 0000000000000000 x27: ffff0001374d3a48 [ 528.886510] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800 [ 528.893683] x23: ffff000101c89148 x22: ffff000101c89000 x21: ffff000101c89200 [ 528.900855] x20: ffff00013641fda0 x19: ffff800009d01088 x18: 0000000000000059 [ 528.908027] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000 [ 528.915198] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000 [ 528.922371] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013d2020 [ 528.929543] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 000000001ca72f86 [ 528.936715] x5 : 0000000033399ea7 x4 : 0000000000000000 x3 : ffff0001374d3acc [ 528.943886] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80 [ 528.951058] Call trace: [ 528.953516] __prestera_fi_is_direct+0x2c/0x68 [prestera] [ 528.958952] __prestera_router_fib_event_work+0x100/0x158 [prestera] [ 528.965348] process_one_work+0x208/0x488 [ 528.969387] worker_thread+0x4c/0x430 [ 528.973068] kthread+0x120/0x138 [ 528.976313] ret_from_fork+0x10/0x20 [ 528.979909] ---[ end trace 0000000000000000 ]--- [ 528.984998] ------------[ cut here ]------------ [ 528.989645] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera] [ 528.999628] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci] [ 529.016676] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G W O 6.4.5 #1 [ 529.024368] Hardware name: delta,tn48m-dn (DT) [ 529.028830] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera] [ 529.036539] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 529.043533] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera] [ 529.049318] lr : __prestera_k_arb_fc_apply+0x280/0x2f8 [prestera] [ 529.055452] sp : ffff80000b20bc60 [ 529.058781] x29: ffff80000b20bc60 x28: 0000000000000000 x27: ffff0001374d3a48 [ 529.065953] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800 [ 529.073126] x23: ffff000101c89148 x22: ffff000101c89148 x21: ffff00013641fda0 [ 529.080299] x20: ffff000101c89000 x19: ffff000101c89020 x18: 0000000000000059 [ 529.087471] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000 [ 529.094642] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000 [ 529.101814] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013cee80 [ 529.108985] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 ---truncated--- CVE-2023-53342 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that has the link-local address as src and dst IP and will be forwarded to an external IP in the IPv6 Ext Hdr. For example, the script below generates a packet whose src IP is the link-local address and dst is updated to 11::. # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done # python3 >>> from socket import * >>> from scapy.all import * >>> >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" >>> >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) >>> >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) For such a packet, we call ip6_route_input() to look up a route for the next destination in these three functions depending on the header type. * ipv6_rthdr_rcv() * ipv6_rpl_srh_rcv() * ipv6_srh_rcv() If no route is found, ip6_null_entry is set to skb, and the following dst_input(skb) calls ip6_pkt_drop(). Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev as the input device is the loopback interface. Then, we have to check if skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref for ip6_null_entry. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ip6_pkt_drop (net/ipv6/route.c:4513) ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) __netif_receive_skb_one_core (net/core/dev.c:5455) process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) __napi_poll (net/core/dev.c:6460) net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4231) ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) sock_sendmsg (net/socket.c:725 net/socket.c:748) __sys_sendto (net/socket.c:2134) __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x7f9dc751baea Code: d8 64 89 02 48 c7 c0 ff f ---truncated--- CVE-2023-53343 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix slicing memory leak The temporary buffer storing slicing configuration data from user is only freed on error. This is a memory leak. Free the buffer unconditionally. CVE-2023-53350 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/ttm: check null pointer before accessing when swapping Add a check to avoid null pointer dereference as below: [ 90.002283] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 90.002292] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 90.002346] ? exc_general_protection+0x159/0x240 [ 90.002352] ? asm_exc_general_protection+0x26/0x30 [ 90.002357] ? ttm_bo_evict_swapout_allowable+0x322/0x5e0 [ttm] [ 90.002365] ? ttm_bo_evict_swapout_allowable+0x42e/0x5e0 [ttm] [ 90.002373] ttm_bo_swapout+0x134/0x7f0 [ttm] [ 90.002383] ? __pfx_ttm_bo_swapout+0x10/0x10 [ttm] [ 90.002391] ? lock_acquire+0x44d/0x4f0 [ 90.002398] ? ttm_device_swapout+0xa5/0x260 [ttm] [ 90.002412] ? lock_acquired+0x355/0xa00 [ 90.002416] ? do_raw_spin_trylock+0xb6/0x190 [ 90.002421] ? __pfx_lock_acquired+0x10/0x10 [ 90.002426] ? ttm_global_swapout+0x25/0x210 [ttm] [ 90.002442] ttm_device_swapout+0x198/0x260 [ttm] [ 90.002456] ? __pfx_ttm_device_swapout+0x10/0x10 [ttm] [ 90.002472] ttm_global_swapout+0x75/0x210 [ttm] [ 90.002486] ttm_tt_populate+0x187/0x3f0 [ttm] [ 90.002501] ttm_bo_handle_move_mem+0x437/0x590 [ttm] [ 90.002517] ttm_bo_validate+0x275/0x430 [ttm] [ 90.002530] ? __pfx_ttm_bo_validate+0x10/0x10 [ttm] [ 90.002544] ? kasan_save_stack+0x33/0x60 [ 90.002550] ? kasan_set_track+0x25/0x30 [ 90.002554] ? __kasan_kmalloc+0x8f/0xa0 [ 90.002558] ? amdgpu_gtt_mgr_new+0x81/0x420 [amdgpu] [ 90.003023] ? ttm_resource_alloc+0xf6/0x220 [ttm] [ 90.003038] amdgpu_bo_pin_restricted+0x2dd/0x8b0 [amdgpu] [ 90.003210] ? __x64_sys_ioctl+0x131/0x1a0 [ 90.003210] ? do_syscall_64+0x60/0x90 CVE-2023-53352 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: skbuff: skb_segment, Call zero copy functions before using skbuff frags Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb") added the call to zero copy functions in skb_segment(). The change introduced a bug in skb_segment() because skb_orphan_frags() may possibly change the number of fragments or allocate new fragments altogether leaving nrfrags and frag to point to the old values. This can cause a panic with stacktrace like the one below. [ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc [ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26 [ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0 [ 194.021892] Call Trace: [ 194.027422] <TASK> [ 194.072861] tcp_gso_segment+0x107/0x540 [ 194.082031] inet_gso_segment+0x15c/0x3d0 [ 194.090783] skb_mac_gso_segment+0x9f/0x110 [ 194.095016] __skb_gso_segment+0xc1/0x190 [ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem] [ 194.107071] dev_qdisc_enqueue+0x16/0x70 [ 194.110884] __dev_queue_xmit+0x63b/0xb30 [ 194.121670] bond_start_xmit+0x159/0x380 [bonding] [ 194.128506] dev_hard_start_xmit+0xc3/0x1e0 [ 194.131787] __dev_queue_xmit+0x8a0/0xb30 [ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan] [ 194.141477] dev_hard_start_xmit+0xc3/0x1e0 [ 194.144622] sch_direct_xmit+0xe3/0x280 [ 194.147748] __dev_queue_xmit+0x54a/0xb30 [ 194.154131] tap_get_user+0x2a8/0x9c0 [tap] [ 194.157358] tap_sendmsg+0x52/0x8e0 [tap] [ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net] [ 194.173631] handle_tx+0xcd/0xe0 [vhost_net] [ 194.176959] vhost_worker+0x76/0xb0 [vhost] [ 194.183667] kthread+0x118/0x140 [ 194.190358] ret_from_fork+0x1f/0x30 [ 194.193670] </TASK> In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags local variable in skb_segment() stale. This resulted in the code hitting i >= nrfrags prematurely and trying to move to next frag_skb using list_skb pointer, which was NULL, and caused kernel panic. Move the call to zero copy functions before using frags and nr_frags. CVE-2023-53354 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Add null pointer check in gserial_suspend Consider a case where gserial_disconnect has already cleared gser->ioport. And if gserial_suspend gets called afterwards, it will lead to accessing of gser->ioport and thus causing null pointer dereference. Avoid this by adding a null pointer check. Added a static spinlock to prevent gser->ioport from becoming null after the newly added null pointer check. CVE-2023-53356 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() will return -EINVAL because 'page >= bitmap->pages', but the return value was not checked immediately in md_bitmap_get_counter() in order to set *blocks value and slab-out-of-bounds occurs. Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and return directly if true. CVE-2023-53357 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4.2: Rework scratch handling for READ_PLUS (again) I found that the read code might send multiple requests using the same nfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is how we ended up occasionally double-freeing the scratch buffer, but also means we set a NULL pointer but non-zero length to the xdr scratch buffer. This results in an oops the first time decoding needs to copy something to scratch, which frequently happens when decoding READ_PLUS hole segments. I fix this by moving scratch handling into the pageio read code. I provide a function to allocate scratch space for decoding read replies, and free the scratch buffer when the nfs_pgio_header is freed. CVE-2023-53360 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: don't assume child devices are all fsl-mc devices Changes in VFIO caused a pseudo-device to be created as child of fsl-mc devices causing a crash [1] when trying to bind a fsl-mc device to VFIO. Fix this by checking the device type when enumerating fsl-mc child devices. [1] Modules linked in: Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP CPU: 6 PID: 1289 Comm: sh Not tainted 6.2.0-rc5-00047-g7c46948a6e9c #2 Hardware name: NXP Layerscape LX2160ARDB (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mc_send_command+0x24/0x1f0 lr : dprc_get_obj_region+0xfc/0x1c0 sp : ffff80000a88b900 x29: ffff80000a88b900 x28: ffff48a9429e1400 x27: 00000000000002b2 x26: ffff48a9429e1718 x25: 0000000000000000 x24: 0000000000000000 x23: ffffd59331ba3918 x22: ffffd59331ba3000 x21: 0000000000000000 x20: ffff80000a88b9b8 x19: 0000000000000000 x18: 0000000000000001 x17: 7270642f636d2d6c x16: 73662e3030303030 x15: ffffffffffffffff x14: ffffd59330f1d668 x13: ffff48a8727dc389 x12: ffff48a8727dc386 x11: 0000000000000002 x10: 00008ceaf02f35d4 x9 : 0000000000000012 x8 : 0000000000000000 x7 : 0000000000000006 x6 : ffff80000a88bab0 x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000a88b9e8 x2 : ffff80000a88b9e8 x1 : 0000000000000000 x0 : ffff48a945142b80 Call trace: mc_send_command+0x24/0x1f0 dprc_get_obj_region+0xfc/0x1c0 fsl_mc_device_add+0x340/0x590 fsl_mc_obj_device_add+0xd0/0xf8 dprc_scan_objects+0x1c4/0x340 dprc_scan_container+0x38/0x60 vfio_fsl_mc_probe+0x9c/0xf8 fsl_mc_driver_probe+0x24/0x70 really_probe+0xbc/0x2a8 __driver_probe_device+0x78/0xe0 device_driver_attach+0x30/0x68 bind_store+0xa8/0x130 drv_attr_store+0x24/0x38 sysfs_kf_write+0x44/0x60 kernfs_fop_write_iter+0x128/0x1b8 vfs_write+0x334/0x448 ksys_write+0x68/0xf0 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x44/0x108 el0_svc_common.constprop.1+0x94/0xf8 do_el0_svc+0x38/0xb0 el0_svc+0x20/0x50 el0t_64_sync_handler+0x98/0xc0 el0t_64_sync+0x174/0x178 Code: aa0103f4 a9025bf5 d5384100 b9400801 (79401260) ---[ end trace 0000000000000000 ]--- CVE-2023-53362 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: better fix null deref with partial DT Two versions of the original patch were sent but V1 was merged instead of V2 due to a mistake. So update to V2. The advantage of V2 is that it completely avoids dereferencing the pointer, even just to take the address, which may fix problems with some compilers. Both versions work on my gcc 9.4 but use the safer one. CVE-2023-53364 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ip6mr: Fix skb_under_panic in ip6mr_cache_report() skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4 head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:192! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:skb_panic+0x152/0x1d0 Call Trace: <TASK> skb_push+0xc4/0xe0 ip6mr_cache_report+0xd69/0x19b0 reg_vif_xmit+0x406/0x690 dev_hard_start_xmit+0x17e/0x6e0 __dev_queue_xmit+0x2d6a/0x3d20 vlan_dev_hard_start_xmit+0x3ab/0x5c0 dev_hard_start_xmit+0x17e/0x6e0 __dev_queue_xmit+0x2d6a/0x3d20 neigh_connected_output+0x3ed/0x570 ip6_finish_output2+0x5b5/0x1950 ip6_finish_output+0x693/0x11c0 ip6_output+0x24b/0x880 NF_HOOK.constprop.0+0xfd/0x530 ndisc_send_skb+0x9db/0x1400 ndisc_send_rs+0x12a/0x6c0 addrconf_dad_completed+0x3c9/0xea0 addrconf_dad_work+0x849/0x1420 process_one_work+0xa22/0x16e0 worker_thread+0x679/0x10c0 ret_from_fork+0x28/0x60 ret_from_fork_asm+0x11/0x20 When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit(). reg_vif_xmit() ip6mr_cache_report() skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4 And skb_push declared as: void *skb_push(struct sk_buff *skb, unsigned int len); skb->data -= len; //0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850 skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails. CVE-2023-53365 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: fix mem leak in capture user mappings This commit fixes a memory leak caused when clearing the user_mappings info when a new context is opened immediately after user_mapping is captured and a hard reset is performed. CVE-2023-53367 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race issue between cpu buffer write and swap Warning happened in rb_end_commit() at code: if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing))) WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142 rb_commit+0x402/0x4a0 Call Trace: ring_buffer_unlock_commit+0x42/0x250 trace_buffer_unlock_commit_regs+0x3b/0x250 trace_event_buffer_commit+0xe5/0x440 trace_event_buffer_reserve+0x11c/0x150 trace_event_raw_event_sched_switch+0x23c/0x2c0 __traceiter_sched_switch+0x59/0x80 __schedule+0x72b/0x1580 schedule+0x92/0x120 worker_thread+0xa0/0x6f0 It is because the race between writing event into cpu buffer and swapping cpu buffer through file per_cpu/cpu0/snapshot: Write on CPU 0 Swap buffer by per_cpu/cpu0/snapshot on CPU 1 -------- -------- tracing_snapshot_write() [...] ring_buffer_lock_reserve() cpu_buffer = buffer->buffers[cpu]; // 1. Suppose find 'cpu_buffer_a'; [...] rb_reserve_next_event() [...] ring_buffer_swap_cpu() if (local_read(&cpu_buffer_a->committing)) goto out_dec; if (local_read(&cpu_buffer_b->committing)) goto out_dec; buffer_a->buffers[cpu] = cpu_buffer_b; buffer_b->buffers[cpu] = cpu_buffer_a; // 2. cpu_buffer has swapped here. rb_start_commit(cpu_buffer); if (unlikely(READ_ONCE(cpu_buffer->buffer) != buffer)) { // 3. This check passed due to 'cpu_buffer->buffer' [...] // has not changed here. return NULL; } cpu_buffer_b->buffer = buffer_a; cpu_buffer_a->buffer = buffer_b; [...] // 4. Reserve event from 'cpu_buffer_a'. ring_buffer_unlock_commit() [...] cpu_buffer = buffer->buffers[cpu]; // 5. Now find 'cpu_buffer_b' !!! rb_commit(cpu_buffer) rb_end_commit() // 6. WARN for the wrong 'committing' state !!! Based on above analysis, we can easily reproduce by following testcase: ``` bash #!/bin/bash dmesg -n 7 sysctl -w kernel.panic_on_warn=1 TR=/sys/kernel/tracing echo 7 > ${TR}/buffer_size_kb echo "sched:sched_switch" > ${TR}/set_event while [ true ]; do echo 1 > ${TR}/per_cpu/cpu0/snapshot done & while [ true ]; do echo 1 > ${TR}/per_cpu/cpu0/snapshot done & while [ true ]; do echo 1 > ${TR}/per_cpu/cpu0/snapshot done & ``` To fix it, IIUC, we can use smp_call_function_single() to do the swap on the target cpu where the buffer is located, so that above race would be avoided. CVE-2023-53368 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dcb: choose correct policy to parse DCB_ATTR_BCN The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN], which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB BCN"). Please see the comment in below code static int dcbnl_bcn_setcfg(...) { ... ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. ) // !!! dcbnl_pfc_up_nest for attributes // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs ... for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) { // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs ... value_byte = nla_get_u8(data[i]); ... } ... for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) { // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs ... value_int = nla_get_u32(data[i]); ... } ... } That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the following access code fetch each nlattr as dcbnl_bcn_attrs attributes. By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find the beginning part of these two policies are "same". static const struct nla_policy dcbnl_pfc_up_nest[...] = { [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG}, }; static const struct nla_policy dcbnl_bcn_nest[...] = { [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG}, // from here is somewhat different [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32}, ... [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG}, }; Therefore, the current code is buggy and this nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0. Hence use the correct policy dcbnl_bcn_nest to parse the nested tb[DCB_ATTR_BCN] TLV. CVE-2023-53369 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix memory leak in mes self test The fences associated with mes queue have to be freed up during amdgpu_ring_fini. CVE-2023-53370 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix memory leak in mlx5e_fs_tt_redirect_any_create The memory pointed to by the fs->any pointer is not freed in the error path of mlx5e_fs_tt_redirect_any_create, which can lead to a memory leak. Fix by freeing the memory in the error path, thereby making the error path identical to mlx5e_fs_tt_redirect_any_destroy(). CVE-2023-53371 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early Not calling hci_(dis)connect_cfm before deleting conn referred to by a socket generally results to use-after-free. When cleaning up SCO connections when the parent ACL is deleted too early, use hci_conn_failed to do the connection cleanup properly. We also need to clean up ISO connections in a similar situation when connecting has started but LE Create CIS is not yet sent, so do it too here. CVE-2023-53374 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: prevent use-after-free by freeing the cfile later In smb2_compound_op we have a possible use-after-free which can cause hard to debug problems later on. This was revealed during stress testing with KASAN enabled kernel. Fixing it by moving the cfile free call to a few lines below, after the usage. CVE-2023-53377 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() Smatch reports: drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe() warn: missing unwind goto? After geting irq, if ret < 0, it will return without error handling to free memory. Just add error handling to fix this problem. CVE-2023-53379 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request There are two check of 'mreplace' in raid10_sync_request(). In the first check, 'need_replace' will be set and 'mreplace' will be used later if no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be set to NULL if it is Faulty, but 'need_replace' will not be changed accordingly. null-ptr-deref occurs if Faulty is set between two check. Fix it by merging two checks into one. And replace 'need_replace' with 'mreplace' because their values are always the same. CVE-2023-53380 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: avoid possible NULL skb pointer dereference In 'mwifiex_handle_uap_rx_forward()', always check the value returned by 'skb_copy()' to avoid potential NULL pointer dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop original skb in case of copying failure. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2023-53384 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: mdp3: Fix resource leaks in of_find_device_by_node Use put_device to release the object get through of_find_device_by_node, avoiding resource leaks. CVE-2023-53385 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix potential use-after-free when clear keys Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() call. CVE-2023-53386 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs As the ramfs-based tmpfs uses ramfs_init_fs_context() for the init_fs_context method, which allocates fc->s_fs_info, use ramfs_kill_sb() to free it and avoid a memory leak. CVE-2023-53391 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix crash on regular rq reactivation When the regular rq is reactivated after the XSK socket is closed it could be reading stale cqes which eventually corrupts the rq. This leads to no more traffic being received on the regular rq and a crash on the next close or deactivation of the rq. Kal Cuttler Conely reported this issue as a crash on the release path when the xdpsock sample program is stopped (killed) and restarted in sequence while traffic is running. This patch flushes all cqes when during the rq flush. The cqe flushing is done in the reset state of the rq. mlx5e_rq_to_ready code is moved into the flush function to allow for this. CVE-2023-53394 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5 According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added to ASL Timer instruction opcode. When ASL timer instruction interpreted by ACPI interpreter, getting error. After adding AML_NO_OPERAND_RESOLVE flag to ASL Timer instruction opcode, issue is not observed. ============================================================= UBSAN: array-index-out-of-bounds in acpica/dswexec.c:401:12 index -1 is out of range for type 'union acpi_operand_object *[9]' CPU: 37 PID: 1678 Comm: cat Not tainted 6.0.0-dev-th500-6.0.y-1+bcf8c46459e407-generic-64k HW name: NVIDIA BIOS v1.1.1-d7acbfc-dirty 12/19/2022 Call trace: dump_backtrace+0xe0/0x130 show_stack+0x20/0x60 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 ubsan_epilogue+0x10/0x50 __ubsan_handle_out_of_bounds+0x80/0x90 acpi_ds_exec_end_op+0x1bc/0x6d8 acpi_ps_parse_loop+0x57c/0x618 acpi_ps_parse_aml+0x1e0/0x4b4 acpi_ps_execute_method+0x24c/0x2b8 acpi_ns_evaluate+0x3a8/0x4bc acpi_evaluate_object+0x15c/0x37c acpi_evaluate_integer+0x54/0x15c show_power+0x8c/0x12c [acpi_power_meter] CVE-2023-53395 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: modpost: fix off by one in is_executable_section() The > comparison should be >= to prevent an out of bounds array access. CVE-2023-53397 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required() KCSAN found an issue in obj_stock_flush_required(): stock->cached_objcg can be reset between the check and dereference: ================================================================== BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0: drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306 refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340 obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408 memcg_slab_free_hook mm/slab.h:587 [inline] __cache_free mm/slab.c:3373 [inline] __do_kmem_cache_free mm/slab.c:3577 [inline] kmem_cache_free+0x105/0x280 mm/slab.c:3602 __d_free fs/dcache.c:298 [inline] dentry_free fs/dcache.c:375 [inline] __dentry_kill+0x422/0x4a0 fs/dcache.c:621 dentry_kill+0x8d/0x1e0 dput+0x118/0x1f0 fs/dcache.c:913 __fput+0x3bf/0x570 fs/file_table.c:329 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x123/0x160 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171 exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1: obj_stock_flush_required mm/memcontrol.c:3319 [inline] drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361 try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703 try_charge mm/memcontrol.c:2837 [inline] mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290 sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025 sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525 udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692 udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817 sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668 __sys_setsockopt+0x1c3/0x230 net/socket.c:2271 __do_sys_setsockopt net/socket.c:2282 [inline] __se_sys_setsockopt net/socket.c:2279 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0xffff8881382d52c0 -> 0xffff888138893740 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to stock->cached_objcg. CVE-2023-53401 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr() Here is a BUG report from syzbot: BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline] BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710 Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632 Call Trace: ntfs_list_ea fs/ntfs3/xattr.c:191 [inline] ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710 vfs_listxattr fs/xattr.c:457 [inline] listxattr+0x293/0x2d0 fs/xattr.c:804 Fix the logic of ea_all iteration. When the ea->name_len is 0, return immediately, or Add2Ptr() would visit invalid memory in the next loop. [almaz.alexandrovich@paragon-software.com: lines of the patch have changed] CVE-2023-53420 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() When blkg_alloc() is called to allocate a blkcg_gq structure with the associated blkg_iostat_set's, there are 2 fields within blkg_iostat_set that requires proper initialization - blkg & sync. The former field was introduced by commit 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") while the later one was introduced by commit f73316482977 ("blk-cgroup: reimplement basic IO stats using cgroup rstat"). Unfortunately those fields in the blkg_iostat_set's are not properly re-initialized when they are cleared in v1's blkcg_reset_stats(). This can lead to a kernel panic due to NULL pointer access of the blkg pointer. The missing initialization of sync is less problematic and can be a problem in a debug kernel due to missing lockdep initialization. Fix these problems by re-initializing them after memory clearing. CVE-2023-53421 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: fix of_iomap memory leak Smatch reports: drivers/clk/mediatek/clk-mtk.c:583 mtk_clk_simple_probe() warn: 'base' from of_iomap() not released on lines: 496. This problem was also found in linux-next. In mtk_clk_simple_probe(), base is not released when handling errors if clk_data is not existed, which may cause a leak. So free_base should be added here to release base. CVE-2023-53424 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: platform: mediatek: vpu: fix NULL ptr dereference If pdev is NULL, then it is still dereferenced. This fixes this smatch warning: drivers/media/platform/mediatek/vpu/mtk_vpu.c:570 vpu_load_firmware() warn: address of NULL pointer 'pdev' CVE-2023-53425 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: xsk: Fix xsk_diag use-after-free error during socket cleanup Fix a use-after-free error that is possible if the xsk_diag interface is used after the socket has been unbound from the device. This can happen either due to the socket being closed or the device disappearing. In the early days of AF_XDP, the way we tested that a socket was not bound to a device was to simply check if the netdevice pointer in the xsk socket structure was NULL. Later, a better system was introduced by having an explicit state variable in the xsk socket struct. For example, the state of a socket that is on the way to being closed and has been unbound from the device is XSK_UNBOUND. The commit in the Fixes tag below deleted the old way of signalling that a socket is unbound, setting dev to NULL. This in the belief that all code using the old way had been exterminated. That was unfortunately not true as the xsk diagnostics code was still using the old way and thus does not work as intended when a socket is going down. Fix this by introducing a test against the state variable. If the socket is in the state XSK_UNBOUND, simply abort the diagnostic's netlink operation. CVE-2023-53426 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: powercap: arm_scmi: Remove recursion while parsing zones Powercap zones can be defined as arranged in a hierarchy of trees and when registering a zone with powercap_register_zone(), the kernel powercap subsystem expects this to happen starting from the root zones down to the leaves; on the other side, de-registration by powercap_deregister_zone() must begin from the leaf zones. Available SCMI powercap zones are retrieved dynamically from the platform at probe time and, while any defined hierarchy between the zones is described properly in the zones descriptor, the platform returns the availables zones with no particular well-defined order: as a consequence, the trees possibly composing the hierarchy of zones have to be somehow walked properly to register the retrieved zones from the root. Currently the ARM SCMI Powercap driver walks the zones using a recursive algorithm; this approach, even though correct and tested can lead to kernel stack overflow when processing a returned hierarchy of zones composed by particularly high trees. Avoid possible kernel stack overflow by substituting the recursive approach with an iterative one supported by a dynamically allocated stack-like data structure. CVE-2023-53428 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: don't check PageError in __extent_writepage __extent_writepage currenly sets PageError whenever any error happens, and the also checks for PageError to decide if to call error handling. This leads to very unclear responsibility for cleaning up on errors. In the VM and generic writeback helpers the basic idea is that once I/O is fired off all error handling responsibility is delegated to the end I/O handler. But if that end I/O handler sets the PageError bit, and the submitter checks it, the bit could in some cases leak into the submission context for fast enough I/O. Fix this by simply not checking PageError and just using the local ret variable to check for submission errors. This also fundamentally solves the long problem documented in a comment in __extent_writepage by never leaking the error bit into the submission context. CVE-2023-53429 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: firewire: net: fix use after free in fwnet_finish_incoming_packet() The netif_rx() function frees the skb so we can't dereference it to save the skb->len. CVE-2023-53432 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible memory leak if device_add() fails If device_add() returns error, the name allocated by dev_set_name() needs be freed. As the comment of device_add() says, put_device() should be used to give up the reference in the error path. So fix this by calling put_device(), then the name can be freed in kobject_cleanp(). CVE-2023-53436 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/MCE: Always save CS register on AMD Zen IF Poison errors The Instruction Fetch (IF) units on current AMD Zen-based systems do not guarantee a synchronous #MC is delivered for poison consumption errors. Therefore, MCG_STATUS[EIPV|RIPV] will not be set. However, the microarchitecture does guarantee that the exception is delivered within the same context. In other words, the exact rIP is not known, but the context is known to not have changed. There is no architecturally-defined method to determine this behavior. The Code Segment (CS) register is always valid on such IF unit poison errors regardless of the value of MCG_STATUS[EIPV|RIPV]. Add a quirk to save the CS register for poison consumption from the IF unit banks. This is needed to properly determine the context of the error. Otherwise, the severity grading function will assume the context is IN_KERNEL due to the m->cs value being 0 (the initialized value). This leads to unnecessary kernel panics on data poison errors due to the kernel believing the poison consumption occurred in kernel context. CVE-2023-53438 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: cpumap: Fix memory leak in cpu_map_update_elem Syzkaller reported a memory leak as follows: BUG: memory leak unreferenced object 0xff110001198ef748 (size 192): comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) hex dump (first 32 bytes): 00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00 ....J........... 00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff ........(....... backtrace: [<ffffffffadd28087>] __cpu_map_entry_alloc+0xf7/0xb00 [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0 [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520 [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720 [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90 [<ffffffffb029cc80>] do_syscall_64+0x30/0x40 [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 BUG: memory leak unreferenced object 0xff110001198ef528 (size 192): comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffffadd281f0>] __cpu_map_entry_alloc+0x260/0xb00 [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0 [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520 [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720 [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90 [<ffffffffb029cc80>] do_syscall_64+0x30/0x40 [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 BUG: memory leak unreferenced object 0xff1100010fd93d68 (size 8): comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) hex dump (first 8 bytes): 00 00 00 00 00 00 00 00 ........ backtrace: [<ffffffffade5db3e>] kvmalloc_node+0x11e/0x170 [<ffffffffadd28280>] __cpu_map_entry_alloc+0x2f0/0xb00 [<ffffffffadd28d8e>] cpu_map_update_elem+0x2fe/0x3d0 [<ffffffffadc6d0fd>] bpf_map_update_value.isra.0+0x2bd/0x520 [<ffffffffadc7349b>] map_update_elem+0x4cb/0x720 [<ffffffffadc7d983>] __se_sys_bpf+0x8c3/0xb90 [<ffffffffb029cc80>] do_syscall_64+0x30/0x40 [<ffffffffb0400099>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 In the cpu_map_update_elem flow, when kthread_stop is called before calling the threadfn of rcpu->kthread, since the KTHREAD_SHOULD_STOP bit of kthread has been set by kthread_stop, the threadfn of rcpu->kthread will never be executed, and rcpu->refcnt will never be 0, which will lead to the allocated rcpu, rcpu->queue and rcpu->queue->queue cannot be released. Calling kthread_stop before executing kthread's threadfn will return -EINTR. We can complete the release of memory resources in this state. CVE-2023-53441 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Block switchdev mode when ADQ is active and vice versa ADQ and switchdev are not supported simultaneously. Enabling both at the same time can result in nullptr dereference. To prevent this, check if ADQ is active when changing devlink mode to switchdev mode, and check if switchdev is active when enabling ADQ. CVE-2023-53442 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/ttm: fix bulk_move corruption when adding a entry When the resource is the first in the bulk_move range, adding it again (thus moving it to the tail) will corrupt the list since the first pointer is not moved. This eventually lead to null pointer deref in ttm_lru_bulk_move_del() CVE-2023-53444 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free Struct pcie_link_state->downstream is a pointer to the pci_dev of function 0. Previously we retained that pointer when removing function 0, and subsequent ASPM policy changes dereferenced it, resulting in a use-after-free warning from KASAN, e.g.: # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove # echo powersave > /sys/module/pcie_aspm/parameters/policy BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500 Call Trace: kasan_report+0xae/0xe0 pcie_config_aspm_link+0x42d/0x500 pcie_aspm_set_policy+0x8e/0x1a0 param_attr_store+0x162/0x2c0 module_attr_store+0x3e/0x80 PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM Control value in all functions of multi-function devices. Disable ASPM and free the pcie_link_state when any child function is removed so we can discard the dangling pcie_link_state->downstream pointer and maintain the same ASPM Control configuration for all functions. [bhelgaas: commit log and comment] CVE-2023-53446 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: f2fs: don't reset unchangable mount option in f2fs_remount() syzbot reports a bug as below: general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN RIP: 0010:__lock_acquire+0x69/0x2000 kernel/locking/lockdep.c:4942 Call Trace: lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5691 __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline] _raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300 __drop_extent_tree+0x3ac/0x660 fs/f2fs/extent_cache.c:1100 f2fs_drop_extent_tree+0x17/0x30 fs/f2fs/extent_cache.c:1116 f2fs_insert_range+0x2d5/0x3c0 fs/f2fs/file.c:1664 f2fs_fallocate+0x4e4/0x6d0 fs/f2fs/file.c:1838 vfs_fallocate+0x54b/0x6b0 fs/open.c:324 ksys_fallocate fs/open.c:347 [inline] __do_sys_fallocate fs/open.c:355 [inline] __se_sys_fallocate fs/open.c:353 [inline] __x64_sys_fallocate+0xbd/0x100 fs/open.c:353 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is race condition as below: - since it tries to remount rw filesystem, so that do_remount won't call sb_prepare_remount_readonly to block fallocate, there may be race condition in between remount and fallocate. - in f2fs_remount(), default_options() will reset mount option to default one, and then update it based on result of parse_options(), so there is a hole which race condition can happen. Thread A Thread B - f2fs_fill_super - parse_options - clear_opt(READ_EXTENT_CACHE) - f2fs_remount - default_options - set_opt(READ_EXTENT_CACHE) - f2fs_fallocate - f2fs_insert_range - f2fs_drop_extent_tree - __drop_extent_tree - __may_extent_tree - test_opt(READ_EXTENT_CACHE) return true - write_lock(&et->lock) access NULL pointer - parse_options - clear_opt(READ_EXTENT_CACHE) CVE-2023-53447 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: imxfb: Removed unneeded release_mem_region Remove unnecessary release_mem_region from the error path to prevent mem region from being released twice, which could avoid resource leak or other unexpected issues. CVE-2023-53448 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix potential NULL pointer dereference Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate pointer before dereferencing the pointer. CVE-2023-53451 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Correct devm device reference for hidinput input_dev name Reference the HID device rather than the input device for the devm allocation of the input_dev name. Referencing the input_dev would lead to a use-after-free when the input_dev was unregistered and subsequently fires a uevent that depends on the name. At the point of firing the uevent, the name would be freed by devres management. Use devm_kasprintf to simplify the logic for allocating memory and formatting the input_dev name string. CVE-2023-53454 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Add length check when parsing nlattrs There are three places that qla4xxx parses nlattrs: - qla4xxx_set_chap_entry() - qla4xxx_iface_set_param() - qla4xxx_sysfs_ddb_set_param() and each of them directly converts the nlattr to specific pointer of structure without length checking. This could be dangerous as those attributes are not validated and a malformed nlattr (e.g., length 0) could result in an OOB read that leaks heap dirty data. Add the nla_len check before accessing the nlattr data and return EINVAL if the length check fails. CVE-2023-53456 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: FS: JFS: Fix null-ptr-deref Read in txBegin Syzkaller reported an issue where txBegin may be called on a superblock in a read-only mounted filesystem which leads to NULL pointer deref. This could be solved by checking if the filesystem is read-only before calling txBegin, and returning with appropiate error code. CVE-2023-53457 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring: wait interruptibly for request completions on exit WHen the ring exits, cleanup is done and the final cancelation and waiting on completions is done by io_ring_exit_work. That function is invoked by kworker, which doesn't take any signals. Because of that, it doesn't really matter if we wait for completions in TASK_INTERRUPTIBLE or TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task detection checker! Normally we expect cancelations and completions to happen rather quickly. Some test cases, however, will exit the ring and park the owning task stopped (eg via SIGSTOP). If the owning task needs to run task_work to complete requests, then io_ring_exit_work won't make any progress until the task is runnable again. Hence io_ring_exit_work can trigger the hung task detection, which is particularly problematic if panic-on-hung-task is enabled. As the ring exit doesn't take signals to begin with, have it wait interruptibly rather than uninterruptibly. io_uring has a separate stuck-exit warning that triggers independently anyway, so we're not really missing anything by making this switch. CVE-2023-53461 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hsr: Fix uninit-value access in fill_frame_info() Syzbot reports the following uninit-value access problem. ===================================================== BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline] BUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616 fill_frame_info net/hsr/hsr_forward.c:601 [inline] hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616 hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223 __netdev_start_xmit include/linux/netdevice.h:4889 [inline] netdev_start_xmit include/linux/netdevice.h:4903 [inline] xmit_one net/core/dev.c:3544 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560 __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340 dev_queue_xmit include/linux/netdevice.h:3082 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] __sys_sendto+0x781/0xa30 net/socket.c:2176 __do_sys_sendto net/socket.c:2188 [inline] __se_sys_sendto net/socket.c:2184 [inline] __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:644 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] __sys_sendto+0x781/0xa30 net/socket.c:2176 __do_sys_sendto net/socket.c:2188 [inline] __se_sys_sendto net/socket.c:2184 [inline] __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 It is because VLAN not yet supported in hsr driver. Return error when protocol is ETH_P_8021Q in fill_frame_info() now to fix it. CVE-2023-53462 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Do not reset dql stats on NON_FATAL err All ibmvnic resets, make a call to netdev_tx_reset_queue() when re-opening the device. netdev_tx_reset_queue() resets the num_queued and num_completed byte counters. These stats are used in Byte Queue Limit (BQL) algorithms. The difference between these two stats tracks the number of bytes currently sitting on the physical NIC. ibmvnic increases the number of queued bytes though calls to netdev_tx_sent_queue() in the drivers xmit function. When, VIOS reports that it is done transmitting bytes, the ibmvnic device increases the number of completed bytes through calls to netdev_tx_completed_queue(). It is important to note that the driver batches its transmit calls and num_queued is increased every time that an skb is added to the next batch, not necessarily when the batch is sent to VIOS for transmission. Unlike other reset types, a NON FATAL reset will not flush the sub crq tx buffers. Therefore, it is possible for the batched skb array to be partially full. So if there is call to netdev_tx_reset_queue() when re-opening the device, the value of num_queued (0) would not account for the skb's that are currently batched. Eventually, when the batch is sent to VIOS, the call to netdev_tx_completed_queue() would increase num_completed to a value greater than the num_queued. This causes a BUG_ON crash: ibmvnic 30000002: Firmware reports error, cause: adapter problem. Starting recovery... ibmvnic 30000002: tx error 600 ibmvnic 30000002: tx error 600 ibmvnic 30000002: tx error 600 ibmvnic 30000002: tx error 600 ------------[ cut here ]------------ kernel BUG at lib/dynamic_queue_limits.c:27! Oops: Exception in kernel mode, sig: 5 [....] NIP dql_completed+0x28/0x1c0 LR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic] Call Trace: ibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable) ibmvnic_interrupt_tx+0x40/0x70 [ibmvnic] __handle_irq_event_percpu+0x98/0x270 ---[ end trace ]--- Therefore, do not reset the dql stats when performing a NON_FATAL reset. CVE-2023-53463 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: soundwire: qcom: fix storing port config out-of-bounds The 'qcom_swrm_ctrl->pconfig' has size of QCOM_SDW_MAX_PORTS (14), however we index it starting from 1, not 0, to match real port numbers. This can lead to writing port config past 'pconfig' bounds and overwriting next member of 'qcom_swrm_ctrl' struct. Reported also by smatch: drivers/soundwire/qcom.c:1269 qcom_swrm_get_port_config() error: buffer overflow 'ctrl->pconfig' 14 <= 14 CVE-2023-53465 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pwm: lpc32xx: Remove handling of PWM channels Because LPC32xx PWM controllers have only a single output which is registered as the only PWM device/channel per controller, it is known in advance that pwm->hwpwm value is always 0. On basis of this fact simplify the code by removing operations with pwm->hwpwm, there is no controls which require channel number as input. Even though I wasn't aware at the time when I forward ported that patch, this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL before devm_pwmchip_add() is called. CVE-2023-53472 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: cxl/acpi: Fix a use-after-free in cxl_parse_cfmws() KASAN and KFENCE detected an user-after-free in the CXL driver. This happens in the cxl_decoder_add() fail path. KASAN prints the following error: BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299) This happens in cxl_parse_cfmws(), where put_device() is called, releasing cxld, which is accessed later. Use the local variables in the dev_err() instead of pointing to the released memory. Since the dev_err() is printing a resource, change the open coded print format to use the %pr format specifier. CVE-2023-53479 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: kobject: Add sanity check for kset->kobj.ktype in kset_register() When I register a kset in the following way: static struct kset my_kset; kobject_set_name(&my_kset.kobj, "my_kset"); ret = kset_register(&my_kset); A null pointer dereference exception is occurred: [ 4453.568337] Unable to handle kernel NULL pointer dereference at \ virtual address 0000000000000028 ... ... [ 4453.810361] Call trace: [ 4453.813062] kobject_get_ownership+0xc/0x34 [ 4453.817493] kobject_add_internal+0x98/0x274 [ 4453.822005] kset_register+0x5c/0xb4 [ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset] ... ... Because I didn't initialize my_kset.kobj.ktype. According to the description in Documentation/core-api/kobject.rst: - A ktype is the type of object that embeds a kobject. Every structure that embeds a kobject needs a corresponding ktype. So add sanity check to make sure kset->kobj.ktype is not NULL. CVE-2023-53480 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev Syzkaller reported the following issue: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 index -84 is out of range for type 's8[341]' (aka 'signed char[341]') CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 lookup_open fs/namei.c:3492 [inline] open_last_lookups fs/namei.c:3560 [inline] path_openat+0x13df/0x3170 fs/namei.c:3788 do_filp_open+0x234/0x490 fs/namei.c:3818 do_sys_openat2+0x13f/0x500 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x247/0x290 fs/open.c:1383 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f1f4e33f7e9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> The bug occurs when the dbAllocDmapLev()function attempts to access dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. To rectify this, the patch introduces a safeguard within the dbAllocDmapLev() function. A check has been added to verify if leafidx is negative. If it is, the function immediately returns an I/O error, preventing any further execution that could potentially cause harm. Tested via syzbot. CVE-2023-53485 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas_flash: allow user copy to flash block cache objects With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the /proc/powerpc/rtas/firmware_update interface to prepare a system firmware update yields a BUG(): kernel BUG at mm/usercopy.c:102! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2 Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000 REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+) MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002242 XER: 0000000c CFAR: c0000000001fbd34 IRQMASK: 0 [ ... GPRs omitted ... ] NIP usercopy_abort+0xa0/0xb0 LR usercopy_abort+0x9c/0xb0 Call Trace: usercopy_abort+0x9c/0xb0 (unreliable) __check_heap_object+0x1b4/0x1d0 __check_object_size+0x2d0/0x380 rtas_flash_write+0xe4/0x250 proc_reg_write+0xfc/0x160 vfs_write+0xfc/0x4e0 ksys_write+0x90/0x160 system_call_exception+0x178/0x320 system_call_common+0x160/0x2c4 The blocks of the firmware image are copied directly from user memory to objects allocated from flash_block_cache, so flash_block_cache must be created using kmem_cache_create_usercopy() to mark it safe for user access. [mpe: Trim and indent oops] CVE-2023-53487 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix possible panic during hotplug remove During hotplug remove it is possible that the update counters work might be pending, and may run after memory has been freed. Cancel the update counters work before freeing memory. CVE-2023-53488 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: fix disconnect vs accept race Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in recvmsg()"), the mptcp protocol is still prone to a race between disconnect() (or shutdown) and accept. The root cause is that the mentioned commit checks the msk-level flag, but mptcp_stream_accept() does acquire the msk-level lock, as it can rely directly on the first subflow lock. As reported by Christoph than can lead to a race where an msk socket is accepted after that mptcp_subflow_queue_clean() releases the listener socket lock and just before it takes destructive actions leading to the following splat: BUG: kernel NULL pointer dereference, address: 0000000000000012 PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330 Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 <0f> b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89 RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300 RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020 R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880 FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> do_accept+0x1ae/0x260 net/socket.c:1872 __sys_accept4+0x9b/0x110 net/socket.c:1913 __do_sys_accept4 net/socket.c:1954 [inline] __se_sys_accept4 net/socket.c:1951 [inline] __x64_sys_accept4+0x20/0x30 net/socket.c:1951 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Address the issue by temporary removing the pending request socket from the accept queue, so that racing accept() can't touch them. After depleting the msk - the ssk still exists, as plain TCP sockets, re-insert them into the accept queue, so that later inet_csk_listen_stop() will complete the tcp socket disposal. CVE-2023-53490 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: start_kernel: Add __no_stack_protector function attribute Back during the discussion of commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try") we discussed the need for a function attribute to control the omission of stack protectors on a per-function basis; at the time Clang had support for no_stack_protector but GCC did not. This was fixed in gcc-11. Now that the function attribute is available, let's start using it. Callers of boot_init_stack_canary need to use this function attribute unless they're compiled with -fno-stack-protector, otherwise the canary stored in the stack slot of the caller will differ upon the call to boot_init_stack_canary. This will lead to a call to __stack_chk_fail() then panic. CVE-2023-53491 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: accel/qaic: tighten bounds checking in decode_message() Copy the bounds checking from encode_message() to decode_message(). This patch addresses the following concerns. Ensure that there is enough space for at least one header so that we don't have a negative size later. if (msg_hdr_len < sizeof(*trans_hdr)) Ensure that we have enough space to read the next header from the msg->data. if (msg_len > msg_hdr_len - sizeof(*trans_hdr)) return -EINVAL; Check that the trans_hdr->len is not below the minimum size: if (hdr_len < sizeof(*trans_hdr)) This minimum check ensures that we don't corrupt memory in decode_passthrough() when we do. memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr)); And finally, use size_add() to prevent an integer overflow: if (size_add(msg_len, hdr_len) > msg_hdr_len) CVE-2023-53493 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() rules is allocated in ethtool_get_rxnfc and the size is determined by rule_cnt from user space. So rule_cnt needs to be check before using rules to avoid OOB writing or NULL pointer dereference. CVE-2023-53495 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/platform/uv: Use alternate source for socket to node data The UV code attempts to build a set of tables to allow it to do bidirectional socket<=>node lookups. But when nr_cpus is set to a smaller number than actually present, the cpu_to_node() mapping information for unused CPUs is not available to build_socket_tables(). This results in skipping some nodes or sockets when creating the tables and leaving some -1's for later code to trip. over, causing oopses. The problem is that the socket<=>node lookups are created by doing a loop over all CPUs, then looking up the CPU's APICID and socket. But if a CPU is not present, there is no way to start this lookup. Instead of looping over all CPUs, take CPUs out of the equation entirely. Loop over all APICIDs which are mapped to a valid NUMA node. Then just extract the socket-id from the APICID. This avoid tripping over disabled CPUs. CVE-2023-53496 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfrm: fix slab-use-after-free in decode_session6 When the xfrm device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when the xfrm device sends IPv6 packets. The stack information is as follows: BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 Read of size 1 at addr ffff8881111458ef by task swapper/3/0 CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0xd9/0x150 print_address_description.constprop.0+0x2c/0x3c0 kasan_report+0x11d/0x130 decode_session6+0x103f/0x1890 __xfrm_decode_session+0x54/0xb0 xfrmi_xmit+0x173/0x1ca0 dev_hard_start_xmit+0x187/0x700 sch_direct_xmit+0x1a3/0xc30 __qdisc_run+0x510/0x17a0 __dev_queue_xmit+0x2215/0x3b10 neigh_connected_output+0x3c2/0x550 ip6_finish_output2+0x55a/0x1550 ip6_finish_output+0x6b9/0x1270 ip6_output+0x1f1/0x540 ndisc_send_skb+0xa63/0x1890 ndisc_send_rs+0x132/0x6f0 addrconf_rs_timer+0x3f1/0x870 call_timer_fn+0x1a0/0x580 expire_timers+0x29b/0x4b0 run_timer_softirq+0x326/0x910 __do_softirq+0x1d4/0x905 irq_exit_rcu+0xb7/0x120 sysvec_apic_timer_interrupt+0x97/0xc0 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:intel_idle_hlt+0x23/0x30 Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4 RSP: 0018:ffffc90000197d78 EFLAGS: 00000246 RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5 RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50 RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001 R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000 cpuidle_enter_state+0xd3/0x6f0 cpuidle_enter+0x4e/0xa0 do_idle+0x2fe/0x3c0 cpu_startup_entry+0x18/0x20 start_secondary+0x200/0x290 secondary_startup_64_no_verify+0x167/0x16b </TASK> Allocated by task 939: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x7f/0x90 kmem_cache_alloc_node+0x1cd/0x410 kmalloc_reserve+0x165/0x270 __alloc_skb+0x129/0x330 inet6_ifa_notify+0x118/0x230 __ipv6_ifa_notify+0x177/0xbe0 addrconf_dad_completed+0x133/0xe00 addrconf_dad_work+0x764/0x1390 process_one_work+0xa32/0x16f0 worker_thread+0x67d/0x10c0 kthread+0x344/0x440 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff888111145800 which belongs to the cache skbuff_small_head of size 640 The buggy address is located 239 bytes inside of freed 640-byte region [ffff888111145800, ffff888111145a80) As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets. CVE-2023-53500 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind When unbinding pasid - a race condition exists vs outstanding page faults. To prevent this, the pasid_state object contains a refcount. * set to 1 on pasid bind * incremented on each ppr notification start * decremented on each ppr notification done * decremented on pasid unbind Since refcount_dec assumes that refcount will never reach 0: the current implementation causes the following to be invoked on pasid unbind: REFCOUNT_WARN("decrement hit 0; leaking memory") Fix this issue by changing refcount_dec to refcount_dec_and_test to explicitly handle refcount=1. CVE-2023-53501 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF ib_dealloc_device() should be called only after device cleanup. Fix the dealloc sequence. CVE-2023-53504 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: tegra: tegra124-emc: Fix potential memory leak The tegra and tegra needs to be freed in the error handling path, otherwise it will be leaked. CVE-2023-53505 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Unregister devlink params in case interface is down Currently, in case an interface is down, mlx5 driver doesn't unregister its devlink params, which leads to this WARN[1]. Fix it by unregistering devlink params in that case as well. [1] [ 295.244769 ] WARNING: CPU: 15 PID: 1 at net/core/devlink.c:9042 devlink_free+0x174/0x1fc [ 295.488379 ] CPU: 15 PID: 1 Comm: shutdown Tainted: G S OE 5.15.0-1017.19.3.g0677e61-bluefield #g0677e61 [ 295.509330 ] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.2.0.12761 Jun 6 2023 [ 295.543096 ] pc : devlink_free+0x174/0x1fc [ 295.551104 ] lr : mlx5_devlink_free+0x18/0x2c [mlx5_core] [ 295.561816 ] sp : ffff80000809b850 [ 295.711155 ] Call trace: [ 295.716030 ] devlink_free+0x174/0x1fc [ 295.723346 ] mlx5_devlink_free+0x18/0x2c [mlx5_core] [ 295.733351 ] mlx5_sf_dev_remove+0x98/0xb0 [mlx5_core] [ 295.743534 ] auxiliary_bus_remove+0x2c/0x50 [ 295.751893 ] __device_release_driver+0x19c/0x280 [ 295.761120 ] device_release_driver+0x34/0x50 [ 295.769649 ] bus_remove_device+0xdc/0x170 [ 295.777656 ] device_del+0x17c/0x3a4 [ 295.784620 ] mlx5_sf_dev_remove+0x28/0xf0 [mlx5_core] [ 295.794800 ] mlx5_sf_dev_table_destroy+0x98/0x110 [mlx5_core] [ 295.806375 ] mlx5_unload+0x34/0xd0 [mlx5_core] [ 295.815339 ] mlx5_unload_one+0x70/0xe4 [mlx5_core] [ 295.824998 ] shutdown+0xb0/0xd8 [mlx5_core] [ 295.833439 ] pci_device_shutdown+0x3c/0xa0 [ 295.841651 ] device_shutdown+0x170/0x340 [ 295.849486 ] __do_sys_reboot+0x1f4/0x2a0 [ 295.857322 ] __arm64_sys_reboot+0x2c/0x40 [ 295.865329 ] invoke_syscall+0x78/0x100 [ 295.872817 ] el0_svc_common.constprop.0+0x54/0x184 [ 295.882392 ] do_el0_svc+0x30/0xac [ 295.889008 ] el0_svc+0x48/0x160 [ 295.895278 ] el0t_64_sync_handler+0xa4/0x130 [ 295.903807 ] el0t_64_sync+0x1a4/0x1a8 [ 295.911120 ] ---[ end trace 4f1d2381d00d9dce ]--- CVE-2023-53507 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: ublk: fail to start device if queue setup is interrupted In ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is interrupted by signal, queues aren't setup successfully yet, so we have to fail UBLK_CMD_START_DEV, otherwise kernel oops can be triggered. Reported by German when working on qemu-storage-deamon which requires single thread ublk daemon. CVE-2023-53508 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix handling of lrbp->cmd ufshcd_queuecommand() may be called two times in a row for a SCSI command before it is completed. Hence make the following changes: - In the functions that submit a command, do not check the old value of lrbp->cmd nor clear lrbp->cmd in error paths. - In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd. See also scsi_send_eh_cmnd(). This commit prevents that the following appears if a command times out: WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8 Call trace: ufshcd_queuecommand+0x6f8/0x9a8 scsi_send_eh_cmnd+0x2c0/0x960 scsi_eh_test_devices+0x100/0x314 scsi_eh_ready_devs+0xd90/0x114c scsi_error_handler+0x2b4/0xb70 kthread+0x16c/0x1e0 CVE-2023-53510 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: virtio-mmio: don't break lifecycle of vm_dev vm_dev has a separate lifecycle because it has a 'struct device' embedded. Thus, having a release callback for it is correct. Allocating the vm_dev struct with devres totally breaks this protection, though. Instead of waiting for the vm_dev release callback, the memory is freed when the platform_device is removed. Resulting in a use-after-free when finally the callback is to be called. To easily see the problem, compile the kernel with CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs. The fix is easy, don't use devres in this case. Found during my research about object lifetime problems. CVE-2023-53515 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff") added one additional attribute named IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutfoff. However, it forgot to describe the nla_policy at macvlan_policy (drivers/net/macvlan.c). Hence, this suppose NLA_S32 (4 bytes) integer can be faked as empty (0 bytes) by a malicious user, which could leads to OOB in heap just like CVE-2023-3773. To fix it, this commit just completes the nla_policy description for IFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the potential OOB read. CVE-2023-53516 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix leak in devfreq_dev_release() srcu_init_notifier_head() allocates resources that need to be released with a srcu_cleanup_notifier_head() call. Reported by kmemleak. CVE-2023-53518 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: media: v4l2-mem2mem: add lock to protect parameter num_rdy Getting below error when using KCSAN to check the driver. Adding lock to protect parameter num_rdy when getting the value with function: v4l2_m2m_num_src_bufs_ready/v4l2_m2m_num_dst_bufs_ready. kworker/u16:3: [name:report&]BUG: KCSAN: data-race in v4l2_m2m_buf_queue kworker/u16:3: [name:report&] kworker/u16:3: [name:report&]read-write to 0xffffff8105f35b94 of 1 bytes by task 20865 on cpu 7: kworker/u16:3: v4l2_m2m_buf_queue+0xd8/0x10c CVE-2023-53519 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix hci_suspend_sync crash If hci_unregister_dev() frees the hci_dev object but hci_suspend_notifier may still be accessing it, it can cause the program to crash. Here's the call trace: <4>[102152.653246] Call Trace: <4>[102152.653254] hci_suspend_sync+0x109/0x301 [bluetooth] <4>[102152.653259] hci_suspend_dev+0x78/0xcd [bluetooth] <4>[102152.653263] hci_suspend_notifier+0x42/0x7a [bluetooth] <4>[102152.653268] notifier_call_chain+0x43/0x6b <4>[102152.653271] __blocking_notifier_call_chain+0x48/0x69 <4>[102152.653273] __pm_notifier_call_chain+0x22/0x39 <4>[102152.653276] pm_suspend+0x287/0x57c <4>[102152.653278] state_store+0xae/0xe5 <4>[102152.653281] kernfs_fop_write+0x109/0x173 <4>[102152.653284] __vfs_write+0x16f/0x1a2 <4>[102152.653287] ? selinux_file_permission+0xca/0x16f <4>[102152.653289] ? security_file_permission+0x36/0x109 <4>[102152.653291] vfs_write+0x114/0x21d <4>[102152.653293] __x64_sys_write+0x7b/0xdb <4>[102152.653296] do_syscall_64+0x59/0x194 <4>[102152.653299] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 This patch holds the reference count of the hci_dev object while processing it in hci_suspend_notifier to avoid potential crash caused by the race condition. CVE-2023-53520 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: fix time stamp counter initialization If the gs_usb device driver is unloaded (or unbound) before the interface is shut down, the USB stack first calls the struct usb_driver::disconnect and then the struct net_device_ops::ndo_stop callback. In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more RX'ed CAN frames are send from the USB device to the host. Later in gs_can_close() a reset control message is send to each CAN channel to remove the controller from the CAN bus. In this race window the USB device can still receive CAN frames from the bus and internally queue them to be send to the host. At least in the current version of the candlelight firmware, the queue of received CAN frames is not emptied during the reset command. After loading (or binding) the gs_usb driver, new URBs are submitted during the struct net_device_ops::ndo_open callback and the candlelight firmware starts sending its already queued CAN frames to the host. However, this scenario was not considered when implementing the hardware timestamp function. The cycle counter/time counter infrastructure is set up (gs_usb_timestamp_init()) after the USBs are submitted, resulting in a NULL pointer dereference if timecounter_cyc2time() (via the call chain: gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() -> gs_usb_skb_set_timestamp()) is called too early. Move the gs_usb_timestamp_init() function before the URBs are submitted to fix this problem. For a comprehensive solution, we need to consider gs_usb devices with more than 1 channel. The cycle counter/time counter infrastructure is setup per channel, but the RX URBs are per device. Once gs_can_open() of _a_ channel has been called, and URBs have been submitted, the gs_usb_receive_bulk_callback() can be called for _all_ available channels, even for channels that are not running, yet. As cycle counter/time counter has not set up, this will again lead to a NULL pointer dereference. Convert the cycle counter/time counter from a "per channel" to a "per device" functionality. Also set it up, before submitting any URBs to the device. Further in gs_usb_receive_bulk_callback(), don't process any URBs for not started CAN channels, only resubmit the URB. CVE-2023-53523 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jbd2: check 'jh->b_transaction' before removing it from checkpoint Following process will corrupt ext4 image: Step 1: jbd2_journal_commit_transaction __jbd2_journal_insert_checkpoint(jh, commit_transaction) // Put jh into trans1->t_checkpoint_list journal->j_checkpoint_transactions = commit_transaction // Put trans1 into journal->j_checkpoint_transactions Step 2: do_get_write_access test_clear_buffer_dirty(bh) // clear buffer dirty，set jbd dirty __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2 Step 3: drop_cache journal_shrink_one_cp_list jbd2_journal_try_remove_checkpoint if (!trylock_buffer(bh)) // lock bh, true if (buffer_dirty(bh)) // buffer is not dirty __jbd2_journal_remove_checkpoint(jh) // remove jh from trans1->t_checkpoint_list Step 4: jbd2_log_do_checkpoint trans1 = journal->j_checkpoint_transactions // jh is not in trans1->t_checkpoint_list jbd2_cleanup_journal_tail(journal) // trans1 is done Step 5: Power cut, trans2 is not committed, jh is lost in next mounting. Fix it by checking 'jh->b_transaction' before remove it from checkpoint. CVE-2023-53526 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix memory leak in tb_handle_dp_bandwidth_request() The memory allocated in tb_queue_dp_bandwidth_request() needs to be released once the request is handled to avoid leaking it. CVE-2023-53527 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix unsafe drain work queue code If create_qp does not fully succeed it is possible for qp cleanup code to attempt to drain the send or recv work queues before the queues have been created causing a seg fault. This patch checks to see if the queues exist before attempting to drain them. CVE-2023-53528 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id() The following call trace was observed: localhost kernel: nvme nvme0: NVME-FC{0}: controller connect complete localhost kernel: BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u129:4/75092 localhost kernel: nvme nvme0: NVME-FC{0}: new ctrl: NQN "nqn.1992-08.com.netapp:sn.b42d198afb4d11ecad6d00a098d6abfa:subsystem.PR_Channel2022_RH84_subsystem_291" localhost kernel: caller is qla_nvme_post_cmd+0x216/0x1380 [qla2xxx] localhost kernel: CPU: 6 PID: 75092 Comm: kworker/u129:4 Kdump: loaded Tainted: G B W OE --------- --- 5.14.0-70.22.1.el9_0.x86_64+debug #1 localhost kernel: Hardware name: HPE ProLiant XL420 Gen10/ProLiant XL420 Gen10, BIOS U39 01/13/2022 localhost kernel: Workqueue: nvme-wq nvme_async_event_work [nvme_core] localhost kernel: Call Trace: localhost kernel: dump_stack_lvl+0x57/0x7d localhost kernel: check_preemption_disabled+0xc8/0xd0 localhost kernel: qla_nvme_post_cmd+0x216/0x1380 [qla2xxx] Use raw_smp_processor_id() instead of smp_processor_id(). Also use queue_work() across the driver instead of queue_work_on() thus avoiding usage of smp_processor_id() when CONFIG_DEBUG_PREEMPT is enabled. CVE-2023-53530 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: null_blk: fix poll request timeout handling When doing io_uring benchmark on /dev/nullb0, it's easy to crash the kernel if poll requests timeout triggered, as reported by David. [1] BUG: kernel NULL pointer dereference, address: 0000000000000008 Workqueue: kblockd blk_mq_timeout_work RIP: 0010:null_timeout_rq+0x4e/0x91 Call Trace: ? null_timeout_rq+0x4e/0x91 blk_mq_handle_expired+0x31/0x4b bt_iter+0x68/0x84 ? bt_tags_iter+0x81/0x81 __sbitmap_for_each_set.constprop.0+0xb0/0xf2 ? __blk_mq_complete_request_remote+0xf/0xf bt_for_each+0x46/0x64 ? __blk_mq_complete_request_remote+0xf/0xf ? percpu_ref_get_many+0xc/0x2a blk_mq_queue_tag_busy_iter+0x14d/0x18e blk_mq_timeout_work+0x95/0x127 process_one_work+0x185/0x263 worker_thread+0x1b5/0x227 This is indeed a race problem between null_timeout_rq() and null_poll(). null_poll() null_timeout_rq() spin_lock(&nq->poll_lock) list_splice_init(&nq->poll_list, &list) spin_unlock(&nq->poll_lock) while (!list_empty(&list)) req = list_first_entry() list_del_init() ... blk_mq_add_to_batch() // req->rq_next = NULL spin_lock(&nq->poll_lock) // rq->queuelist->next == NULL list_del_init(&rq->queuelist) spin_unlock(&nq->poll_lock) Fix these problems by setting requests state to MQ_RQ_COMPLETE under nq->poll_lock protection, in which null_timeout_rq() can safely detect this race and early return. Note this patch just fix the kernel panic when request timeout happen. [1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/ CVE-2023-53531 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. CVE-2024-10041 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:pam-1.3.0-150000.6.86.1 moderate When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. CVE-2024-11053 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. CVE-2024-12718 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-3.6.15-150300.10.97.2 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-curses-3.6.15-150300.10.97.2 moderate When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug. CVE-2024-2004 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. CVE-2024-2379 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc). CVE-2024-2466 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: tls: handle backlogging of crypto requests Since we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our requests to the crypto API, crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. For example, when the cryptd queue for AESNI is full (easy to trigger with an artificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued to the backlog but still processed. In that case, the async callback will also be called twice: first with err == -EINPROGRESS, which it seems we can just ignore, then with err == 0. Compared to Sabrina's original patch this version uses the new tls_*crypt_async_wait() helpers and converts the EBUSY to EINPROGRESS to avoid having to modify all the error handling paths. The handling is identical. CVE-2024-26584 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL. CVE-2024-26661 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/handshake: Fix handshake_req_destroy_test1 Recently, handshake_req_destroy_test1 started failing: Expected handshake_req_destroy_test == req, but handshake_req_destroy_test == 0000000000000000 req == 0000000060f99b40 not ok 11 req_destroy works This is because "sock_release(sock)" was replaced with "fput(filp)" to address a memory leak. Note that sock_release() is synchronous but fput() usually delays the final close and clean-up. The delay is not consequential in the other cases that were changed but handshake_req_destroy_test1 is testing that handshake_req_cancel() followed by closing the file actually does call the ->hp_destroy method. Thus the PTR_EQ test at the end has to be sure that the final close is complete before it checks the pointer. We cannot use a completion here because if ->hp_destroy is never called (ie, there is an API bug) then the test will hang. Reported by: Guenter Roeck <linux@roeck-us.net> CVE-2024-26831 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab. CVE-2024-35221 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libruby2_5-2_5-2.5.9-150000.4.49.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:ruby2.5-2.5.9-150000.4.49.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:ruby2.5-stdlib-2.5.9-150000.4.49.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() When I did memory failure tests recently, below warning occurs: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 8 PID: 1011 at kernel/locking/lockdep.c:232 __lock_acquire+0xccb/0x1ca0 Modules linked in: mce_inject hwpoison_inject CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire+0xccb/0x1ca0 RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0 RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10 R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004 FS: 00007ff9f32aa740(0000) GS:ffffa1ce5fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff9f3134ba0 CR3: 00000008484e4000 CR4: 00000000000006f0 Call Trace: <TASK> lock_acquire+0xbe/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 hugepage_subpool_put_pages.part.0+0xe/0xc0 free_huge_folio+0x253/0x3f0 dissolve_free_huge_page+0x147/0x210 __page_handle_poison+0x9/0x70 memory_failure+0x4e6/0x8c0 hard_offline_page_store+0x55/0xa0 kernfs_fop_write_iter+0x12c/0x1d0 vfs_write+0x380/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xbc/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff9f3114887 RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001 RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> panic+0x326/0x350 check_panic_on_warn+0x4f/0x50 __warn+0x98/0x190 report_bug+0x18e/0x1a0 handle_bug+0x3d/0x70 exc_invalid_op+0x18/0x70 asm_exc_invalid_op+0x1a/0x20 RIP: 0010:__lock_acquire+0xccb/0x1ca0 RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0 RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10 R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004 lock_acquire+0xbe/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 hugepage_subpool_put_pages.part.0+0xe/0xc0 free_huge_folio+0x253/0x3f0 dissolve_free_huge_page+0x147/0x210 __page_handle_poison+0x9/0x70 memory_failure+0x4e6/0x8c0 hard_offline_page_store+0x55/0xa0 kernfs_fop_write_iter+0x12c/0x1d0 vfs_write+0x380/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xbc/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff9f3114887 RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001 RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 </TASK> After git bisecting and digging into the code, I believe the root cause is that _deferred_list field of folio is unioned with _hugetlb_subpool field. In __update_and_free_hugetlb_folio(), folio->_deferred_ ---truncated--- CVE-2024-36028 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. CVE-2024-36350 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages When I did memory failure tests recently, below panic occurs: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00 flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff) raw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(!PageBuddy(page)) ------------[ cut here ]------------ kernel BUG at include/linux/page-flags.h:1009! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:__del_page_from_free_list+0x151/0x180 RSP: 0018:ffffa49c90437998 EFLAGS: 00000046 RAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0 RBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69 R10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80 R13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009 FS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0 Call Trace: <TASK> __rmqueue_pcplist+0x23b/0x520 get_page_from_freelist+0x26b/0xe40 __alloc_pages_noprof+0x113/0x1120 __folio_alloc_noprof+0x11/0xb0 alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130 __alloc_fresh_hugetlb_folio+0xe7/0x140 alloc_pool_huge_folio+0x68/0x100 set_max_huge_pages+0x13d/0x340 hugetlb_sysctl_handler_common+0xe8/0x110 proc_sys_call_handler+0x194/0x280 vfs_write+0x387/0x550 ksys_write+0x64/0xe0 do_syscall_64+0xc2/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff916114887 RSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887 RDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003 RBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0 R10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004 R13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00 </TASK> Modules linked in: mce_inject hwpoison_inject ---[ end trace 0000000000000000 ]--- And before the panic, there had an warning about bad page state: BUG: Bad page state in process page-types pfn:8cee00 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00 flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff) page_type: 0xffffff7f(buddy) raw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000 raw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000 page dumped because: nonzero mapcount Modules linked in: mce_inject hwpoison_inject CPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22 Call Trace: <TASK> dump_stack_lvl+0x83/0xa0 bad_page+0x63/0xf0 free_unref_page+0x36e/0x5c0 unpoison_memory+0x50b/0x630 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110 debugfs_attr_write+0x42/0x60 full_proxy_write+0x5b/0x80 vfs_write+0xcd/0x550 ksys_write+0x64/0xe0 do_syscall_64+0xc2/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f189a514887 RSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887 RDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003 RBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8 R13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040 </TASK> The root cause should be the below race: memory_failure try_memory_failure_hugetlb me_huge_page __page_handle_poison dissolve_free_hugetlb_folio drain_all_pages -- Buddy page can be isolated e.g. for compaction. take_page_off_buddy -- Failed as page is not in the ---truncated--- CVE-2024-39298 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: do not BUG_ON() when freeing tree block after error When freeing a tree block, at btrfs_free_tree_block(), if we fail to create a delayed reference we don't deal with the error and just do a BUG_ON(). The error most likely to happen is -ENOMEM, and we have a comment mentioning that only -ENOMEM can happen, but that is not true, because in case qgroups are enabled any error returned from btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned from btrfs_search_slot() for example) can be propagated back to btrfs_free_tree_block(). So stop doing a BUG_ON() and return the error to the callers and make them abort the transaction to prevent leaking space. Syzbot was triggering this, likely due to memory allocation failure injection. CVE-2024-44963 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix qgroup reserve leaks in cow_file_range In the buffered write path, the dirty page owns the qgroup reserve until it creates an ordered_extent. Therefore, any errors that occur before the ordered_extent is created must free that reservation, or else the space is leaked. The fstest generic/475 exercises various IO error paths, and is able to trigger errors in cow_file_range where we fail to get to allocating the ordered extent. Note that because we *do* clear delalloc, we are likely to remove the inode from the delalloc list, so the inodes/pages to not have invalidate/launder called on them in the commit abort path. This results in failures at the unmount stage of the test that look like: BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672 ------------[ cut here ]------------ WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs] Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W 6.10.0-rc7-gab56fde445b8 #21 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:close_ctree+0x222/0x4d0 [btrfs] RSP: 0018:ffffb4465283be00 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8 RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0 Call Trace: <TASK> ? close_ctree+0x222/0x4d0 [btrfs] ? __warn.cold+0x8e/0xea ? close_ctree+0x222/0x4d0 [btrfs] ? report_bug+0xff/0x140 ? handle_bug+0x3b/0x70 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? close_ctree+0x222/0x4d0 [btrfs] generic_shutdown_super+0x70/0x160 kill_anon_super+0x11/0x40 btrfs_kill_super+0x11/0x20 [btrfs] deactivate_locked_super+0x2e/0xa0 cleanup_mnt+0xb5/0x150 task_work_run+0x57/0x80 syscall_exit_to_user_mode+0x121/0x130 do_syscall_64+0xab/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f916847a887 ---[ end trace 0000000000000000 ]--- BTRFS error (device dm-8 state EA): qgroup reserved space leaked Cases 2 and 3 in the out_reserve path both pertain to this type of leak and must free the reserved qgroup data. Because it is already an error path, I opted not to handle the possible errors in btrfs_free_qgroup_data. CVE-2024-46733 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg When receiving proposal msg in server, the fields v2_ext_offset/ eid_cnt/ism_gid_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field v2_ext_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt before using them. CVE-2024-49568 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix helper writes to read-only maps Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments. In check_func_arg() when the argument is as mentioned, the meta->raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds. The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway. However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via *<ptr> = val. The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>). MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *<ptr> = val. CVE-2024-49861 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: Fix buffer overflow when parsing NFS reparse points ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len. Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access. Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev(). CVE-2024-49996 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: fix race between laundromat and free_stateid There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 This patch proposes a fixed that's based on adding 2 new additional stid's sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First to make sure, that once the stid is marked revoked, it is not removed by the nfsd4_free_stateid(), the laundromat take a reference on the stateid. Then, coordinating whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each check that state and act accordingly. If laundromat has added to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list. Also, for nfsd4_delegreturn() when looking for the specified stid, we need to access stid that are marked removed or freeable, it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely. CVE-2024-50106 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. CVE-2024-52615 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libavahi-client3-0.8-150600.15.9.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libavahi-common3-0.8-150600.15.9.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: sync_linked_regs() must preserve subreg_def Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set: 0: call bpf_ktime_get_ns call bpf_ktime_get_ns 1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff 2: w1 = w0 rewrites w1 = w0 3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r) 4: r1 >>= 32 r11 <<= 32 (r) 5: r0 = r1 r1 |= r11 (r) 6: exit; if w0 < 0xa goto pc+0 r1 >>= 32 r0 = r1 exit (or zero extension of w1 at (2) is missing for architectures that require zero extension for upper register half). The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2) for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random value for hi32 bits of (2) (marked (r)); - this random value is read at (5). CVE-2024-53125 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: sched/numa: fix memory leak due to the overwritten vma->numab_state [Problem Description] When running the hackbench program of LTP, the following memory leak is reported by kmemleak. # /opt/ltp/testcases/bin/hackbench 20 thread 1000 Running with 20*40 (== 800) tasks. # dmesg | grep kmemleak ... kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888cd8ca2c40 (size 64): comm "hackbench", pid 17142, jiffies 4299780315 hex dump (first 32 bytes): ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00 .tI.....L.I..... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc bff18fd4): [<ffffffff81419a89>] __kmalloc_cache_noprof+0x2f9/0x3f0 [<ffffffff8113f715>] task_numa_work+0x725/0xa00 [<ffffffff8110f878>] task_work_run+0x58/0x90 [<ffffffff81ddd9f8>] syscall_exit_to_user_mode+0x1c8/0x1e0 [<ffffffff81dd78d5>] do_syscall_64+0x85/0x150 [<ffffffff81e0012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e ... This issue can be consistently reproduced on three different servers: * a 448-core server * a 256-core server * a 192-core server [Root Cause] Since multiple threads are created by the hackbench program (along with the command argument 'thread'), a shared vma might be accessed by two or more cores simultaneously. When two or more cores observe that vma->numab_state is NULL at the same time, vma->numab_state will be overwritten. Although current code ensures that only one thread scans the VMAs in a single 'numa_scan_period', there might be a chance for another thread to enter in the next 'numa_scan_period' while we have not gotten till numab_state allocation [1]. Note that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000` cannot the reproduce the issue. It is verified with 200+ test runs. [Solution] Use the cmpxchg atomic operation to ensure that only one thread executes the vma->numab_state assignment. [1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/ CVE-2024-56613 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix potential double remove of hotplug slot In commit 6ee600bfbe0f ("s390/pci: remove hotplug slot when releasing the device") the zpci_exit_slot() was moved from zpci_device_reserved() to zpci_release_device() with the intention of keeping the hotplug slot around until the device is actually removed. Now zpci_release_device() is only called once all references are dropped. Since the zPCI subsystem only drops its reference once the device is in the reserved state it follows that zpci_release_device() must only deal with devices in the reserved state. Despite that it contains code to tear down from both configured and standby state. For the standby case this already includes the removal of the hotplug slot so would cause a double removal if a device was ever removed in either configured or standby state. Instead of causing a potential double removal in a case that should never happen explicitly WARN_ON() if a device in non-reserved state is released and get rid of the dead code cases. CVE-2024-56699 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks. CVE-2024-56738 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:grub2-2.12-150600.8.37.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:grub2-arm64-efi-2.12-150600.8.37.1 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages() Fix an unwind issue in mlx5vf_add_migration_pages(). If a set of pages is allocated but fails to be added to the SG table, they need to be freed to prevent a memory leak. Any pages successfully added to the SG table will be freed as part of mlx5vf_free_data_buffer(). CVE-2024-56742 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo: fix initial map fill The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size. After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map. This makes pipapo find an incorrect matching results for sets where first field size is not the largest. Followup patch adds a test case to nft_concat_range.sh selftest script. Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough. CVE-2024-57947 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch. CVE-2024-57982 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix handling of received connection abort Fix the handling of a connection abort that we've received. Though the abort is at the connection level, it needs propagating to the calls on that connection. Whilst the propagation bit is performed, the calls aren't then woken up to go and process their termination, and as no further input is forthcoming, they just hang. Also add some tracing for the logging of connection aborts. CVE-2024-58053 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: sched/core: Prevent rescheduling when interrupts are disabled David reported a warning observed while loop testing kexec jump: Interrupts enabled after irqrouter_resume+0x0/0x50 WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220 kernel_kexec+0xf6/0x180 __do_sys_reboot+0x206/0x250 do_syscall_64+0x95/0x180 The corresponding interrupt flag trace: hardirqs last enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90 hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90 That means __up_console_sem() was invoked with interrupts enabled. Further instrumentation revealed that in the interrupt disabled section of kexec jump one of the syscore_suspend() callbacks woke up a task, which set the NEED_RESCHED flag. A later callback in the resume path invoked cond_resched() which in turn led to the invocation of the scheduler: __cond_resched+0x21/0x60 down_timeout+0x18/0x60 acpi_os_wait_semaphore+0x4c/0x80 acpi_ut_acquire_mutex+0x3d/0x100 acpi_ns_get_node+0x27/0x60 acpi_ns_evaluate+0x1cb/0x2d0 acpi_rs_set_srs_method_data+0x156/0x190 acpi_pci_link_set+0x11c/0x290 irqrouter_resume+0x54/0x60 syscore_resume+0x6a/0x200 kernel_kexec+0x145/0x1c0 __do_sys_reboot+0xeb/0x240 do_syscall_64+0x95/0x180 This is a long standing problem, which probably got more visible with the recent printk changes. Something does a task wakeup and the scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and invokes schedule() from a completely bogus context. The scheduler enables interrupts after context switching, which causes the above warning at the end. Quite some of the code paths in syscore_suspend()/resume() can result in triggering a wakeup with the exactly same consequences. They might not have done so yet, but as they share a lot of code with normal operations it's just a question of time. The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling models. Full preemption is not affected as cond_resched() is disabled and the preemption check preemptible() takes the interrupt disabled flag into account. Cure the problem by adding a corresponding check into cond_resched(). CVE-2024-58090 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test This fixes the tx timeout issue seen while running a stress test on btnxpuart for couple of hours, such that the interval between two HCI commands coincide with the power save timeout value of 2 seconds. Test procedure using bash script: <load btnxpuart.ko> hciconfig hci0 up //Enable Power Save feature hcitool -i hci0 cmd 3f 23 02 00 00 while (true) do hciconfig hci0 leadv sleep 2 hciconfig hci0 noleadv sleep 2 done Error log, after adding few more debug prints: Bluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00 Bluetooth: hci0: Set UART break: on, status=0 Bluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled Bluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00 Can't set advertise mode on hci0: Connection timed out (110) Bluetooth: hci0: command 0x200a tx timeout When the power save mechanism turns on UART break, and btnxpuart_tx_work() is scheduled simultaneously, psdata->ps_state is read as PS_STATE_AWAKE, which prevents the psdata->work from being scheduled, which is responsible to turn OFF UART break. This issue is fixed by adding a ps_lock mutex around UART break on/off as well as around ps_state read/write. btnxpuart_tx_wakeup() will now read updated ps_state value. If ps_state is PS_STATE_SLEEP, it will first schedule psdata->work, and then it will reschedule itself once UART break has been turned off and ps_state is PS_STATE_AWAKE. Tested above script for 50,000 iterations and TX timeout error was not observed anymore. CVE-2024-58238 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: stop recv() if initial process_rx_list gave us non-DATA If we have a non-DATA record on the rx_list and another record of the same type still on the queue, we will end up merging them: - process_rx_list copies the non-DATA record - we start the loop and process the first available record since it's of the same type - we break out of the loop since the record was not DATA Just check the record type and jump to the end in case process_rx_list did some work. CVE-2024-58239 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances. CVE-2024-6197 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 important libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. CVE-2024-7264 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. CVE-2024-8096 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. CVE-2024-9681 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. CVE-2025-0167 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolve. CVE-2025-0665 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. CVE-2025-0725 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. CVE-2025-10148 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration packets are passed to a shell without proper validation or escaping. Unsanitized NetBIOS name data from WINS registration packets are inserted into a shell command and executed by the Samba Active Directory Domain Controller's wins hook, allowing an unauthenticated network attacker to achieve remote command execution as the Samba process. CVE-2025-10230 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:samba-client-libs-4.19.8+git.435.78ced6cf30d-150600.3.21.1 critical In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid extent tree [BUG] Syzbot reported a crash with the following call trace: BTRFS info (device loop0): scrub: started on devid 1 BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs] scrub_simple_mirror+0x175/0x260 [btrfs] scrub_stripe+0x5d4/0x6c0 [btrfs] scrub_chunk+0xbb/0x170 [btrfs] scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs] btrfs_scrub_dev+0x240/0x600 [btrfs] btrfs_ioctl+0x1dc8/0x2fa0 [btrfs] ? do_sys_openat2+0xa5/0xf0 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [CAUSE] The reproducer is using a corrupted image where extent tree root is corrupted, thus forcing to use "rescue=all,ro" mount option to mount the image. Then it triggered a scrub, but since scrub relies on extent tree to find where the data/metadata extents are, scrub_find_fill_first_stripe() relies on an non-empty extent root. But unfortunately scrub_find_fill_first_stripe() doesn't really expect an NULL pointer for extent root, it use extent_root to grab fs_info and triggered a NULL pointer dereference. [FIX] Add an extra check for a valid extent root at the beginning of scrub_find_fill_first_stripe(). The new error path is introduced by 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots"), but that's pretty old, and later commit b979547513ff ("btrfs: scrub: introduce helper to find and fill sector info for a scrub_stripe") changed how we do scrub. So for kernels older than 6.6, the fix will need manual backport. CVE-2025-21658 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfrm: delete intermediate secpath entry in packet offload mode Packets handled by hardware have added secpath as a way to inform XFRM core code that this path was already handled. That secpath is not needed at all after policy is checked and it is removed later in the stack. However, in the case of IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward), that secpath is not removed and packets which already were handled are reentered to the driver TX path with xfrm_offload set. The following kernel panic is observed in mlx5 in such case: mlx5_core 0000:04:00.0 enp4s0f0np0: Link up mlx5_core 0000:04:00.1 enp4s0f1np1: Link up Initializing XFRM netlink socket IPsec XFRM device driver BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: Oops: 0010 [#1] PREEMPT SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffb87380003800 EFLAGS: 00010206 RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00 RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010 R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00 R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e FS: 0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0 Call Trace: <IRQ> ? show_regs+0x63/0x70 ? __die_body+0x20/0x60 ? __die+0x2b/0x40 ? page_fault_oops+0x15c/0x550 ? do_user_addr_fault+0x3ed/0x870 ? exc_page_fault+0x7f/0x190 ? asm_exc_page_fault+0x27/0x30 mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core] mlx5e_xmit+0x58e/0x1980 [mlx5_core] ? __fib_lookup+0x6a/0xb0 dev_hard_start_xmit+0x82/0x1d0 sch_direct_xmit+0xfe/0x390 __dev_queue_xmit+0x6d8/0xee0 ? __fib_lookup+0x6a/0xb0 ? internal_add_timer+0x48/0x70 ? mod_timer+0xe2/0x2b0 neigh_resolve_output+0x115/0x1b0 __neigh_update+0x26a/0xc50 neigh_update+0x14/0x20 arp_process+0x2cb/0x8e0 ? __napi_build_skb+0x5e/0x70 arp_rcv+0x11e/0x1c0 ? dev_gro_receive+0x574/0x820 __netif_receive_skb_list_core+0x1cf/0x1f0 netif_receive_skb_list_internal+0x183/0x2a0 napi_complete_done+0x76/0x1c0 mlx5e_napi_poll+0x234/0x7a0 [mlx5_core] __napi_poll+0x2d/0x1f0 net_rx_action+0x1a6/0x370 ? atomic_notifier_call_chain+0x3b/0x50 ? irq_int_handler+0x15/0x20 [mlx5_core] handle_softirqs+0xb9/0x2f0 ? handle_irq_event+0x44/0x60 irq_exit_rcu+0xdb/0x100 common_interrupt+0x98/0xc0 </IRQ> <TASK> asm_common_interrupt+0x27/0x40 RIP: 0010:pv_native_safe_halt+0xb/0x10 Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22 0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb 40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8 RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680 RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4 RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70 R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40 R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8 ? default_idle+0x9/0x20 arch_cpu_idle+0x9/0x10 default_idle_call+0x29/0xf0 do_idle+0x1f2/0x240 cpu_startup_entry+0x2c/0x30 rest_init+0xe7/0x100 start_kernel+0x76b/0xb90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0xc0/0x110 ? setup_ghcb+0xe/0x130 common_startup_64+0x13e/0x141 </TASK> Modules linked in: esp4_offload esp4 xfrm_interface xfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf ---truncated--- CVE-2025-21720 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the guest's DR6 value out of the core .vcpu_run() loop to fix a bug where KVM can load hardware with a stale vcpu->arch.dr6. When the guest accesses a DR and host userspace isn't debugging the guest, KVM disables DR interception and loads the guest's values into hardware on VM-Enter and saves them on VM-Exit. This allows the guest to access DRs at will, e.g. so that a sequence of DR accesses to configure a breakpoint only generates one VM-Exit. For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop. But for DR6, the guest's value doesn't need to be loaded into hardware for KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas VMX requires software to manually load the guest value, and so loading the guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done _inside_ the core run loop. Unfortunately, saving the guest values on VM-Exit is initiated by common x86, again outside of the core run loop. If the guest modifies DR6 (in hardware, when DR interception is disabled), and then the next VM-Exit is a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and clobber the guest's actual value. The bug shows up primarily with nested VMX because KVM handles the VMX preemption timer in the fastpath, and the window between hardware DR6 being modified (in guest context) and DR6 being read by guest software is orders of magnitude larger in a nested setup. E.g. in non-nested, the VMX preemption timer would need to fire precisely between #DB injection and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the window where hardware DR6 is "dirty" extends all the way from L1 writing DR6 to VMRESUME (in L1). L1's view: ========== <L1 disables DR interception> CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0 A: L1 Writes DR6 CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1 B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec D: L1 reads DR6, arch.dr6 = 0 CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0 CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0 L2 reads DR6, L1 disables DR interception CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216 CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0 CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0 L2 detects failure CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT L1 reads DR6 (confirms failure) CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0 L0's view: ========== L2 reads DR6, arch.dr6 = 0 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216 L2 => L1 nested VM-Exit CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216 CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23 CPU 23/KVM-5046 [001] d.... 3410. ---truncated--- CVE-2025-21839 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: sockmap, vsock: For connectible sockets allow only connected sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path. Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly: KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127] CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+ Workqueue: vsock-loopback vsock_loopback_work RIP: 0010:vsock_read_skb+0x4b/0x90 Call Trace: sk_psock_verdict_data_ready+0xa4/0x2e0 virtio_transport_recv_pkt+0x1ca8/0x2acc vsock_loopback_work+0x27d/0x3f0 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x35a/0x700 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AF_INET and AF_UNIX. CVE-2025-21854 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: efi: Don't map the entire mokvar table to determine its size Currently, when validating the mokvar table, we (re)map the entire table on each iteration of the loop, adding space as we discover new entries. If the table grows over a certain size, this fails due to limitations of early_memmap(), and we get a failure and traceback: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220 ... Call Trace: <TASK> ? __early_ioremap+0xef/0x220 ? __warn.cold+0x93/0xfa ? __early_ioremap+0xef/0x220 ? report_bug+0xff/0x140 ? early_fixup_exception+0x5d/0xb0 ? early_idt_handler_common+0x2f/0x3a ? __early_ioremap+0xef/0x220 ? efi_mokvar_table_init+0xce/0x1d0 ? setup_arch+0x864/0xc10 ? start_kernel+0x6b/0xa10 ? x86_64_start_reservations+0x24/0x30 ? x86_64_start_kernel+0xed/0xf0 ? common_startup_64+0x13e/0x141 </TASK> ---[ end trace 0000000000000000 ]--- mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187. Mapping the entire structure isn't actually necessary, as we don't ever need more than one entry header mapped at once. Changes efi_mokvar_table_init() to only map each entry header, not the entire table, when determining the table size. Since we're not mapping any data past the variable name, it also changes the code to enforce that each variable name is NUL terminated, rather than attempting to verify it in place. CVE-2025-21872 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ftrace: Avoid potential division by zero in function_stat_show() Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produce zero and skip stddev computation in that case. For now don't care about rec->counter * rec->counter overflow because rec->time * rec->time overflow will likely happen earlier. CVE-2025-21898 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix bad hist from corrupting named_triggers list The following commands causes a crash: ~# cd /sys/kernel/tracing/events/rcu/rcu_callback ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger bash: echo: write error: Invalid argument ~# echo 'hist:name=bad:keys=common_pid' > trigger Because the following occurs: event_trigger_write() { trigger_process_regex() { event_hist_trigger_parse() { data = event_trigger_alloc(..); event_trigger_register(.., data) { cmd_ops->reg(.., data, ..) [hist_register_trigger()] { data->ops->init() [event_hist_trigger_init()] { save_named_trigger(name, data) { list_add(&data->named_list, &named_triggers); } } } } ret = create_actions(); (return -EINVAL) if (ret) goto out_unreg; [..] ret = hist_trigger_enable(data, ...) { list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..] out_unreg: event_hist_unregister(.., data) { cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] { list_for_each_entry(iter, &file->triggers, list) { if (!hist_trigger_match(data, iter, named_data, false)) <- never matches continue; [..] test = iter; } if (test && test->ops->free) <<<-- test is NULL test->ops->free(test) [event_hist_trigger_free()] { [..] if (data->name) del_named_trigger(data) { list_del(&data->named_list); <<<<-- NEVER gets removed! } } } } [..] kfree(data); <<<-- frees item but it is still on list The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash. Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list. A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated. CVE-2025-21899 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization. CVE-2025-21920 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-21997 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Apply the link chain quirk on NEC isoc endpoints Two clearly different specimens of NEC uPD720200 (one with start/stop bug, one without) were seen to cause IOMMU faults after some Missed Service Errors. Faulting address is immediately after a transfer ring segment and patched dynamic debug messages revealed that the MSE was received when waiting for a TD near the end of that segment: [ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0 [ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000] [ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000] It gets even funnier if the next page is a ring segment accessible to the HC. Below, it reports MSE in segment at ff1e8000, plows through a zero-filled page at ff1e9000 and starts reporting events for TRBs in page at ff1ea000 every microframe, instead of jumping to seg ff1e6000. [ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0 [ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag. [ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31 [ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint [ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31 [ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 At some point completion events change from Isoch Buffer Overrun to Short Packet and the HC finally finds cycle bit mismatch in ff1ec000. [ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13 [ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13 [ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820 [ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2 It's possible that data from the isochronous device were written to random buffers of pending TDs on other endpoints (either IN or OUT), other devices or even other HCs in the same IOMMU domain. Lastly, an error from a different USB device on another HC. Was it caused by the above? I don't know, but it may have been. The disk was working without any other issues and generated PCIe traffic to starve the NEC of upstream BW and trigger those MSEs. The two HCs shared one x1 slot by means of a commercial "PCIe splitter" board. [ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd [ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s [ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00 [ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0 Fortunately, it appears that this ridiculous bug is avoided by setting the chain bit of Link TRBs on isochronous rings. Other ancient HCs are known which also expect the bit to be set and they ignore Link TRBs if it's not. Reportedly, 0.95 spec guaranteed that the bit is set. The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports tens of MSEs per second and runs into the bug within seconds. Chaining Link TRBs allows the same workload to run for many minutes, many times. No ne ---truncated--- CVE-2025-22022 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/ CVE-2025-22035 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If a scsi request is then sent we do: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend which sees the vs_tpg we just did a kfree on. 2. Tpg dir removal hang: This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir. 3. Tpg leak: This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs. Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first. CVE-2025-22083 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. As fork() fails, we'll cleanup the maple tree, and stumble over the dst VMA for which we neither performed any reservation nor copied any page tables. Consequently untrack_pfn() will see VM_PAT and try obtaining the PAT information from the page table -- which fails because the page table was not copied. The easiest fix would be to simply clear the VM_PAT flag of the dst VMA if track_pfn_copy() fails. However, the whole thing is about "simply" clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy() and performed a reservation, but copying the page tables fails, we'll simply clear the VM_PAT flag, not properly undoing the reservation ... which is also wrong. So let's fix it properly: set the VM_PAT flag only if the reservation succeeded (leaving it clear initially), and undo the reservation if anything goes wrong while copying the page tables: clearing the VM_PAT flag after undoing the reservation. Note that any copied page table entries will get zapped when the VMA will get removed later, after copy_page_range() succeeded; as VM_PAT is not set then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be happy. Note that leaving these page tables in place without a reservation is not a problem, as we are aborting fork(); this process will never run. A reproducer can trigger this usually at the first try: https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110 Modules linked in: ... CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:get_pat_info+0xf6/0x110 ... Call Trace: <TASK> ... untrack_pfn+0x52/0x110 unmap_single_vma+0xa6/0xe0 unmap_vmas+0x105/0x1f0 exit_mmap+0xf6/0x460 __mmput+0x4b/0x120 copy_process+0x1bf6/0x2aa0 kernel_clone+0xab/0x440 __do_sys_clone+0x66/0x90 do_syscall_64+0x95/0x180 Likely this case was missed in: d155df53f310 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed") ... and instead of undoing the reservation we simply cleared the VM_PAT flag. Keep the documentation of these functions in include/linux/pgtable.h, one place is more than sufficient -- we should clean that up for the other functions like track_pfn_remap/untrack_pfn separately. CVE-2025-22090 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge. In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br_ioctl_call() also re-acquires RTNL. In the race window, Thread B could acquire RTNL and try to remove the bridge device. Then, rtnl_unlock() by Thread B will release RTNL and wait for netdev_put() by Thread A. Thread A, however, must hold RTNL after the unlock in dev_ifsioc(), which may take long under RTNL pressure, resulting in the splat by Thread B. Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR) ---------------------- ---------------------- sock_ioctl sock_ioctl `- sock_do_ioctl `- br_ioctl_call `- dev_ioctl `- br_ioctl_stub |- rtnl_lock | |- dev_ifsioc ' ' |- dev = __dev_get_by_name(...) |- netdev_hold(dev, ...) . / |- rtnl_unlock ------. | | |- br_ioctl_call `---> |- rtnl_lock Race | | `- br_ioctl_stub |- br_del_bridge Window | | | |- dev = __dev_get_by_name(...) | | | May take long | `- br_dev_delete(dev, ...) | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...) | | | | `- rtnl_unlock \ | |- rtnl_lock <-' `- netdev_run_todo | |- ... `- netdev_run_todo | `- rtnl_unlock |- __rtnl_unlock | |- netdev_wait_allrefs_any |- netdev_put(dev, ...) <----------------' Wait refcnt decrement and log splat below To avoid blocking SIOCBRDELBR unnecessarily, let's not call dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF. In the dev_ioctl() path, we do the following: 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl() 2. Check CAP_NET_ADMIN in dev_ioctl() 3. Call dev_load() in dev_ioctl() 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc() 3. can be done by request_module() in br_ioctl_call(), so we move 1., 2., and 4. to br_ioctl_stub(). Note that 2. is also checked later in add_del_if(), but it's better performed before RTNL. SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since the pre-git era, and there seems to be no specific reason to process them there. [0]: unregister_netdevice: waiting for wpan3 to become free. Usage count = 2 ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline] netdev_hold include/linux/netdevice.h:4311 [inline] dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624 dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826 sock_do_ioctl+0x1ca/0x260 net/socket.c:1213 sock_ioctl+0x23a/0x6c0 net/socket.c:1318 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-22111 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here. CVE-2025-22113 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: goto right label 'out_mmap_sem' in ext4_setattr() Otherwise, if ext4_inode_attach_jinode() fails, a hung task will happen because filemap_invalidate_unlock() isn't called to unlock mapping->invalidate_lock. Like this: EXT4-fs error (device sda) in ext4_setattr:5557: Out of memory INFO: task fsstress:374 blocked for more than 122 seconds. Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:fsstress state:D stack:0 pid:374 tgid:374 ppid:373 task_flags:0x440140 flags:0x00000000 Call Trace: <TASK> __schedule+0x2c9/0x7f0 schedule+0x27/0xa0 schedule_preempt_disabled+0x15/0x30 rwsem_down_read_slowpath+0x278/0x4c0 down_read+0x59/0xb0 page_cache_ra_unbounded+0x65/0x1b0 filemap_get_pages+0x124/0x3e0 filemap_read+0x114/0x3d0 vfs_read+0x297/0x360 ksys_read+0x6c/0xe0 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-22120 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: vlan: don't propagate flags on open With the device instance lock, there is now a possibility of a deadlock: [ 1.211455] ============================================ [ 1.211571] WARNING: possible recursive locking detected [ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted [ 1.211823] -------------------------------------------- [ 1.211936] ip/184 is trying to acquire lock: [ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0 [ 1.212207] [ 1.212207] but task is already holding lock: [ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 [ 1.212487] [ 1.212487] other info that might help us debug this: [ 1.212626] Possible unsafe locking scenario: [ 1.212626] [ 1.212751] CPU0 [ 1.212815] ---- [ 1.212871] lock(&dev->lock); [ 1.212944] lock(&dev->lock); [ 1.213016] [ 1.213016] *** DEADLOCK *** [ 1.213016] [ 1.213143] May be due to missing lock nesting notation [ 1.213143] [ 1.213294] 3 locks held by ip/184: [ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0 [ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0 [ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0 [ 1.213895] [ 1.213895] stack backtrace: [ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 [ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [ 1.213994] Call Trace: [ 1.213995] <TASK> [ 1.213996] dump_stack_lvl+0x8e/0xd0 [ 1.214000] print_deadlock_bug+0x28b/0x2a0 [ 1.214020] lock_acquire+0xea/0x2a0 [ 1.214027] __mutex_lock+0xbf/0xd40 [ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI [ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev [ 1.214042] __dev_open+0x145/0x270 [ 1.214046] __dev_change_flags+0xb0/0x1e0 [ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev [ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info [ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0 [ 1.214058] notifier_call_chain+0x78/0x120 [ 1.214062] netif_open+0x6d/0x90 [ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0 [ 1.214066] bond_enslave+0x64c/0x1230 [ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0 [ 1.214077] do_setlink+0x516/0x13b0 [ 1.214094] rtnl_newlink+0xaba/0xb80 [ 1.214132] rtnetlink_rcv_msg+0x440/0x490 [ 1.214144] netlink_rcv_skb+0xeb/0x120 [ 1.214150] netlink_unicast+0x1f9/0x320 [ 1.214153] netlink_sendmsg+0x346/0x3f0 [ 1.214157] __sock_sendmsg+0x86/0xb0 [ 1.214160] ____sys_sendmsg+0x1c8/0x220 [ 1.214164] ___sys_sendmsg+0x28f/0x2d0 [ 1.214179] __x64_sys_sendmsg+0xef/0x140 [ 1.214184] do_syscall_64+0xec/0x1d0 [ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 1.214191] RIP: 0033:0x7f2d1b4a7e56 Device setup: netdevsim0 (down) ^ ^ bond netdevsim1.100@netdevsim1 allmulticast=on (down) When we enslave the lower device (netdevsim0) which has a vlan, we propagate vlan's allmuti/promisc flags during ndo_open. This causes (re)locking on of the real_dev. Propagate allmulti/promisc on flags change, not on the open. There is a slight semantics change that vlans that are down now propagate the flags, but this seems unlikely to result in the real issues. Reproducer: echo 0 1 > /sys/bus/netdevsim/new_device dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*) dev=$(echo $dev_path | rev | cut -d/ -f1 | rev) ip link set dev $dev name netdevsim0 ip link set dev netdevsim0 up ip link add link netdevsim0 name netdevsim0.100 type vlan id 100 ip link set dev netdevsim0.100 allm ---truncated--- CVE-2025-23163 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. CVE-2025-27221 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libruby2_5-2_5-2.5.9-150000.4.49.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:ruby2.5-2.5.9-150000.4.49.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:ruby2.5-stdlib-2.5.9-150000.4.49.1 moderate A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. CVE-2025-32988 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libgnutls30-3.8.3-150600.4.9.1 important A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly. CVE-2025-32989 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libgnutls30-3.8.3-150600.4.9.1 moderate A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system. CVE-2025-32990 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libgnutls30-3.8.3-150600.4.9.1 moderate A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. CVE-2025-3576 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:krb5-1.20.1-150600.11.14.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:krb5-client-1.20.1-150600.11.14.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: ignore xattrs past end Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry. This fixes the following KASAN reported issue: ================================================================== BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 Read of size 4 at addr ffff888012c120c4 by task repro/2065 CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x1fd/0x300 ? tcp_gro_dev_warn+0x260/0x260 ? _printk+0xc0/0x100 ? read_lock_is_recursive+0x10/0x10 ? irq_work_queue+0x72/0xf0 ? __virt_addr_valid+0x17b/0x4b0 print_address_description+0x78/0x390 print_report+0x107/0x1f0 ? __virt_addr_valid+0x17b/0x4b0 ? __virt_addr_valid+0x3ff/0x4b0 ? __phys_addr+0xb5/0x160 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 kasan_report+0xcc/0x100 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ? ext4_xattr_delete_inode+0xd30/0xd30 ? __ext4_journal_ensure_credits+0x5f0/0x5f0 ? __ext4_journal_ensure_credits+0x2b/0x5f0 ? inode_update_timestamps+0x410/0x410 ext4_xattr_delete_inode+0xb64/0xd30 ? ext4_truncate+0xb70/0xdc0 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20 ? __ext4_mark_inode_dirty+0x670/0x670 ? ext4_journal_check_start+0x16f/0x240 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0 ext4_evict_inode+0xc8c/0xff0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 ? do_raw_spin_unlock+0x53/0x8a0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 evict+0x4ac/0x950 ? proc_nr_inodes+0x310/0x310 ? trace_ext4_drop_inode+0xa2/0x220 ? _raw_spin_unlock+0x1a/0x30 ? iput+0x4cb/0x7e0 do_unlinkat+0x495/0x7c0 ? try_break_deleg+0x120/0x120 ? 0xffffffff81000000 ? __check_object_size+0x15a/0x210 ? strncpy_from_user+0x13e/0x250 ? getname_flags+0x1dc/0x530 __x64_sys_unlinkat+0xc8/0xf0 do_syscall_64+0x65/0x110 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x434ffd Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8 RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107 RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001 </TASK> The buggy address belongs to the object at ffff888012c12000 which belongs to the cache filp of size 360 The buggy address is located 196 bytes inside of freed 360-byte region [ffff888012c12000, ffff888012c12168) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x40(head|node=0|zone=0) page_type: f5(slab) raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888012c12180: fc fc fc fc fc fc fc fc fc ---truncated--- CVE-2025-37738 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid memory leak while enabling statistics Driver uses monitor destination rings for extended statistics mode and standalone monitor mode. In extended statistics mode, TLVs are parsed from the buffer received from the monitor destination ring and assigned to the ppdu_info structure to update per-packet statistics. In standalone monitor mode, along with per-packet statistics, the packet data (payload) is captured, and the driver updates per MSDU to mac80211. When the AP interface is enabled, only extended statistics mode is activated. As part of enabling monitor rings for collecting statistics, the driver subscribes to HAL_RX_MPDU_START TLV in the filter configuration. This TLV is received from the monitor destination ring, and kzalloc for the mon_mpdu object occurs, which is not freed, leading to a memory leak. The kzalloc for the mon_mpdu object is only required while enabling the standalone monitor interface. This causes a memory leak while enabling extended statistics mode in the driver. Fix this memory leak by removing the kzalloc for the mon_mpdu object in the HAL_RX_MPDU_START TLV handling. Additionally, remove the standalone monitor mode handlings in the HAL_MON_BUF_ADDR and HAL_RX_MSDU_END TLVs. These TLV tags will be handled properly when enabling standalone monitor mode in the future. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 CVE-2025-37743 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the warning in the strp, but that's just the easiest bug to trigger: WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 Call Trace: <TASK> tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 sock_recvmsg_nosec net/socket.c:1023 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1045 __sys_recvfrom+0x202/0x380 net/socket.c:2237 CVE-2025-37756 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded, tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to memory leak and failure when a skb is allocated. This commit fixes this issue by purging the skb list before tipc_link_xmit() returns. CVE-2025-37757 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: free routing table on probe failure If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path. After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequent function may fail. If that happens, the entire tree setup is in limbo: the first N-1 switches have successfully finished probing (doing nothing but having allocated persistent memory in the tree's dst->ports, and maybe dst->rtable), and switch N failed to probe, ending the tree setup process before anything is tangible from the user's PoV. If switch N fails to probe, its memory (ports) will be freed and removed from dst->ports. However, the dst->rtable elements pointing to its ports, as created by dsa_link_touch(), will remain there, and will lead to use-after-free if dereferenced. If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely possible because that is where ds->ops->setup() is, we get a kasan report like this: ================================================================== BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568 Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42 Call trace: __asan_report_load8_noabort+0x20/0x30 mv88e6xxx_setup_upstream_port+0x240/0x568 mv88e6xxx_setup+0xebc/0x1eb0 dsa_register_switch+0x1af4/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 Allocated by task 42: __kasan_kmalloc+0x84/0xa0 __kmalloc_cache_noprof+0x298/0x490 dsa_switch_touch_ports+0x174/0x3d8 dsa_register_switch+0x800/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 Freed by task 42: __kasan_slab_free+0x48/0x68 kfree+0x138/0x418 dsa_register_switch+0x2694/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 The simplest way to fix the bug is to delete the routing table in its entirety. dsa_tree_setup_routing_table() has no problem in regenerating it even if we deleted links between ports other than those of switch N, because dsa_link_touch() first checks whether the port pair already exists in dst->rtable, allocating if not. The deletion of the routing table in its entirety already exists in dsa_tree_teardown(), so refactor that into a function that can also be called from the tree setup error path. In my analysis of the commit to blame, it is the one which added dsa_link elements to dst->rtable. Prior to that, each switch had its own ds->rtable which is freed when the switch fails to probe. But the tree is potentially persistent memory. CVE-2025-37786 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue(). CVE-2025-37798 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential NULL pointer dereference in dev_uevent() If userspace reads "uevent" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it. Use WRITE_ONCE() when setting the driver pointer to ensure there is no tearing. CVE-2025-37800 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi: spi-imx: Add check for spi_imx_setupxfer() Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: 0x0 spi_imx_pio_transfer+0x50/0xd8 spi_imx_transfer_one+0x18c/0x858 spi_transfer_one_message+0x43c/0x790 __spi_pump_transfer_message+0x238/0x5d4 __spi_sync+0x2b0/0x454 spi_write_then_read+0x11c/0x200 CVE-2025-37801 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: harden block_group::bg_list against list_del() races As far as I can tell, these calls of list_del_init() on bg_list cannot run concurrently with btrfs_mark_bg_unused() or btrfs_mark_bg_to_reclaim(), as they are in transaction error paths and situations where the block group is readonly. However, if there is any chance at all of racing with mark_bg_unused(), or a different future user of bg_list, better to be safe than sorry. Otherwise we risk the following interleaving (bg_list refcount in parens) T1 (some random op) T2 (btrfs_mark_bg_unused) !list_empty(&bg->bg_list); (1) list_del_init(&bg->bg_list); (1) list_move_tail (1) btrfs_put_block_group (0) btrfs_delete_unused_bgs bg = list_first_entry list_del_init(&bg->bg_list); btrfs_put_block_group(bg); (-1) Ultimately, this results in a broken ref count that hits zero one deref early and the real final deref underflows the refcount, resulting in a WARNING. CVE-2025-37856 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: page_pool: avoid infinite loop to schedule delayed worker We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes negative, it means we should not expect the whole page_pool to get back to work normally. This patch mitigates the adverse effect by not rescheduling the kworker when detecting the inflight negative in page_pool_release_retry(). [1] [Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ [Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages ... [Mon Feb 10 20:36:11 2025] Call Trace: [Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 [Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 [Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 [Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 [Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 [Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 [Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 [Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- Note: before this patch, the above calltrace would flood the dmesg due to repeated reschedule of release_dw kworker. CVE-2025-37859 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: clean up FDB, MDB, VLAN entries on unbind As explained in many places such as commit b117e1e8a86d ("net: dsa: delete dsa_legacy_fdb_add and dsa_legacy_fdb_del"), DSA is written given the assumption that higher layers have balanced additions/deletions. As such, it only makes sense to be extremely vocal when those assumptions are violated and the driver unbinds with entries still present. But Ido Schimmel points out a very simple situation where that is wrong: https://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/ (also briefly discussed by me in the aforementioned commit). Basically, while the bridge bypass operations are not something that DSA explicitly documents, and for the majority of DSA drivers this API simply causes them to go to promiscuous mode, that isn't the case for all drivers. Some have the necessary requirements for bridge bypass operations to do something useful - see dsa_switch_supports_uc_filtering(). Although in tools/testing/selftests/net/forwarding/local_termination.sh, we made an effort to popularize better mechanisms to manage address filters on DSA interfaces from user space - namely macvlan for unicast, and setsockopt(IP_ADD_MEMBERSHIP) - through mtools - for multicast, the fact is that 'bridge fdb add ... self static local' also exists as kernel UAPI, and might be useful to someone, even if only for a quick hack. It seems counter-productive to block that path by implementing shim .ndo_fdb_add and .ndo_fdb_del operations which just return -EOPNOTSUPP in order to prevent the ndo_dflt_fdb_add() and ndo_dflt_fdb_del() from running, although we could do that. Accepting that cleanup is necessary seems to be the only option. Especially since we appear to be coming back at this from a different angle as well. Russell King is noticing that the WARN_ON() triggers even for VLANs: https://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/ What happens in the bug report above is that dsa_port_do_vlan_del() fails, then the VLAN entry lingers on, and then we warn on unbind and leak it. This is not a straight revert of the blamed commit, but we now add an informational print to the kernel log (to still have a way to see that bugs exist), and some extra comments gathered from past years' experience, to justify the logic. CVE-2025-37864 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ngbe: fix memory leak in ngbe_probe() error path When ngbe_sw_init() is called, memory is allocated for wx->rss_key in wx_init_rss_key(). However, in ngbe_probe() function, the subsequent error paths after ngbe_sw_init() don't free the rss_key. Fix that by freeing it in error path along with wx->mac_table. Also change the label to which execution jumps when ngbe_sw_init() fails, because otherwise, it could lead to a double free for rss_key, when the mac_table allocation fails in wx_sw_init(). CVE-2025-37874 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Fix the following deadlock: CPU A _free_event() perf_kprobe_destroy() mutex_lock(&event_mutex) perf_trace_event_unreg() synchronize_rcu_tasks_trace() There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case. CPU B bpf_prog_test_run_syscall() rcu_read_lock_trace() bpf_prog_run_pin_on_cpu() bpf_prog_load() bpf_tracing_func_proto() trace_set_clr_event() mutex_lock(&event_mutex) Delegate trace_set_clr_event() to workqueue to avoid such lock dependency. CVE-2025-37884 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reset IRTE to host control if *new* route isn't postable Restore an IRTE back to host control (remapped or posted MSI mode) if the *new* GSI route prevents posting the IRQ directly to a vCPU, regardless of the GSI routing type. Updating the IRTE if and only if the new GSI is an MSI results in KVM leaving an IRTE posting to a vCPU. The dangling IRTE can result in interrupts being incorrectly delivered to the guest, and in the worst case scenario can result in use-after-free, e.g. if the VM is torn down, but the underlying host IRQ isn't freed. CVE-2025-37885 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak CVE-2025-37909 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Use spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock and spin_unlock in mtk_star_emac driver to avoid spinlock recursion occurrence that can happen when enabling the DMA interrupts again in rx/tx poll. ``` BUG: spinlock recursion on CPU#0, swapper/0/0 lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0, .owner_cpu: 0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT Hardware name: MediaTek MT8365 Open Platform EVK (DT) Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x60/0x80 dump_stack+0x18/0x24 spin_dump+0x78/0x88 do_raw_spin_lock+0x11c/0x120 _raw_spin_lock+0x20/0x2c mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac] __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x4c/0xb0 handle_fasteoi_irq+0xa0/0x1bc handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x120 do_interrupt_handler+0x50/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 regmap_mmio_read32le+0xc/0x20 (P) _regmap_bus_reg_read+0x6c/0xac _regmap_read+0x60/0xdc regmap_read+0x4c/0x80 mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac] __napi_poll+0x38/0x188 net_rx_action+0x164/0x2c0 handle_softirqs+0x100/0x244 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x20 call_on_irq_stack+0x24/0x64 do_softirq_own_stack+0x1c/0x40 __irq_exit_rcu+0xd4/0x10c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 cpuidle_enter_state+0xac/0x320 (P) cpuidle_enter+0x38/0x50 do_idle+0x1e4/0x260 cpu_startup_entry+0x34/0x3c rest_init+0xdc/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ``` CVE-2025-37917 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: xsk: Fix race condition in AF_XDP generic RX path Move rx_lock from xsk_socket to xsk_buff_pool. Fix synchronization for shared umem mode in generic RX path where multiple sockets share single xsk_buff_pool. RX queue is exclusive to xsk_socket, while FILL queue can be shared between multiple sockets. This could result in race condition where two CPU cores access RX path of two different sockets sharing the same umem. Protect both queues by acquiring spinlock in shared xsk_buff_pool. Lock contention may be minimized in the future by some per-thread FQ buffering. It's safe and necessary to move spin_lock_bh(rx_lock) after xsk_rcv_check(): * xs->pool and spinlock_init is synchronized by xsk_bind() -> xsk_is_bound() memory barriers. * xsk_rcv_check() may return true at the moment of xsk_release() or xsk_unbind_dev(), however this will not cause any data races or race conditions. xsk_unbind_dev() removes xdp socket from all maps and waits for completion of all outstanding rx operations. Packets in RX path will either complete safely or drop. CVE-2025-37920 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: vnifilter: Fix unlocked deletion of default FDB entry When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB entry associated with the default remote (assuming one was configured) is deleted without holding the hash lock. This is wrong and will result in a warning [1] being generated by the lockdep annotation that was added by commit ebe642067455 ("vxlan: Create wrappers for FDB lookup"). Reproducer: # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1 # bridge vni add vni 10010 remote 198.51.100.1 dev vx0 # bridge vni del vni 10010 dev vx0 Fix by acquiring the hash lock before the deletion and releasing it afterwards. Blame the original commit that introduced the issue rather than the one that exposed it. [1] WARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0 [...] RIP: 0010:vxlan_find_mac+0x17f/0x1a0 [...] Call Trace: <TASK> __vxlan_fdb_delete+0xbe/0x560 vxlan_vni_delete_group+0x2ba/0x940 vxlan_vni_del.isra.0+0x15f/0x580 vxlan_process_vni_filter+0x38b/0x7b0 vxlan_vnifilter_process+0x3bb/0x510 rtnetlink_rcv_msg+0x2f7/0xb70 netlink_rcv_skb+0x131/0x360 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 __sys_sendmsg+0x121/0x1b0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CVE-2025-37921 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace_seq_to_buffer() syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260 CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106 trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 .... ================================================================== It has been reported that trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf. Therefore, to prevent this, we should use the smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument. CVE-2025-37923 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid There is a string parsing logic error which can lead to an overflow of hid or uid buffers. Comparing ACPIID_LEN against a total string length doesn't take into account the lengths of individual hid and uid buffers so the check is insufficient in some cases. For example if the length of hid string is 4 and the length of the uid string is 260, the length of str will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer which size is 256. The same applies to the hid string with length 13 and uid string with length 250. Check the length of hid and uid strings separately to prevent buffer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-37927 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix host hang issue during device reboot When the host loses heartbeat messages from the device, the driver calls the device-specific ndo_stop function, which frees the resources. If the driver is unloaded in this scenario, it calls ndo_stop again, attempting to free resources that have already been freed, leading to a host hang issue. To resolve this, dev_close should be called instead of the device-specific stop function.dev_close internally calls ndo_stop to stop the network interface and performs additional cleanup tasks. During the driver unload process, if the device is already down, ndo_stop is not called. CVE-2025-37933 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. When generating the MSR_IA32_PEBS_ENABLE value that will be loaded on VM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE value. Consulting only the host kernel's host vs. guest masks results in running the guest with PEBS enabled even when the guest doesn't want to use PEBS. Because KVM uses perf events to proxy the guest virtual PMU, simply looking at exclude_host can't differentiate between events created by host userspace, and events created by KVM on behalf of the guest. Running the guest with PEBS unexpectedly enabled typically manifests as crashes due to a near-infinite stream of #PFs. E.g. if the guest hasn't written MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when trying to record PEBS events. The issue is most easily reproduced by running `perf kvm top` from before commit 7b100989b4f6 ("perf evlist: Remove __evlist__add_default") (after which, `perf kvm top` effectively stopped using PEBS). The userspace side of perf creates a guest-only PEBS event, which intel_guest_get_msrs() misconstrues a guest-*owned* PEBS event. Arguably, this is a userspace bug, as enabling PEBS on guest-only events simply cannot work, and userspace can kill VMs in many other ways (there is no danger to the host). However, even if this is considered to be bad userspace behavior, there's zero downside to perf/KVM restricting PEBS to guest-owned events. Note, commit 854250329c02 ("KVM: x86/pmu: Disable guest PEBS temporarily in two rare situations") fixed the case where host userspace is profiling KVM *and* userspace, but missed the case where userspace is profiling only KVM. CVE-2025-37936 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tracing: Verify event formats that have "%*p.." The trace event verifier checks the formats of trace events to make sure that they do not point at memory that is not in the trace event itself or in data that will never be freed. If an event references data that was allocated when the event triggered and that same data is freed before the event is read, then the kernel can crash by reading freed memory. The verifier runs at boot up (or module load) and scans the print formats of the events and checks their arguments to make sure that dereferenced pointers are safe. If the format uses "%*p.." the verifier will ignore it, and that could be dangerous. Cover this case as well. Also add to the sample code a use case of "%*pbl". CVE-2025-37938 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY DSA has 2 kinds of drivers: 1. Those who call dsa_switch_suspend() and dsa_switch_resume() from their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz 2. Those who don't: all others. The above methods should be optional. For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(), and dsa_switch_resume() calls dsa_user_resume() -> phylink_start(). These seem good candidates for setting mac_managed_pm = true because that is essentially its definition [1], but that does not seem to be the biggest problem for now, and is not what this change focuses on. Talking strictly about the 2nd category of DSA drivers here (which do not have MAC managed PM, meaning that for their attached PHYs, mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full), I have noticed that the following warning from mdio_bus_phy_resume() is triggered: WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY && phydev->state != PHY_UP); because the PHY state machine is running. It's running as a result of a previous dsa_user_open() -> ... -> phylink_start() -> phy_start() having been initiated by the user. The previous mdio_bus_phy_suspend() was supposed to have called phy_stop_machine(), but it didn't. So this is why the PHY is in state PHY_NOLINK by the time mdio_bus_phy_resume() runs. mdio_bus_phy_suspend() did not call phy_stop_machine() because for phylink, the phydev->adjust_link function pointer is NULL. This seems a technicality introduced by commit fddd91016d16 ("phylib: fix PAL state machine restart on resume"). That commit was written before phylink existed, and was intended to avoid crashing with consumer drivers which don't use the PHY state machine - phylink always does, when using a PHY. But phylink itself has historically not been developed with suspend/resume in mind, and apparently not tested too much in that scenario, allowing this bug to exist unnoticed for so long. Plus, prior to the WARN_ON(), it would have likely been invisible. This issue is not in fact restricted to type 2 DSA drivers (according to the above ad-hoc classification), but can be extrapolated to any MAC driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where the issue was reported. Assuming mac_managed_pm is set correctly, a quick search indicates the following other drivers might be affected: $ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm drivers/net/ethernet/atheros/ag71xx.c drivers/net/ethernet/microchip/sparx5/sparx5_main.c drivers/net/ethernet/microchip/lan966x/lan966x_main.c drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c drivers/net/ethernet/freescale/dpaa/dpaa_eth.c drivers/net/ethernet/freescale/ucc_geth.c drivers/net/ethernet/freescale/enetc/enetc_pf_common.c drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c drivers/net/ethernet/marvell/mvneta.c drivers/net/ethernet/marvell/prestera/prestera_main.c drivers/net/ethernet/mediatek/mtk_eth_soc.c drivers/net/ethernet/altera/altera_tse_main.c drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c drivers/net/ethernet/meta/fbnic/fbnic_phylink.c drivers/net/ethernet/tehuti/tn40_phy.c drivers/net/ethernet/mscc/ocelot_net.c Make the existing conditions dependent on the PHY device having a phydev->phy_link_change() implementation equal to the default phy_link_change() provided by phylib. Otherwise, we implicitly know that the phydev has the phylink-provided phylink_phy_change() callback, and when phylink is used, the PHY state machine always needs to be stopped/ started on the suspend/resume path. The code is structured as such that if phydev->phy_link_change() is absent, it is a matter of time until the kernel will crash - no need to further complicate the test. Thus, for the situation where the PM is not managed b ---truncated--- CVE-2025-37945 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs With commit bcb5d6c76903 ("s390/pci: introduce lock to synchronize state of zpci_dev's") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a doubple put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put(). CVE-2025-37946 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipvs: fix uninit-value for saddr in do_output_route4 syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 ("ipvs: do not use random local source address for tunnels") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr. [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147 do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147 __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118 ip_local_out net/ipv4/ip_output.c:127 [inline] ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x267/0x380 net/socket.c:727 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Uninit was created at: slab_post_alloc_hook mm/slub.c:4167 [inline] slab_alloc_node mm/slub.c:4210 [inline] __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367 kmalloc_noprof include/linux/slab.h:905 [inline] ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline] __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118 ip_local_out net/ipv4/ip_output.c:127 [inline] ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x267/0x380 net/socket.c:727 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369 entry_SYSENTER_compat_after_hwframe+0x84/0x8e CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef) Hardware name: Google Google Compute Engi ---truncated--- CVE-2025-37961 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: light: opt3001: fix deadlock due to concurrent flag access The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages. CVE-2025-37968 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Currently during the multi-link element defragmentation process, the multi-link element length added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211_defrag_mle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer. To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset. CVE-2025-37973 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa implementation's ->key_size() callback returns an unusually large value. Herbert instead suggests (for a division by 8): X / 8 + !!(X & 7) Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and use it in lieu of DIV_ROUND_UP() for ->key_size() return values. Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes" parameter is a ->key_size() return value in some instances, or a user-specified ASN.1 length in the case of ecdsa_get_signature_rs(). CVE-2025-37984 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent possible adminq overflow/stuck condition The pds_core's adminq is protected by the adminq_lock, which prevents more than 1 command to be posted onto it at any one time. This makes it so the client drivers cannot simultaneously post adminq commands. However, the completions happen in a different context, which means multiple adminq commands can be posted sequentially and all waiting on completion. On the FW side, the backing adminq request queue is only 16 entries long and the retry mechanism and/or overflow/stuck prevention is lacking. This can cause the adminq to get stuck, so commands are no longer processed and completions are no longer sent by the FW. As an initial fix, prevent more than 16 outstanding adminq commands so there's no way to cause the adminq from getting stuck. This works because the backing adminq request queue will never have more than 16 pending adminq commands, so it will never overflow. This is done by reducing the adminq depth to 16. CVE-2025-37987 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines. CVE-2025-37992 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix NULL pointer access This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal. CVE-2025-37994 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe. CVE-2025-37995 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts. CVE-2025-37997 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed. CVE-2025-37998 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free. This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek. CVE-2025-38000 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u CVE-2025-38001 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read protection for procfs content When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF). As the removal of bcm_op's is already implemented with rcu handling this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection. CVE-2025-38003 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh. At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too. CVE-2025-38004 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma: Add missing locking Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled: [ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [ 4.144867] Hardware name: pp-v12 (DT) [ 4.148648] Workqueue: events udma_check_tx_completion [ 4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.160834] pc : udma_start.isra.0+0x34/0x238 [ 4.165227] lr : udma_start.isra.0+0x30/0x238 [ 4.169618] sp : ffffffc083cabcf0 [ 4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [ 4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [ 4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [ 4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [ 4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [ 4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [ 4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [ 4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [ 4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [ 4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [ 4.244986] Call trace: [ 4.247463] udma_start.isra.0+0x34/0x238 [ 4.251509] udma_check_tx_completion+0xd0/0xdc [ 4.256076] process_one_work+0x244/0x3fc [ 4.260129] process_scheduled_works+0x6c/0x74 [ 4.264610] worker_thread+0x150/0x1dc [ 4.268398] kthread+0xd8/0xe8 [ 4.271492] ret_from_fork+0x10/0x20 [ 4.275107] irq event stamp: 220 [ 4.278363] hardirqs last enabled at (219): [<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [ 4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [ 4.294879] softirqs last enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [ 4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [ 4.311559] ---[ end trace 0000000000000000 ]--- This commit adds the missing locking. CVE-2025-38005 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: mctp: Don't access ifa_index when missing In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but only when the struct ifaddrmsg is provided. Otherwise it will be comparing to uninitialised memory - reproducible in the syzkaller case from dhcpd, or busybox "ip addr show". The kernel MCTP implementation has always filtered by ifa_index, so existing userspace programs expecting to dump MCTP addresses must already be passing a valid ifa_index value (either 0 or a real index). BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824 netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309 CVE-2025-38006 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. CVE-2025-38007 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: disable napi on driver removal A warning on driver removal started occurring after commit 9dd05df8403b ("net: warn if NAPI instance wasn't shut down"). Disable tx napi before deleting it in mt76_dma_cleanup(). WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100 CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy) Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 RIP: 0010:__netif_napi_del_locked+0xf0/0x100 Call Trace: <TASK> mt76_dma_cleanup+0x54/0x2f0 [mt76] mt7921_pci_remove+0xd5/0x190 [mt7921e] pci_device_remove+0x47/0xc0 device_release_driver_internal+0x19e/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x6d/0xf0 pci_unregister_driver+0x2e/0xb0 __do_sys_delete_module.isra.0+0x197/0x2e0 do_syscall_64+0x7b/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way. Found by Linux Verification Center (linuxtesting.org). CVE-2025-38009 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as: [ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763103] Call trace: [ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 [ 237.763110] phy_power_off+0x48/0x100 [ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 [ 237.763119] tegra_xusb_suspend+0x48/0x140 [ 237.763122] platform_pm_suspend+0x2c/0xb0 [ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 [ 237.763127] __device_suspend+0x118/0x330 [ 237.763129] dpm_suspend+0x10c/0x1f0 [ 237.763130] dpm_suspend_start+0x88/0xb0 [ 237.763132] suspend_devices_and_enter+0x120/0x500 [ 237.763135] pm_suspend+0x1ec/0x270 The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count. To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually. With this change: - The bias pad is powered on only when the mask is clear. - Each UTMI pad is powered on or down based on its corresponding bit in the mask, preventing redundant operations. - The overall power state of the shared bias pad is maintained correctly during suspend/resume cycles. The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask. CVE-2025-38010 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: csa unmap use uninterruptible lock After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace. Change to use uninterruptible wait lock fix the issue. WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] Call Trace: <TASK> drm_file_free.part.0+0x1da/0x230 [drm] drm_close_helper.isra.0+0x65/0x70 [drm] drm_release+0x6a/0x120 [drm] amdgpu_drm_release+0x51/0x60 [amdgpu] __fput+0x9f/0x280 ____fput+0xe/0x20 task_work_run+0x67/0xa0 do_exit+0x217/0x3c0 do_group_exit+0x3b/0xb0 get_signal+0x14a/0x8d0 arch_do_signal_or_restart+0xde/0x100 exit_to_user_mode_loop+0xc1/0x1a0 exit_to_user_mode_prepare+0xf4/0x100 syscall_exit_to_user_mode+0x17/0x40 do_syscall_64+0x69/0xc0 (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab) CVE-2025-38011 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller: UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]') This was missed in the initial conversions because I failed to locate the allocation likely due to the "sizeof(void *)" not matching the "channels" array type. CVE-2025-38013 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, enginces and wqs. CVE-2025-38014 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix memory leak in error handling path of idxd_alloc Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error. CVE-2025-38015 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full_len. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 Call trace: tls_strp_check_rcv+0x128/0x27c tls_strp_data_ready+0x34/0x44 tls_data_ready+0x3c/0x1f0 tcp_data_ready+0x9c/0xe4 tcp_data_queue+0xf6c/0x12d0 tcp_rcv_established+0x52c/0x798 CVE-2025-38018 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set. Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features(). Kernel log: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? __mutex_lock+0x128/0x1dd0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mutex_lock_io_nested+0x1ae0/0x1ae0 ? lock_acquire+0x1c2/0x530 ? macsec_upd_offload+0x145/0x380 ? lockdep_hardirqs_on_prepare+0x400/0x400 ? kasan_save_stack+0x30/0x40 ? kasan_save_stack+0x20/0x40 ? kasan_save_track+0x10/0x30 ? __kasan_kmalloc+0x77/0x90 ? __kmalloc_noprof+0x249/0x6b0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core] macsec_update_offload+0x26c/0x820 ? macsec_set_mac_address+0x4b0/0x4b0 ? lockdep_hardirqs_on_prepare+0x284/0x400 ? _raw_spin_unlock_irqrestore+0x47/0x50 macsec_upd_offload+0x2c8/0x380 ? macsec_update_offload+0x820/0x820 ? __nla_parse+0x22/0x30 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240 genl_family_rcv_msg_doit+0x1cc/0x2a0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240 ? cap_capable+0xd4/0x330 genl_rcv_msg+0x3ea/0x670 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? macsec_update_offload+0x820/0x820 netlink_rcv_skb+0x12b/0x390 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? netlink_ack+0xd80/0xd80 ? rwsem_down_read_slowpath+0xf90/0xf90 ? netlink_deliver_tap+0xcd/0xac0 ? netlink_deliver_tap+0x155/0xac0 ? _copy_from_iter+0x1bb/0x12c0 genl_rcv+0x24/0x40 netlink_unicast+0x440/0x700 ? netlink_attachskb+0x760/0x760 ? lock_acquire+0x1c2/0x530 ? __might_fault+0xbb/0x170 netlink_sendmsg+0x749/0xc10 ? netlink_unicast+0x700/0x700 ? __might_fault+0xbb/0x170 ? netlink_unicast+0x700/0x700 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x53f/0x760 ? import_iovec+0x7/0x10 ? kernel_sendmsg+0x30/0x30 ? __copy_msghdr+0x3c0/0x3c0 ? filter_irq_stacks+0x90/0x90 ? stack_depot_save_flags+0x28/0xa30 ___sys_sen ---truncated--- CVE-2025-38020 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 strlen+0x93/0xa0 lib/string.c:420 __fortify_strlen include/linux/fortify-string.h:268 [inline] get_kobj_path_length lib/kobject.c:118 [inline] kobject_get_path+0x3f/0x2a0 lib/kobject.c:158 kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545 ib_register_device drivers/infiniband/core/device.c:1472 [inline] ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796 rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmsg+0x16d/0x220 net/socket.c:2652 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f This problem is similar to the problem that the commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name") fixes. The root cause is: the function ib_device_rename() renames the name with lock. But in the function kobject_uevent(), this name is accessed without lock protection at the same time. The solution is to add the lock protection when this name is accessed in the function kobject_uevent(). CVE-2025-38022 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfs: handle failure of nfs_get_lock_context in unlock path When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace: <TASK> __rpc_execute+0xbc/0x480 rpc_async_schedule+0x2f/0x40 process_one_work+0x232/0x5d0 worker_thread+0x1da/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x240 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]--- Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference. CVE-2025-38023 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x610 mm/kasan/report.c:489 kasan_report+0xb5/0xe0 mm/kasan/report.c:602 rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 vfs_write fs/read_write.c:677 [inline] vfs_write+0x26a/0xcc0 fs/read_write.c:659 ksys_write+0x1b8/0x200 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur. The solution is to let rxe_cleanup do all the work. CVE-2025-38024 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument. of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches(). struct devm_of_regulator_matches is populated with the stack allocated matches array. If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries: max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called. Followed by a stack trace matching the call flow described above. Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope. This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match. CVE-2025-38027 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30 CVE-2025-38031 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert(). Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref. To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable Perform some writeback operations. Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130 Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88 RSP: 0018:ffffce44820077a0 EFLAGS: 00010286 RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010 R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000 R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540 FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> prelim_ref_insert+0x1c1/0x270 find_parent_nodes+0x12a6/0x1ee0 ? __entry_text_end+0x101f06/0x101f09 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 btrfs_is_data_extent_shared+0x167/0x640 ? fiemap_process_hole+0xd0/0x2c0 extent_fiemap+0xa5c/0xbc0 ? __entry_text_end+0x101f05/0x101f09 btrfs_fiemap+0x7e/0xd0 do_vfs_ioctl+0x425/0x9d0 __x64_sys_ioctl+0x75/0xc0 CVE-2025-38034 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: don't restore null sk_state_change queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if the TCP connection isn't established when nvmet_tcp_set_queue_sock() is called then queue->state_change isn't set and sock->sk->sk_state_change isn't replaced. As such we don't need to restore sock->sk->sk_state_change if queue->state_change is NULL. This avoids NULL pointer dereferences such as this: [ 286.462026][ C0] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 286.462814][ C0] #PF: supervisor instruction fetch in kernel mode [ 286.463796][ C0] #PF: error_code(0x0010) - not-present page [ 286.464392][ C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0 [ 286.465086][ C0] Oops: Oops: 0010 [#1] SMP KASAN PTI [ 286.465559][ C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary) [ 286.466393][ C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 286.467147][ C0] RIP: 0010:0x0 [ 286.467420][ C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [ 286.467977][ C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246 [ 286.468425][ C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43 [ 286.469019][ C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100 [ 286.469545][ C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c [ 286.470072][ C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3 [ 286.470585][ C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268 [ 286.471070][ C0] FS: 00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000 [ 286.471644][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 286.472543][ C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0 [ 286.473500][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 286.474467][ C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 [ 286.475453][ C0] Call Trace: [ 286.476102][ C0] <IRQ> [ 286.476719][ C0] tcp_fin+0x2bb/0x440 [ 286.477429][ C0] tcp_data_queue+0x190f/0x4e60 [ 286.478174][ C0] ? __build_skb_around+0x234/0x330 [ 286.478940][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.479659][ C0] ? __pfx_tcp_data_queue+0x10/0x10 [ 286.480431][ C0] ? tcp_try_undo_loss+0x640/0x6c0 [ 286.481196][ C0] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [ 286.482046][ C0] ? kvm_clock_get_cycles+0x14/0x30 [ 286.482769][ C0] ? ktime_get+0x66/0x150 [ 286.483433][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.484146][ C0] tcp_rcv_established+0x6e4/0x2050 [ 286.484857][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.485523][ C0] ? ipv4_dst_check+0x160/0x2b0 [ 286.486203][ C0] ? __pfx_tcp_rcv_established+0x10/0x10 [ 286.486917][ C0] ? lock_release+0x217/0x2c0 [ 286.487595][ C0] tcp_v4_do_rcv+0x4d6/0x9b0 [ 286.488279][ C0] tcp_v4_rcv+0x2af8/0x3e30 [ 286.488904][ C0] ? raw_local_deliver+0x51b/0xad0 [ 286.489551][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.490198][ C0] ? __pfx_tcp_v4_rcv+0x10/0x10 [ 286.490813][ C0] ? __pfx_raw_local_deliver+0x10/0x10 [ 286.491487][ C0] ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack] [ 286.492275][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.492900][ C0] ip_protocol_deliver_rcu+0x8f/0x370 [ 286.493579][ C0] ip_local_deliver_finish+0x297/0x420 [ 286.494268][ C0] ip_local_deliver+0x168/0x430 [ 286.494867][ C0] ? __pfx_ip_local_deliver+0x10/0x10 [ 286.495498][ C0] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 286.496204][ C0] ? ip_rcv_finish_core+0x19a/0x1f20 [ 286.496806][ C0] ? lock_release+0x217/0x2c0 [ 286.497414][ C0] ip_rcv+0x455/0x6e0 [ 286.497945][ C0] ? __pfx_ip_rcv+0x10/0x10 [ ---truncated--- CVE-2025-38035 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs The following splat has been observed on a SAMA5D27 platform using atmel_serial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x44/0x70 dump_stack_lvl from __might_resched+0x38c/0x598 __might_resched from disable_irq+0x1c/0x48 disable_irq from mctrl_gpio_disable_ms+0x74/0xc0 mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4 atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8 atmel_set_termios from uart_change_line_settings+0x15c/0x994 uart_change_line_settings from uart_set_termios+0x2b0/0x668 uart_set_termios from tty_set_termios+0x600/0x8ec tty_set_termios from ttyport_set_flow_control+0x188/0x1e0 ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc] wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth] hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth] hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth] hci_power_on [bluetooth] from process_one_work+0x998/0x1a38 process_one_work from worker_thread+0x6e0/0xfb4 worker_thread from kthread+0x3d4/0x484 kthread from ret_from_fork+0x14/0x28 This warning is emitted when trying to toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly. The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock). Split mctrl_gpio_disable_ms into two differents APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock. CVE-2025-38040 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Set dma_mask for ffa devices Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning: WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124 CVE-2025-38043 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: cx231xx: set device_caps for 417 The video_device for the MPEG encoder did not set device_caps. Add this, otherwise the video device can't be registered (you get a WARN_ON instead). Not seen before since currently 417 support is disabled, but I found this while experimenting with it. CVE-2025-38044 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix debug actions order The order of actions taken for debug was implemented incorrectly. Now we implemented the dump split and do the FW reset only in the middle of the dump (rather than the FW killing itself on error.) As a result, some of the actions taken when applying the config will now crash the device, so we need to fix the order. CVE-2025-38045 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------- ---truncated--- CVE-2025-38051 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840 Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25 Call Trace: kasan_report+0xd9/0x110 mm/kasan/report.c:601 tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840 crypto_request_complete include/crypto/algapi.h:266 aead_request_complete include/crypto/internal/aead.h:85 cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772 crypto_request_complete include/crypto/algapi.h:266 cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 Allocated by task 8355: kzalloc_noprof include/linux/slab.h:778 tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466 tipc_init_net+0x2dd/0x430 net/tipc/core.c:72 ops_init+0xb9/0x650 net/core/net_namespace.c:139 setup_net+0x435/0xb40 net/core/net_namespace.c:343 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228 ksys_unshare+0x419/0x970 kernel/fork.c:3323 __do_sys_unshare kernel/fork.c:3394 Freed by task 63: kfree+0x12a/0x3b0 mm/slub.c:4557 tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539 tipc_exit_net+0x8c/0x110 net/tipc/core.c:119 ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done may still visit it in cryptd_queue_worker workqueue. I reproduce this issue by: ip netns add ns1 ip link add veth1 type veth peer name veth2 ip link set veth1 netns ns1 ip netns exec ns1 tipc bearer enable media eth dev veth1 ip netns exec ns1 tipc node set key this_is_a_master_key master ip netns exec ns1 tipc bearer disable media eth dev veth1 ip netns del ns1 The key of reproduction is that, simd_aead_encrypt is interrupted, leading to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is triggered, and the tipc_crypto tx will be visited. tipc_disc_timeout tipc_bearer_xmit_skb tipc_crypto_xmit tipc_aead_encrypt crypto_aead_encrypt // encrypt() simd_aead_encrypt // crypto_simd_usable() is false child = &ctx->cryptd_tfm->base; simd_aead_encrypt crypto_aead_encrypt // encrypt() cryptd_aead_encrypt_enqueue cryptd_aead_enqueue cryptd_enqueue_request // trigger cryptd_queue_worker queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work) Fix this by holding net reference count before encrypt. CVE-2025-38052 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: fix null-ptr-deref in idpf_features_check idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL. To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path. BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x154/0x520 ? exc_page_fault+0x76/0x190 ? asm_exc_page_fault+0x26/0x30 ? idpf_features_check+0x6d/0xe0 [idpf] netif_skb_features+0x88/0x310 validate_xmit_skb+0x2a/0x2b0 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x19d/0x3a0 __dev_queue_xmit+0xb74/0xe70 ... CVE-2025-38053 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: espintcp: fix skb leaks A few error paths are missing a kfree_skb. CVE-2025-38057 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput(). Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with. CVE-2025-38058 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid csum tree [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace: BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs] scrub_simple_mirror+0x175/0x290 [btrfs] scrub_stripe+0x5f7/0x6f0 [btrfs] scrub_chunk+0x9a/0x150 [btrfs] scrub_enumerate_chunks+0x333/0x660 [btrfs] btrfs_scrub_dev+0x23e/0x600 [btrfs] btrfs_ioctl+0x1dcf/0x2f80 [btrfs] __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e [CAUSE] Mount option "rescue=idatacsums" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification. Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all. This results in scrub to call btrfs_search_slot() on a NULL pointer and triggered above crash. [FIX] Check both extent and csum tree root before doing any tree search. CVE-2025-38059 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: copy_verifier_state() should copy 'loop_entry' field The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state. Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack(). See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix. This change has some verification performance impact for selftests: File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) ---------------------------------- ---------------------------- --------- --------- -------------- ---------- ---------- ------------- arena_htab.bpf.o arena_htab_llvm 717 426 -291 (-40.59%) 57 37 -20 (-35.09%) arena_htab_asm.bpf.o arena_htab_asm 597 445 -152 (-25.46%) 47 37 -10 (-21.28%) arena_list.bpf.o arena_list_del 309 279 -30 (-9.71%) 23 14 -9 (-39.13%) iters.bpf.o iter_subprog_check_stacksafe 155 141 -14 (-9.03%) 15 14 -1 (-6.67%) iters.bpf.o iter_subprog_iters 1094 1003 -91 (-8.32%) 88 83 -5 (-5.68%) iters.bpf.o loop_state_deps2 479 725 +246 (+51.36%) 46 63 +17 (+36.96%) kmem_cache_iter.bpf.o open_coded_iter 63 59 -4 (-6.35%) 7 6 -1 (-14.29%) verifier_bits_iter.bpf.o max_words 92 84 -8 (-8.70%) 8 7 -1 (-12.50%) verifier_iterating_callbacks.bpf.o cond_break2 113 107 -6 (-5.31%) 12 12 +0 (+0.00%) And significant negative impact for sched_ext: File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) ----------------- ---------------------- --------- --------- -------------------- ---------- ---------- ------------------ bpf.bpf.o lavd_init 7039 14723 +7684 (+109.16%) 490 1139 +649 (+132.45%) bpf.bpf.o layered_dispatch 11485 10548 -937 (-8.16%) 848 762 -86 (-10.14%) bpf.bpf.o layered_dump 7422 1000001 +992579 (+13373.47%) 681 31178 +30497 (+4478.27%) bpf.bpf.o layered_enqueue 16854 71127 +54273 (+322.02%) 1611 6450 +4839 (+300.37%) bpf.bpf.o p2dq_dispatch 665 791 +126 (+18.95%) 68 78 +10 (+14.71%) bpf.bpf.o p2dq_init 2343 2980 +637 (+27.19%) 201 237 +36 (+17.91%) bpf.bpf.o refresh_layer_cpumasks 16487 674760 +658273 (+3992.68%) 1770 65370 +63600 (+3593.22%) bpf.bpf.o rusty_select_cpu 1937 40872 +38935 (+2010.07%) 177 3210 +3033 (+1713.56%) scx_central.bpf.o central_dispatch 636 2687 +2051 (+322.48%) 63 227 +164 (+260.32%) scx_nest.bpf.o nest_init 636 815 +179 (+28.14%) 60 73 +13 (+21.67%) scx_qmap.bpf.o qmap_dispatch ---truncated--- CVE-2025-38060 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). CVE-2025-38061 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie The IOMMU translation for MSI message addresses has been a 2-step process, separated in time: 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated. 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a translated message address. This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached. Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the "container" after starting up. However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()). This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs. Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor. The other UAF related to iommu_get_domain_for_dev() will be addressed in patch "iommu: Make iommu_dma_prepare_msi() into a generic operation" by using the IOMMU group mutex. CVE-2025-38062 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait(). An example from v5.4, similar problem also exists in upstream: crash> bt 2091206 PID: 2091206 TASK: ffff2050df92a300 CPU: 109 COMMAND: "kworker/u260:0" #0 [ffff800084a2f7f0] __switch_to at ffff80004008aeb8 #1 [ffff800084a2f820] __schedule at ffff800040bfa0c4 #2 [ffff800084a2f880] schedule at ffff800040bfa4b4 #3 [ffff800084a2f8a0] io_schedule at ffff800040bfa9c4 #4 [ffff800084a2f8c0] rq_qos_wait at ffff8000405925bc #5 [ffff800084a2f940] wbt_wait at ffff8000405bb3a0 #6 [ffff800084a2f9a0] __rq_qos_throttle at ffff800040592254 #7 [ffff800084a2f9c0] blk_mq_make_request at ffff80004057cf38 #8 [ffff800084a2fa60] generic_make_request at ffff800040570138 #9 [ffff800084a2fae0] submit_bio at ffff8000405703b4 #10 [ffff800084a2fb50] xlog_write_iclog at ffff800001280834 [xfs] #11 [ffff800084a2fbb0] xlog_sync at ffff800001280c3c [xfs] #12 [ffff800084a2fbf0] xlog_state_release_iclog at ffff800001280df4 [xfs] #13 [ffff800084a2fc10] xlog_write at ffff80000128203c [xfs] #14 [ffff800084a2fcd0] xlog_cil_push at ffff8000012846dc [xfs] #15 [ffff800084a2fda0] xlog_cil_push_work at ffff800001284a2c [xfs] #16 [ffff800084a2fdb0] process_one_work at ffff800040111d08 #17 [ffff800084a2fe00] worker_thread at ffff8000401121cc #18 [ffff800084a2fe70] kthread at ffff800040118de4 After commit 2def2845cc33 ("xfs: don't allow log IO to be throttled"), the metadata submitted by xlog_write_iclog() should not be throttled. But due to the existence of the dm layer, throttling flush_bio indirectly causes the metadata bio to be throttled. Fix this by conditionally adding REQ_IDLE to flush_bio.bi_opf, which makes wbt_should_throttle() return false to avoid wbt_wait(). CVE-2025-38063 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: virtio: break and reset virtio devices on device_shutdown() Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang. Invalid read at addr 0x102877002, size 2, region '(null)', reason: rejected Invalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected ... It was traced down to virtio-console. Kexec works fine if virtio-console is not in use. The issue is that virtio-console continues to write to the MMIO even after underlying virtio-pci device is reset. Additionally, Eric noticed that IOMMUs are reset before devices, if devices are not reset on shutdown they continue to poke at guest memory and get errors from the IOMMU. Some devices get wedged then. The problem can be solved by breaking all virtio devices on virtio bus shutdown, then resetting them. CVE-2025-38064 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems. CVE-2025-38065 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: crypto: lzo - Fix compression buffer overrun Unlike the decompression code, the compression code in LZO never checked for output overruns. It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller. Add a safe compression interface that checks for the end of buffer before each write. Use the safe interface in crypto/lzo. CVE-2025-38068 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver: Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm] Code and flow: 1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver): drivers/cxl/pmem.c: .config_size = mds->lsa_size, 3) max_xfer is set to zero (nvdimm driver): drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size); 4) A subsequent DIV_ROUND_UP() causes a division by zero: drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c- config_size); Fix this by checking the config size parameter by extending an existing check. CVE-2025-38072 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace. The control queue path has the same issue. CVE-2025-38074 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod] call_timer_fn+0x58/0x1f0 run_timer_softirq+0x740/0x860 __do_softirq+0x16c/0x420 irq_exit+0x188/0x1c0 timer_interrupt+0x184/0x410 That is because nopin response timer may be re-started on nopin timer expiration. Stop nopin timer before stopping the nopin response timer to be sure that no one of them will be re-started. CVE-2025-38075 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow. Add a check for an empty string. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-38077 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation. CVE-2025-38078 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. CVE-2025-38079 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient. CVE-2025-38080 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. CVE-2025-38081 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. CVE-2025-38083 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into the hugetlb unshare logic from __split_vma() in the same place where THP splitting also happens. At that point, both the VMA and the rmap(s) are write-locked. An annoying detail is that we can now call into the helper hugetlb_unshare_pmds() from two different locking contexts: 1. from hugetlb_split(), holding: - mmap lock (exclusively) - VMA lock - file rmap lock (exclusively) 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to call us with only the mmap lock held (in shared mode), but currently only runs while holding mmap lock (exclusively) and VMA lock Backporting note: This commit fixes a racy protection that was introduced in commit b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that commit claimed to fix an issue introduced in 5.13, but it should actually also go all the way back. [jannh@google.com: v2] CVE-2025-38084 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse. CVE-2025-38085 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: fix use-after-free in taprio_dev_notifier Since taprio's taprio_dev_notifier() isn't protected by an RCU read-side critical section, a race with advance_sched() can lead to a use-after-free. Adding rcu_read_lock() inside taprio_dev_notifier() prevents this. CVE-2025-38087 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap memtrace mmap issue has an out of bounds issue. This patch fixes the by checking that the requested mapping region size should stay within the allocated region size. CVE-2025-38088 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error tianshuo han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there. If it's the first time the thread has processed an RPC, then that pointer will be set to NULL and the kernel will crash. In other cases, it could create a memory scribble. The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531 says that if authentication fails that the RPC should be rejected instead with a status of AUTH_ERR. Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This sidesteps the whole problem of touching the rpc_accept_statp pointer in this situation and avoids the crash. CVE-2025-38089 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace. CVE-2025-38090 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high as well. Because jiffies are never updated, as we are in a context with interrupts disabled, we never exit that loop and have a deadlock. That deadlock was noticed on a sama5d4 device that stayed locked for days. Use retries instead of jiffies so that the timeout really works and we do not have a deadlock anymore. CVE-2025-38094 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dma-buf: insert memory barrier before updating num_fences smp_store_mb() inserts memory barrier after storing operation. It is different with what the comment is originally aiming so Null pointer dereference can be happened if memory update is reordered. CVE-2025-38095 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: espintcp: remove encap socket caching to avoid reference leak The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns. The reference chain is: xfrm_state -> enacp_sk -> netns Since the encap socket is a userspace socket, it holds a reference on the netns. If we delete the espintcp state (through flush or individual delete) before removing the netns, the reference on the socket is dropped and the netns is correctly deleted. Otherwise, the netns may not be reachable anymore (if all processes within the ns have terminated), so we cannot delete the xfrm state to drop its reference on the socket. This patch results in a small (~2% in my tests) performance regression. A GC-type mechanism could be added for the socket cache, to clear references if the state hasn't been used "recently", but it's a lot more complex than just not caching the socket. CVE-2025-38097 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector. While dereferencing aconnector->base will "work" it's wrong and might lead to unknown bad things. Just... don't. CVE-2025-38098 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. CVE-2025-38099 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference. There are two issues, which lead to that problem: 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task, which is cleaned up, is not the current task. That's a clear indicator for a cleanup after a failed fork(). 2) A task should not have TIF_IO_BITMAP set and neither a bitmap installed nor IOPL emulation level 3 activated. This happens when a kernel thread is created in the context of a user space thread, which has TIF_IO_BITMAP set as the thread flags are copied and the IO bitmap pointer is cleared. Other than in the failed fork() case this has no impact because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap(). Cure this by adding the missing cleanups and checks: 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if the to be cleaned up task is not the current task. 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share(). For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state. CVE-2025-38100 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace: <TASK> follow_huge_pmd+0x240/0x8e0 follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0 follow_pud_mask.constprop.0.isra.0+0x14a/0x170 follow_page_mask+0x1c2/0x1f0 __get_user_pages+0x176/0x950 __gup_longterm_locked+0x15b/0x1060 ? gup_fast+0x120/0x1f0 gup_fast_fallback+0x17e/0x230 get_user_pages_fast+0x5f/0x80 vmci_host_unlocked_ioctl+0x21c/0xf80 RIP: 0033:0x54d2cd ---[ end trace 0000000000000000 ]--- Digging into the source, context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follow: cpu0 cpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd // update &context->notify_page vmci_host_do_set_notify vmci_ctx_unset_notify notify_page = context->notify_page; if (notify_page) put_page(notify_page); // page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here To slove this, use local variable page to make notify_page can be seen after finish get_user_pages_fast. CVE-2025-38102 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors. CVE-2025-38103 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too. CVE-2025-38105 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. CVE-2025-38107 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. CVE-2025-38108 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed. ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports. kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]--- CVE-2025-38109 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation. CVE-2025-38110 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation. CVE-2025-38111 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net: Fix TOCTOU issue in sk_is_readable() sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL. This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference. Ensure the function pointer does not turn NULL after the check. CVE-2025-38112 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Fix NULL pointer dereference when nosmp is used With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic. Panic backtrace: [ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [ 0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4 ... Kernel panic - not syncing: Attempted to kill init! [ rjw: New subject ] CVE-2025-38113 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop. Fix sfq_drop() to properly clear q->tail in this situation. ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100 ip netns exec lb netserver netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & CVE-2025-38115 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmt_pending list with its own lock This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like: ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318 CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xa8/0x254 mm/kasan/report.c:408 print_report+0x68/0x84 mm/kasan/report.c:521 kasan_report+0xb0/0x110 mm/kasan/report.c:634 __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379 hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223 pending_find net/bluetooth/mgmt.c:947 [inline] remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445 hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] sock_write_iter+0x25c/0x378 net/socket.c:1131 new_sync_write fs/read_write.c:591 [inline] vfs_write+0x62c/0x97c fs/read_write.c:684 ksys_write+0x120/0x210 fs/read_write.c:736 __do_sys_write fs/read_write.c:747 [inline] __se_sys_write fs/read_write.c:744 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:744 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 7037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198 sk_alloc+0x44/0x3ac net/core/sock.c:2254 bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148 hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202 bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132 __sock_create+0x43c/0x91c net/socket.c:1541 sock_create net/socket.c:1599 [inline] __sys_socket_create net/socket.c:1636 [inline] __sys_socket+0xd4/0x1c0 net/socket.c:1683 __do_sys_socket net/socket.c:1697 [inline] __se_sys_socket net/socket.c:1695 [inline] __arm64_sys_socket+0x7c/0x94 net/socket.c:1695 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Freed by task 6607: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline ---truncated--- CVE-2025-38117 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341 CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 5987: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252 mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279 remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 sock_write_iter+0x258/0x330 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x548/0xa90 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5989: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x18e/0x440 mm/slub.c:4841 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242 mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 __sys_bind_socket net/socket.c:1810 [inline] __sys_bind+0x2c3/0x3e0 net/socket.c:1841 __do_sys_bind net/socket.c:1846 [inline] __se_sys_bind net/socket.c:1844 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1844 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-38118 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: core: ufs: Fix a hang in the error handler ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before. Backtrace: __switch_to+0x174/0x338 __schedule+0x600/0x9e4 schedule+0x7c/0xe8 schedule_timeout+0xa4/0x1c8 io_schedule_timeout+0x48/0x70 wait_for_common_io+0xa8/0x160 //waiting on START_STOP wait_for_completion_io_timeout+0x10/0x20 blk_execute_rq+0xe4/0x1e4 scsi_execute_cmd+0x108/0x244 ufshcd_set_dev_pwr_mode+0xe8/0x250 __ufshcd_wl_resume+0x94/0x354 ufshcd_wl_runtime_resume+0x3c/0x174 scsi_runtime_resume+0x64/0xa4 rpm_resume+0x15c/0xa1c __pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing ufshcd_err_handler+0x1a0/0xd08 process_one_work+0x174/0x808 worker_thread+0x15c/0x490 kthread+0xf4/0x1ec ret_from_fork+0x10/0x20 [ bvanassche: rewrote patch description ] CVE-2025-38119 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer. Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails. This improves robustness in low-memory scenarios. CVE-2025-38122 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Fix napi rx poll issue When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic. BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:dev_gro_receive+0x3a/0x620 [...] Call Trace: <IRQ> ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x4f/0xa0 ? asm_exc_page_fault+0x22/0x30 ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)] ? dev_gro_receive+0x3a/0x620 napi_gro_receive+0xad/0x170 t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)] t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)] net_rx_action+0x103/0x470 irq_exit_rcu+0x13a/0x310 sysvec_apic_timer_interrupt+0x56/0x90 </IRQ> CVE-2025-38123 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: fix udp gso skb_segment after pull from frag_list Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after pull from frag_list") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust. If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants. In extreme cases they pull one part of data into skb linear. For UDP, this causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes. The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment. skb_segment+0xcd0/0xd14 __udp_gso_segment+0x334/0x5f4 udp4_ufo_fragment+0x118/0x15c inet_gso_segment+0x164/0x338 skb_mac_gso_segment+0xc4/0x13c __skb_gso_segment+0xc4/0x124 validate_xmit_skb+0x9c/0x2c0 validate_xmit_skb_list+0x4c/0x80 sch_direct_xmit+0x70/0x404 __dev_queue_xmit+0x64c/0xe5c neigh_resolve_output+0x178/0x1c4 ip_finish_output2+0x37c/0x47c __ip_finish_output+0x194/0x240 ip_finish_output+0x20/0xf4 ip_output+0x100/0x1a0 NF_HOOK+0xc4/0x16c ip_forward+0x314/0x32c ip_rcv+0x90/0x118 __netif_receive_skb+0x74/0x124 process_backlog+0xe8/0x1a4 __napi_poll+0x5c/0x1f8 net_rx_action+0x154/0x314 handle_softirqs+0x154/0x4b8 [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278! [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000 [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000 [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO) [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14 [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14 [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770 CVE-2025-38124 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring EST If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error code. CVE-2025-38125 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0: Division by zero in kernel. CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 Hardware name: STM32 (Device Tree Support) Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x6c/0x8c dump_stack_lvl from Ldiv0_64+0x8/0x18 Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c stmmac_hw_setup from __stmmac_open+0x18c/0x434 __stmmac_open from stmmac_open+0x3c/0xbc stmmac_open from __dev_open+0xf4/0x1ac __dev_open from __dev_change_flags+0x1cc/0x224 __dev_change_flags from dev_change_flags+0x24/0x60 dev_change_flags from ip_auto_config+0x2e8/0x11a0 ip_auto_config from do_one_initcall+0x84/0x33c do_one_initcall from kernel_init_freeable+0x1b8/0x214 kernel_init_freeable from kernel_init+0x24/0x140 kernel_init from ret_from_fork+0x14/0x28 Exception stack(0xe0815fb0 to 0xe0815ff8) Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate CVE-2025-38126 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix Tx scheduler error handling in XDP callback When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation. The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace: [ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 [ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI [ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) [ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice] [...] [ +0.002715] Call Trace: [ +0.002452] <IRQ> [ +0.002021] ? __die_body.cold+0x19/0x29 [ +0.003922] ? die_addr+0x3c/0x60 [ +0.003319] ? exc_general_protection+0x17c/0x400 [ +0.004707] ? asm_exc_general_protection+0x26/0x30 [ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice] [ +0.004835] ice_napi_poll+0x665/0x680 [ice] [ +0.004320] __napi_poll+0x28/0x190 [ +0.003500] net_rx_action+0x198/0x360 [ +0.003752] ? update_rq_clock+0x39/0x220 [ +0.004013] handle_softirqs+0xf1/0x340 [ +0.003840] ? sched_clock_cpu+0xf/0x1f0 [ +0.003925] __irq_exit_rcu+0xc2/0xe0 [ +0.003665] common_interrupt+0x85/0xa0 [ +0.003839] </IRQ> [ +0.002098] <TASK> [ +0.002106] asm_common_interrupt+0x26/0x40 [ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690 Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure. CVE-2025-38127 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix use-after-free in page_pool_recycle_in_ring syzbot reported a uaf in page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943 CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline] _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline] page_pool_recycle_in_ring net/core/page_pool.c:707 [inline] page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline] page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline] napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 skb_pp_recycle net/core/skbuff.c:1047 [inline] skb_free_head net/core/skbuff.c:1094 [inline] skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1263 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline] root cause is: page_pool_recycle_in_ring ptr_ring_produce spin_lock(&r->producer_lock); WRITE_ONCE(r->queue[r->producer++], ptr) //recycle last page to pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page //release all page __page_pool_destroy free_percpu(pool->recycle_stats); free(pool) //free spin_unlock(&r->producer_lock); //pool->ring uaf read recycle_stat_inc(pool, ring); page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled. recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning. CVE-2025-38129 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate active config while enabling the config While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario: CPU0 CPU1 (sysfs enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() unload module // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config To address this, use cscfg_config_desc's active_cnt as a reference count which will be holded when - activate the config. - enable the activated config. and put the module reference when config_active_cnt == 0. CVE-2025-38131 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: coresight: holding cscfg_csdev_lock while removing cscfg from csdev There'll be possible race scenario for coresight config: CPU0 CPU1 (perf enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() <iterating config_csdev_list> cscfg_remove_owned_csdev_configs() // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) iterating config_csdev_list could be raced with config_csdev_list's entry delete. To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs() CVE-2025-38132 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: Fix potential null-ptr-deref in mlb_usio_probe() devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue. CVE-2025-38135 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Reorder clock handling and power management in probe Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks. Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows: usbhs_probe() usbhs_sys_clock_ctrl() usbhs_bset() usbhs_write() iowrite16() <-- Register access before enabling clocks Since `iowrite16()` is performed without ensuring the required clocks are enabled, this can lead to access errors. To fix this, enable PM runtime early in the probe function and ensure clocks are acquired before register access, preventing crashes like the following on RZ/V2H: [13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP [13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 [13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 [13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) [13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] [13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] [13.321138] sp : ffff8000827e3850 [13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 [13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 [13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 [13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff [13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce [13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000 [13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 [13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c [13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 [13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 [13.395574] Call trace: [13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P) [13.403076] platform_probe+0x68/0xdc [13.406738] really_probe+0xbc/0x2c0 [13.410306] __driver_probe_device+0x78/0x120 [13.414653] driver_probe_device+0x3c/0x154 [13.418825] __driver_attach+0x90/0x1a0 [13.422647] bus_for_each_dev+0x7c/0xe0 [13.426470] driver_attach+0x24/0x30 [13.430032] bus_add_driver+0xe4/0x208 [13.433766] driver_register+0x68/0x130 [13.437587] __platform_driver_register+0x24/0x30 [13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] [13.448450] do_one_initcall+0x60/0x1d4 [13.452276] do_init_module+0x54/0x1f8 [13.456014] load_module+0x1754/0x1c98 [13.459750] init_module_from_file+0x88/0xcc [13.464004] __arm64_sys_finit_module+0x1c4/0x328 [13.468689] invoke_syscall+0x48/0x104 [13.472426] el0_svc_common.constprop.0+0xc0/0xe0 [13.477113] do_el0_svc+0x1c/0x28 [13.480415] el0_svc+0x30/0xcc [13.483460] el0t_64_sync_handler+0x10c/0x138 [13.487800] el0t_64_sync+0x198/0x19c [13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) [13.497522] ---[ end trace 0000000000000000 ]--- CVE-2025-38136 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: Add NULL check in udma_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, udma_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. CVE-2025-38138 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (asus-ec-sensors) check sensor index in read_string() Prevent a potential invalid memory access when the requested sensor is not found. find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info(). Add a proper check to return -EINVAL if sensor_index is negative. Found by Linux Verification Center (linuxtesting.org) with SVACE. [groeck: Return error code returned from find_ec_sensor_index] CVE-2025-38142 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: backlight: pm8941: Add NULL check in wled_configure() devm_kasprintf() returns NULL when memory allocation fails. Currently, wled_configure() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. CVE-2025-38143 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. [arj: Fix Fixes: tag to use subject from 3772e5da4454] CVE-2025-38145 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix the dead loop of MPLS parse The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally. stack backtrace: UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 index -1 is out of range for type '__be32 [3]' CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 Call Trace: <IRQ> show_stack+0x52/0x5c dump_stack_lvl+0x4a/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x36 __ubsan_handle_out_of_bounds.cold+0x44/0x49 key_extract_l3l4+0x82a/0x840 [openvswitch] ? kfree_skbmem+0x52/0xa0 key_extract+0x9c/0x2b0 [openvswitch] ovs_flow_key_extract+0x124/0x350 [openvswitch] ovs_vport_receive+0x61/0xd0 [openvswitch] ? kernel_init_free_pages.part.0+0x4a/0x70 ? get_page_from_freelist+0x353/0x540 netdev_port_receive+0xc4/0x180 [openvswitch] ? netdev_port_receive+0x180/0x180 [openvswitch] netdev_frame_hook+0x1f/0x40 [openvswitch] __netif_receive_skb_core.constprop.0+0x23a/0xf00 __netif_receive_skb_list_core+0xfa/0x240 netif_receive_skb_list_internal+0x18e/0x2a0 napi_complete_done+0x7a/0x1c0 bnxt_poll+0x155/0x1c0 [bnxt_en] __napi_poll+0x30/0x180 net_rx_action+0x126/0x280 ? bnxt_msix+0x67/0x80 [bnxt_en] handle_softirqs+0xda/0x2d0 irq_exit_rcu+0x96/0xc0 common_interrupt+0x8e/0xa0 </IRQ> CVE-2025-38146 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: calipso: Don't call calipso functions for AF_INET sk. syzkaller reported a null-ptr-deref in txopt_get(). [0] The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there. However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one. The root cause is missing validation in netlbl_conn_setattr(). netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace. However, netlbl_conn_setattr() does not check if the address family matches the socket. The syzkaller must have called connect() for an IPv6 address on an IPv4 socket. We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage. Let's copy the validation to netlbl_conn_setattr(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <TASK> calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 security_socket_connect+0x50/0xa0 security/security.c:4598 __sys_connect_file+0xa4/0x190 net/socket.c:2067 __sys_connect+0x12c/0x170 net/socket.c:2088 __do_sys_connect net/socket.c:2098 [inline] __se_sys_connect net/socket.c:2095 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:2095 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 </TASK> Modules linked in: CVE-2025-38147 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: mscc: Fix memory leak when using one step timestamping Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never generate an interrupt to say that the frame was timestamped, then the frame will never released. Fix this by freeing the frame in case of one-step timestamping. CVE-2025-38148 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: clear phydev->devlink when the link is deleted There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the "error" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows. [ 24.702421] Call trace: [ 24.704856] device_link_put_kref+0x20/0x120 [ 24.709124] device_link_del+0x30/0x48 [ 24.712864] phy_detach+0x24/0x168 [ 24.716261] phy_attach_direct+0x168/0x3a4 [ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c [ 24.725140] phylink_of_phy_connect+0x1c/0x34 Therefore, phydev->devlink needs to be cleared when the device link is deleted. CVE-2025-38149 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item currently in the work queue. However, it left a problem when queue_work fails (because the item is still pending in the work queue from a previous call). In this case, cma_id_put (which is called in the work handler) is therefore not called. This results in a userspace process hang (zombie process). Fix this by calling cma_id_put() if queue_work fails. CVE-2025-38151 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: fix error handling of usbnet read calls Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 ("net: asix: add proper error handling of usb read errors"). For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings. Fix the issue by verifying that the number of bytes read is as expected and not less. [1] Partial syzbot report: BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 is_valid_ether_addr include/linux/etherdevice.h:208 [inline] usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x4d1/0xd90 drivers/base/dd.c:658 __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 ... Uninit was stored to memory at: dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582 __dev_addr_set include/linux/netdevice.h:4874 [inline] eth_hw_addr_set include/linux/etherdevice.h:325 [inline] aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 ... Uninit was stored to memory at: ether_addr_copy include/linux/etherdevice.h:305 [inline] aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline] aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] ... Local variable buf.i created at: aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline] aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 CVE-2025-38153 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_socket after free when sending The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected. Race conditions: ''' CPU0 CPU1 backlog::skb_send_sock sendmsg_unlocked sock_sendmsg sock_sendmsg_nosec close(fd): ... ops->release() -> sock_map_close() sk_socket->ops = NULL free(socket) sock->ops->sendmsg ^ panic here ''' The ref of psock become 0 after sock_map_close() executed. ''' void sock_map_close() { ... if (likely(psock)) { ... // !! here we remove psock and the ref of psock become 0 sock_map_remove_links(sk, psock) psock = sk_psock_get(sk); if (unlikely(!psock)) goto no_psock; <=== Control jumps here via goto ... cancel_delayed_work_sync(&psock->work); <=== not executed sk_psock_put(sk, psock); ... } ''' Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions. With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work. If no backlog running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count have been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync(). In summary, we require synchronization to coordinate the backlog thread and close() thread. The panic I catched: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace: <TASK> ? die_addr+0x40/0xa0 ? exc_general_protection+0x14c/0x230 ? asm_exc_general_protection+0x26/0x30 ? sock_sendmsg+0x21d/0x440 ? sock_sendmsg+0x3e0/0x440 ? __pfx_sock_sendmsg+0x10/0x10 __skb_send_sock+0x543/0xb70 sk_psock_backlog+0x247/0xb80 ... ''' CVE-2025-38154 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference. Prevent null pointer dereference in mt7915_mmio_wed_init(). CVE-2025-38155 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled. CVE-2025-38157 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: fix XQE dma address error The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined into an address. Therefore, the address combination sequence needs to be corrected. Even after fixing the above problem, we still have an issue where the Guest from an old kernel can get migrated to new kernel and may result in wrong data. In order to ensure that the address is correct after migration, if an old magic number is detected, the dma address needs to be updated. CVE-2025-38158 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { ... SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data); SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1)); ... SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); Detected using the static analysis tool - Svace. CVE-2025-38159 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. CVE-2025-38160 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure. Now properly rollback the object to its original state upon such failure. In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace: refcount_warn_saturate+0xf4/0x148 mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib] mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib] mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib] ib_destroy_wq_user+0x30/0xc0 [ib_core] uverbs_free_wq+0x28/0x58 [ib_uverbs] destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs] uverbs_destroy_uobject+0x48/0x240 [ib_uverbs] __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs] uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs] ib_uverbs_close+0x2c/0x100 [ib_uverbs] __fput+0xd8/0x2f0 __fput_sync+0x50/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall.constprop.0+0x74/0xd0 do_el0_svc+0x48/0xe8 el0_svc+0x44/0x1d0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x1a4/0x1a8 CVE-2025-38161 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation When calculating the lookup table size, ensure the following multiplication does not overflow: - desc->field_len[] maximum value is U8_MAX multiplied by NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in struct nft_pipapo_field. Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this. While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize(). CVE-2025-38162 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockmap [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299] <TASK> [ 2172.945428] ? die+0x36/0x90 [ 2172.945601] ? do_trap+0xdd/0x100 [ 2172.945795] ? iov_iter_revert+0x178/0x180 [ 2172.946031] ? iov_iter_revert+0x178/0x180 [ 2172.946267] ? do_error_trap+0x7d/0x110 [ 2172.946499] ? iov_iter_revert+0x178/0x180 [ 2172.946736] ? exc_invalid_op+0x50/0x70 [ 2172.946961] ? iov_iter_revert+0x178/0x180 [ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20 [ 2172.947446] ? iov_iter_revert+0x178/0x180 [ 2172.947683] ? iov_iter_revert+0x5c/0x180 [ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840 [ 2172.948206] tls_sw_sendmsg+0x52/0x80 [ 2172.948420] ? inet_sendmsg+0x1f/0x70 [ 2172.948634] __sys_sendto+0x1cd/0x200 [ 2172.948848] ? find_held_lock+0x2b/0x80 [ 2172.949072] ? syscall_trace_enter+0x140/0x270 [ 2172.949330] ? __lock_release.isra.0+0x5e/0x170 [ 2172.949595] ? find_held_lock+0x2b/0x80 [ 2172.949817] ? syscall_trace_enter+0x140/0x270 [ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190 [ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0 [ 2172.951036] __x64_sys_sendto+0x24/0x30 [ 2172.951382] do_syscall_64+0x90/0x170 ...... After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, e.g., when the BPF program executes bpf_msg_push_data(). If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, it will return -ENOSPC and attempt to roll back to the non-zero copy logic. However, during rollback, msg->msg_iter is reset, but since msg_pl->sg.size has been increased, subsequent executions will exceed the actual size of msg_iter. ''' iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); ''' The changes in this commit are based on the following considerations: 1. When cork_bytes is set, rolling back to non-zero copy logic is pointless and can directly go to zero-copy logic. 2. We can not calculate the correct number of bytes to revert msg_iter. Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes by the BPF program, it becomes 11-byte data: "abc?de?fgh?". Then, we set cork_bytes to 6, which means the first 6 bytes have been processed, and the remaining 5 bytes "?fgh?" will be cached until the length meets the cork_bytes requirement. However, some data in "?fgh?" is not within 'sg->msg_iter' (but in msg_pl instead), especially the data "?" we pushed. So it doesn't seem as simple as just reverting through an offset of msg_iter. 3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs, the user-space send() doesn't return an error, and the returned length is the same as the input length parameter, even if some data is cached. Additionally, I saw that the current non-zero-copy logic for handling corking is written as: ''' line 1177 else if (ret != -EAGAIN) { if (ret == -ENOSPC) ret = 0; goto send_end; ''' So it's ok to just return 'copied' without error when a "cork" situation occurs. CVE-2025-38166 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. CVE-2025-38173 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call Trace: <TASK> ? tb_cfg_request_dequeue+0x2d/0xa0 tb_cfg_request_work+0x33/0x80 worker_thread+0x386/0x8f0 kthread+0xed/0x110 ret_from_fork+0x38/0x50 ret_from_fork_asm+0x1b/0x30 The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request(). Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122). Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set. CVE-2025-38174 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. CVE-2025-38180 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"), reqsk->rsk_listener could be NULL when SYN Cookie is returned to its client, as hinted by the leading SYN Cookie log. Here are 3 options to fix the bug: 1) Return 0 in calipso_req_setattr() 2) Return an error in calipso_req_setattr() 3) Alaways set rsk_listener 1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie for CALIPSO. 3) is also no go as there have been many efforts to reduce atomic ops and make TCP robust against DDoS. See also commit 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synflood"). As of the blamed commit, SYN Cookie already did not need refcounting, and no one has stumbled on the bug for 9 years, so no CALIPSO user will care about SYN Cookie. Let's return an error in calipso_req_setattr() and calipso_req_delattr() in the SYN Cookie case. This can be reproduced by [1] on Fedora and now connect() of nc times out. [0]: TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_pnet include/net/net_namespace.h:406 [inline] RIP: 0010:sock_net include/net/sock.h:655 [inline] RIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806 Code: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b RSP: 0018:ffff88811af89038 EFLAGS: 00010216 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400 RDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030 RBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e R10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000 R13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050 FS: 00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <IRQ> ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288 calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204 calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597 netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249 selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342 selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551 security_inet_conn_request+0x50/0xa0 security/security.c:4945 tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825 tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275 tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328 tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781 tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667 tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904 ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436 ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491 dst_input include/net/dst.h:469 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netf ---truncated--- CVE-2025-38181 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device. CVE-2025-38182 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8). This seems correct and aligns with the PTP interrupt status register (PTP_INT_STS) specifications. However, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with only LAN743X_PTP_N_EXTTS(4) elements, using channel as an index: lan743x_ptp_io_event_clock_get(..., u8 channel,...) { ... /* Update Local timestamp */ extts = &ptp->extts[channel]; extts->ts.tv_sec = sec; ... } To avoid an out-of-bounds write and utilize all the supported GPIO inputs, set LAN743X_PTP_N_EXTTS to 8. Detected using the static analysis tool - Svace. CVE-2025-38183 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711 tipc: Enabled bearer <eth:syz_tun>, priority 1 Oops: general protection fault KASAN: null-ptr-deref in range CPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT Hardware name: QEMU Ubuntu 24.04 PC RIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0 the ub was in fact a struct dev. when bid != 0 && skip_cnt != 0, bearer_list[bid] may be NULL or other media when other thread changes it. fix this by checking media_id. CVE-2025-38184 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert atm_account_tx() in vcc_sendmsg(), which is expected to be done in atm_pop_raw(). Let's properly free skb with an invalid length in atmtcp_c_send(). [0]: BUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294 atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294 vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4154 [inline] slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670 alloc_skb include/linux/skbuff.h:1336 [inline] vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 CVE-2025-38185 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() The RPC container is released after being passed to r535_gsp_rpc_send(). When sending the initial fragment of a large RPC and passing the caller's RPC container, the container will be freed prematurely. Subsequent attempts to send remaining fragments will therefore result in a use-after-free. Allocate a temporary RPC container for holding the initial fragment of a large RPC when sending. Free the caller's container when all fragments are successfully sent. [ Rebase onto Blackwell changes. - Danilo ] CVE-2025-38187 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE Calling this packet is necessary when we switch contexts because there are various pieces of state used by userspace to synchronize between BR and BV that are persistent across submits and we need to make sure that they are in a "safe" state when switching contexts. Otherwise a userspace submission in one context could cause another context to function incorrectly and hang, effectively a denial of service (although without leaking data). This was missed during initial a7xx bringup. Patchwork: https://patchwork.freedesktop.org/patch/654924/ CVE-2025-38188 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: Revert atm_account_tx() if copy_from_iter_full() fails. In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by atm_account_tx(). It is expected to be reverted by atm_pop_raw() later called by vcc->dev->ops->send(vcc, skb). However, vcc_sendmsg() misses the same revert when copy_from_iter_full() fails, and then we will leak a socket. Let's factorise the revert part as atm_return_tx() and call it in the failure path. Note that the corresponding sk_wmem_alloc operation can be found in alloc_tx() as of the blamed commit. $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~ CVE-2025-38190 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: clear the dst when changing skb protocol A not-so-careful NAT46 BPF program can crash the kernel if it indiscriminately flips ingress packets from v4 to v6: BUG: kernel NULL pointer dereference, address: 0000000000000000 ip6_rcv_core (net/ipv6/ip6_input.c:190:20) ipv6_rcv (net/ipv6/ip6_input.c:306:8) process_backlog (net/core/dev.c:6186:4) napi_poll (net/core/dev.c:6906:9) net_rx_action (net/core/dev.c:7028:13) do_softirq (kernel/softirq.c:462:3) netif_rx (net/core/dev.c:5326:3) dev_loopback_xmit (net/core/dev.c:4015:2) ip_mc_finish_output (net/ipv4/ip_output.c:363:8) NF_HOOK (./include/linux/netfilter.h:314:9) ip_mc_output (net/ipv4/ip_output.c:400:5) dst_output (./include/net/dst.h:459:9) ip_local_out (net/ipv4/ip_output.c:130:9) ip_send_skb (net/ipv4/ip_output.c:1496:8) udp_send_skb (net/ipv4/udp.c:1040:8) udp_sendmsg (net/ipv4/udp.c:1328:10) The output interface has a 4->6 program attached at ingress. We try to loop the multicast skb back to the sending socket. Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr and changes skb->protocol to v6. We enter ip6_rcv_core which tries to use skb_dst(). But the dst is still an IPv4 one left after IPv4 mcast output. Clear the dst in all BPF helpers which change the protocol. Try to preserve metadata dsts, those may carry non-routing metadata. CVE-2025-38192 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc qd add dev lo root sfq perturb -10 # negative value : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 1000000000 # too big : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 2000000 # acceptable value tc -s -d qd sh dev lo qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0 CVE-2025-38193 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't check return value of jffs2_prealloc_raw_node_refs and simply lets any error propagate into jffs2_sum_write_data, which eventually calls jffs2_link_node_ref in order to link the summary to an expectedly allocated node. kernel BUG at fs/jffs2/nodelist.c:592! invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 Call Trace: <TASK> jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 call_write_iter include/linux/fs.h:2265 [inline] do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10c/0x170 fs/splice.c:950 splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Fix this issue by checking return value of jffs2_prealloc_raw_node_refs before calling jffs2_sum_write_data. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-38194 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping through the packet list. Without this patch, reading the packet data via sysfs will show the data incorrectly (because it starts at the wrong packet), and clearing the packet list will result in a NULL pointer dereference. CVE-2025-38197 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_info *[32]' ... fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113 dev_attr_store+0x55/0x80 drivers/base/core.c:2439 static struct fb_info *fbcon_registered_fb[FB_MAX]; ... static signed char con2fb_map[MAX_NR_CONSOLES]; ... static struct fb_info *fbcon_info_from_console(int console) ... return fbcon_registered_fb[con2fb_map[console]]; If con2fb_map contains a -1 things go wrong here. Instead, return NULL, as callers of fbcon_info_from_console() are trying to compare against existing "info" pointers, so error handling should kick in correctly. CVE-2025-38198 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. CVE-2025-38200 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. Similar to: b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX") CVE-2025-38201 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf program. When BPF JIT is disabled or under 32-bit host, bpf_map_lookup_percpu_elem() will not be inlined. Using it in a sleepable bpf program will trigger the warning in bpf_map_lookup_percpu_elem(), because the bpf program only holds rcu_read_lock_trace lock. Therefore, add the missed check. CVE-2025-38202 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted 6.13.0-rc6-gfbfd64d25c7a-dirty #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Sched_ext: serialise (enabled+all), task: runnable_at=-30ms RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die_body+0x61/0xb0 ? die_addr+0xb1/0xe0 ? exc_general_protection+0x333/0x510 ? asm_exc_general_protection+0x26/0x30 ? jfs_ioc_trim+0x34b/0x8f0 jfs_ioctl+0x3c8/0x4f0 ? __pfx_jfs_ioctl+0x10/0x10 ? __pfx_jfs_ioctl+0x10/0x10 __se_sys_ioctl+0x269/0x350 ? __pfx___se_sys_ioctl+0x10/0x10 ? do_syscall_64+0xfb/0x210 do_syscall_64+0xee/0x210 ? syscall_exit_to_user_mode+0x1e0/0x330 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe51f4903ad Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640 R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception [ Analysis ] We believe that we have found a concurrency bug in the `fs/jfs` module that results in a null pointer dereference. There is a closely related issue which has been fixed: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ... but, unfortunately, the accepted patch appears to still be susceptible to a null pointer dereference under some interleavings. To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This bug manifests quite rarely under normal circumstances, but is triggereable from a syz-program. CVE-2025-38203 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to 127. Added a bound check for that error and return -EIO if the check fails. Also make jfs_readdir return with error if add_missing_indices returns with an error. CVE-2025-38204 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 [Why] If the dummy values in `populate_dummy_dml_surface_cfg()` aren't updated then they can lead to a divide by zero in downstream callers like CalculateVMAndRowBytes() [How] Initialize dummy value to a value to avoid divide by zero. CVE-2025-38205 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it. CVE-2025-38206 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: smb: client: add NULL check in automount_fullpath page is checked for null in __build_path_from_dentry_optional_prefix when tcon->origin_fullpath is not set. However, the check is missing when it is set. Add a check to prevent a potential NULL pointer dereference. CVE-2025-38208 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: configfs-tsm-report: Fix NULL dereference of tsm_ops Unlike sysfs, the lifetime of configfs objects is controlled by userspace. There is no mechanism for the kernel to find and delete all created config-items. Instead, the configfs-tsm-report mechanism has an expectation that tsm_unregister() can happen at any time and cause established config-item access to start failing. That expectation is not fully satisfied. While tsm_report_read(), tsm_report_{is,is_bin}_visible(), and tsm_report_make_item() safely fail if tsm_ops have been unregistered, tsm_report_privlevel_store() tsm_report_provider_show() fail to check for ops registration. Add the missing checks for tsm_ops having been removed. Now, in supporting the ability for tsm_unregister() to always succeed, it leaves the problem of what to do with lingering config-items. The expectation is that the admin that arranges for the ->remove() (unbind) of the ${tsm_arch}-guest driver is also responsible for deletion of all open config-items. Until that deletion happens, ->probe() (reload / bind) of the ${tsm_arch}-guest driver fails. This allows for emergency shutdown / revocation of attestation interfaces, and requires coordinated restart. CVE-2025-38210 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction. However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below: BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: <TASK> dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver. To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated--- CVE-2025-38211 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned(). CVE-2025-38212 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-38213 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resize_screen drivers/tty/vt/vt.c:1176 [inline] vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 ================================================================ The reason is that fb_info->var is being modified in fb_set_var(), and then fb_videomode_to_var() is called. If it fails to add the mode to fb_info->modelist, fb_set_var() returns error, but does not restore the old value of fb_info->var. Restore fb_info->var on failure the same way it is done earlier in the function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-38214 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resize_screen drivers/tty/vt/vt.c:1176 [inline] vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 ================================================================ Even though fbcon_init() checks beforehand if fb_match_mode() in var_to_display() fails, it can not prevent the panic because fbcon_init() does not return error code. Considering this and the comment in the code about fb_match_mode() returning NULL - "This should not happen" - it is better to prevent registering the fb_info if its mode was not set successfully. Also move fb_add_videomode() closer to the beginning of do_register_framebuffer() to avoid having to do the cleanup on fail. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-38215 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (ftsteutates) Fix TOCTOU race in fts_read() In the fts_read() function, when handling hwmon_pwm_auto_channels_temp, the code accesses the shared variable data->fan_source[channel] twice without holding any locks. It is first checked against FTS_FAN_SOURCE_INVALID, and if the check passes, it is read again when used as an argument to the BIT() macro. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. Another thread executing fts_update_device() can modify the value of data->fan_source[channel] between the check and its use. If the value is changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the BIT() macro will be called with a large shift value (BIT(255)). A bit shift by a value greater than or equal to the type width is undefined behavior and can lead to a crash or incorrect values being returned to userspace. Fix this by reading data->fan_source[channel] into a local variable once, eliminating the race condition. Additionally, add a bounds check to ensure the value is less than BITS_PER_LONG before passing it to the BIT() macro, making the code more robust against undefined behavior. This possible bug was found by an experimental static analysis tool developed by our team. CVE-2025-38217 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: only dirty folios when data journaling regular files fstest generic/388 occasionally reproduces a crash that looks as follows: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: <TASK> ext4_block_zero_page_range+0x30c/0x380 [ext4] ext4_truncate+0x436/0x440 [ext4] ext4_process_orphan+0x5d/0x110 [ext4] ext4_orphan_cleanup+0x124/0x4f0 [ext4] ext4_fill_super+0x262d/0x3110 [ext4] get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x26/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4ed/0x6b0 do_syscall_64+0x82/0x170 ... This occurs when processing a symlink inode from the orphan list. The partial block zeroing code in the truncate path calls ext4_dirty_journalled_data() -> folio_mark_dirty(). The latter calls mapping->a_ops->dirty_folio(), but symlink inodes are not assigned an a_ops vector in ext4, hence the crash. To avoid this problem, update the ext4_dirty_journalled_data() helper to only mark the folio dirty on regular files (for which a_ops is assigned). This also matches the journaling logic in the ext4_symlink() creation path, where ext4_handle_dirty_metadata() is called directly. CVE-2025-38220 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow in ext4_prepare_inline_data When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below. fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL << 40) + 5UL); That happens because write_begin will succeed as when ext4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len will be truncated, leading to ext4_prepare_inline_data parameter to be 6 instead of 0x10000000006. Then, later when write_end is called, we hit: BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); at ext4_write_inline_data. Fix it by using a loff_t type for the len parameter in ext4_prepare_inline_data instead of an unsigned int. [ 44.545164] ------------[ cut here ]------------ [ 44.545530] kernel BUG at fs/ext4/inline.c:240! [ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb [ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100 [ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49 [ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216 [ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006 [ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738 [ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000 [ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738 [ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000 [ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0 [ 44.546523] PKRU: 55555554 [ 44.546523] Call Trace: [ 44.546523] <TASK> [ 44.546523] ext4_write_inline_data_end+0x126/0x2d0 [ 44.546523] generic_perform_write+0x17e/0x270 [ 44.546523] ext4_buffered_write_iter+0xc8/0x170 [ 44.546523] vfs_write+0x2be/0x3e0 [ 44.546523] __x64_sys_pwrite64+0x6d/0xc0 [ 44.546523] do_syscall_64+0x6a/0xf0 [ 44.546523] ? __wake_up+0x89/0xb0 [ 44.546523] ? xas_find+0x72/0x1c0 [ 44.546523] ? next_uptodate_folio+0x317/0x330 [ 44.546523] ? set_pte_range+0x1a6/0x270 [ 44.546523] ? filemap_map_pages+0x6ee/0x840 [ 44.546523] ? ext4_setattr+0x2fa/0x750 [ 44.546523] ? do_pte_missing+0x128/0xf70 [ 44.546523] ? security_inode_post_setattr+0x3e/0xd0 [ 44.546523] ? ___pte_offset_map+0x19/0x100 [ 44.546523] ? handle_mm_fault+0x721/0xa10 [ 44.546523] ? do_user_addr_fault+0x197/0x730 [ 44.546523] ? do_syscall_64+0x76/0xf0 [ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60 [ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90 [ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 44.546523] RIP: 0033:0x7f42999c6687 [ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012 [ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687 [ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003 [ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000 [ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000 ---truncated--- CVE-2025-38222 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after an allocation error When allocation failures are not cleaned up by the driver, further allocation errors will be false-positives, which will cause buffers to remain uninitialized and cause NULL pointer dereferences. Ensure proper cleanup of failed allocations to prevent these issues. CVE-2025-38225 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304 CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The composition size cannot be larger than the size of fmt_cap_rect. So execute v4l2_rect_map_inside() even if has_compose_cap == 0. CVE-2025-38226 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1] After PSI initialization fails, the si member is accessed again, resulting in this uaf. After si initialization fails, the subsequent process needs to be exited. [1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059 CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xd9/0x110 mm/kasan/report.c:634 vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_table.c:464 task_work_run+0x14e/0x250 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 __do_sys_exit_group kernel/exit.c:1098 [inline] __se_sys_exit_group kernel/exit.c:1096 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096 x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 </TASK> Allocated by task 6059: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970 vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423 vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_tabl ---truncated--- CVE-2025-38227 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge rbuf when the write fails syzbot reported a uninit-value in cxusb_i2c_xfer. [1] Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read rlen bytes of data from the dvb device into the rbuf. In this case, although rlen is 1, the write operation failed which resulted in the dvb read operation not being executed, and ultimately variable i was not initialized. [1] BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1 i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315 i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343 i2c_master_send include/linux/i2c.h:109 [inline] i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183 do_loop_readv_writev fs/read_write.c:848 [inline] vfs_writev+0x963/0x14e0 fs/read_write.c:1057 do_writev+0x247/0x5c0 fs/read_write.c:1101 __do_sys_writev fs/read_write.c:1169 [inline] __se_sys_writev fs/read_write.c:1166 [inline] __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166 x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-38229 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed start of laundromat_work allows sufficient time for nfsd_ssc initialization to complete. However, when the kernel waits too long for userspace responses (e.g. in nfs4_state_start_net -> nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done -> cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the delayed work may start before nfsd_ssc initialization finishes. Fix this by moving nfsd_ssc initialization before starting laundromat_work. CVE-2025-38231 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: sched/rt: Fix race in push_rt_task Overview ======== When a CPU chooses to call push_rt_task and picks a task to push to another CPU's runqueue then it will call find_lock_lowest_rq method which would take a double lock on both CPUs' runqueues. If one of the locks aren't readily available, it may lead to dropping the current runqueue lock and reacquiring both the locks at once. During this window it is possible that the task is already migrated and is running on some other CPU. These cases are already handled. However, if the task is migrated and has already been executed and another CPU is now trying to wake it up (ttwu) such that it is queued again on the runqeue (on_rq is 1) and also if the task was run by the same CPU, then the current checks will pass even though the task was migrated out and is no longer in the pushable tasks list. Crashes ======= This bug resulted in quite a few flavors of crashes triggering kernel panics with various crash signatures such as assert failures, page faults, null pointer dereferences, and queue corruption errors all coming from scheduler itself. Some of the crashes: -> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? pick_next_task_rt+0x6e/0x1d0 ? do_error_trap+0x64/0xa0 ? pick_next_task_rt+0x6e/0x1d0 ? exc_invalid_op+0x4c/0x60 ? pick_next_task_rt+0x6e/0x1d0 ? asm_exc_invalid_op+0x12/0x20 ? pick_next_task_rt+0x6e/0x1d0 __schedule+0x5cb/0x790 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: kernel NULL pointer dereference, address: 00000000000000c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? __warn+0x8a/0xe0 ? exc_page_fault+0x3d6/0x520 ? asm_exc_page_fault+0x1e/0x30 ? pick_next_task_rt+0xb5/0x1d0 ? pick_next_task_rt+0x8c/0x1d0 __schedule+0x583/0x7e0 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: unable to handle page fault for address: ffff9464daea5900 kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p)) -> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? dequeue_top_rt_rq+0xa2/0xb0 ? do_error_trap+0x64/0xa0 ? dequeue_top_rt_rq+0xa2/0xb0 ? exc_invalid_op+0x4c/0x60 ? dequeue_top_rt_rq+0xa2/0xb0 ? asm_exc_invalid_op+0x12/0x20 ? dequeue_top_rt_rq+0xa2/0xb0 dequeue_rt_entity+0x1f/0x70 dequeue_task_rt+0x2d/0x70 __schedule+0x1a8/0x7e0 ? blk_finish_plug+0x25/0x40 schedule+0x3c/0xb0 futex_wait_queue_me+0xb6/0x120 futex_wait+0xd9/0x240 do_futex+0x344/0xa90 ? get_mm_exe_file+0x30/0x60 ? audit_exe_compare+0x58/0x70 ? audit_filter_rules.constprop.26+0x65e/0x1220 __x64_sys_futex+0x148/0x1f0 do_syscall_64+0x30/0x80 entry_SYSCALL_64_after_hwframe+0x62/0xc7 -> BUG: unable to handle page fault for address: ffff8cf3608bc2c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? spurious_kernel_fault+0x171/0x1c0 ? exc_page_fault+0x3b6/0x520 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? asm_exc_page_fault+0x1e/0x30 ? _cond_resched+0x15/0x30 ? futex_wait_queue_me+0xc8/0x120 ? futex_wait+0xd9/0x240 ? try_to_wake_up+0x1b8/0x490 ? futex_wake+0x78/0x160 ? do_futex+0xcd/0xa90 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? plist_del+0x6a/0xd0 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? dequeue_pushable_task+0x20/0x70 ? __schedule+0x382/0x7e0 ? asm_sysvec_reschedule_i ---truncated--- CVE-2025-38234 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. Jann Horn reported a use-after-free in unix_stream_read_generic(). The following sequences reproduce the issue: $ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free) Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv(). After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb. Then, the following happens during the next recv() without MSG_OOB 1. unix_stream_read_generic() peeks the first consumed OOB skb 2. manage_oob() returns the next consumed OOB skb 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb 4. unix_stream_read_generic() reads and frees the OOB skb , and the last recv(MSG_OOB) triggers KASAN splat. The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs. while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... } In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs. So, nothing good comes out of such a situation. Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily. Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027) Read of size 4 at addr ffff888106ef2904 by task python3/315 CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:636) unix_stream_read_actor (net/unix/af_unix.c:3027) unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:348) kmem_cache_alloc_ ---truncated--- CVE-2025-38236 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access is detected: megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0 ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28 index -1 is out of range for type 'cpumask *[1024]' dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x2b __ubsan_handle_out_of_bounds.cold+0x46/0x4b megasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas] megasas_probe_one.cold+0xa4d/0x189c [megaraid_sas] local_pci_probe+0x42/0x90 pci_device_probe+0xdc/0x290 really_probe+0xdb/0x340 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8b/0xe0 bus_add_driver+0x142/0x220 driver_register+0x72/0xd0 megasas_init+0xdf/0xff0 [megaraid_sas] do_one_initcall+0x57/0x310 do_init_module+0x90/0x250 init_module_from_file+0x85/0xc0 idempotent_init_module+0x114/0x310 __x64_sys_finit_module+0x65/0xc0 do_syscall_64+0x82/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix it accordingly. CVE-2025-38239 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when reconnecting channels Fix cifs_signal_cifsd_for_reconnect() to take the correct lock order and prevent the following deadlock from happening ====================================================== WARNING: possible circular locking dependency detected 6.16.0-rc3-build2+ #1301 Tainted: G S W ------------------------------------------------------ cifsd/6055 is trying to acquire lock: ffff88810ad56038 (&tcp_ses->srv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200 but task is already holding lock: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&ret_buf->chan_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_setup_session+0x81/0x4b0 cifs_get_smb_ses+0x771/0x900 cifs_mount_get_session+0x7e/0x170 cifs_mount+0x92/0x2d0 cifs_smb3_do_mount+0x161/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&ret_buf->ses_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_match_super+0x101/0x320 sget+0xab/0x270 cifs_smb3_do_mount+0x1e0/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (&tcp_ses->srv_lock){+.+.}-{3:3}: check_noncircular+0x95/0xc0 check_prev_add+0x115/0x2f0 validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_signal_cifsd_for_reconnect+0x134/0x200 __cifs_reconnect+0x8f/0x500 cifs_handle_standard+0x112/0x280 cifs_demultiplex_thread+0x64d/0xbc0 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 other info that might help us debug this: Chain exists of: &tcp_ses->srv_lock --> &ret_buf->ses_lock --> &ret_buf->chan_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ret_buf->chan_lock); lock(&ret_buf->ses_lock); lock(&ret_buf->chan_lock); lock(&tcp_ses->srv_lock); *** DEADLOCK *** 3 locks held by cifsd/6055: #0: ffffffff857de398 (&cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200 #1: ffff888119c64060 (&ret_buf->ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200 #2: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200 CVE-2025-38244 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b </TASK> CVE-2025-38245 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt: properly flush XDP redirect lists We encountered following crash when testing a XDP_REDIRECT feature in production: [56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd 40f30). [56251.601413] ------------[ cut here ]------------ [56251.611357] kernel BUG at lib/list_debug.c:29! [56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6. 3 #1 [56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE [56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025 [56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0 [56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48 89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89 [56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246 [56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000 [56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80 [56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18 [56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000 [56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40 [56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000 [56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0 [56251.831365] PKRU: 55555554 [56251.838653] Call Trace: [56251.845560] <IRQ> [56251.851943] cpu_map_enqueue.cold+0x5/0xa [56251.860243] xdp_do_redirect+0x2d9/0x480 [56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en] [56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en] [56251.885665] ? cpu_max_write+0x1e/0x100 [56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en] [56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en] [56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.944250] __napi_poll+0x2b/0x160 [56251.951155] bpf_trampoline_6442548651+0x79/0x123 [56251.959262] __napi_poll+0x5/0x160 [56251.966037] net_rx_action+0x3d2/0x880 [56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.989262] ? __hrtimer_run_queues+0x162/0x2a0 [56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5 [56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5 [56252.012673] ? bnxt_msix+0x62/0x70 [bnxt_en] [56252.019903] handle_softirqs+0xcf/0x270 [56252.026650] irq_exit_rcu+0x67/0x90 [56252.032933] common_interrupt+0x85/0xa0 [56252.039498] </IRQ> [56252.044246] <TASK> [56252.048935] asm_common_interrupt+0x26/0x40 [56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420 [56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae 01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29 [56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202 [56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000 [56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000 [56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e [56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860 [56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000 [56252.146667] ? cpuidle_enter_state+0xab/0x420 [56252.153909] cpuidle_enter+0x2d/0x40 [56252.160360] do_idle+0x176/0x1c0 [56252.166456 ---truncated--- CVE-2025-38246 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry. When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list: # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 # ip link add name dummy1 up master br1 type dummy # ip link set dev dummy1 type bridge_slave mcast_router 2 $ bridge -d mdb show | grep router router ports on br1: dummy1 # ip link set dev br1 type bridge mcast_vlan_snooping 1 $ bridge -d mdb show | grep router However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled: # ip link set dev dummy1 type bridge_slave mcast_router 0 # ip link set dev dummy1 type bridge_slave mcast_router 2 $ bridge -d mdb show | grep router router ports on br1: dummy1 Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example): # ip link del dev dummy1 # ip link add name dummy2 up master br1 type dummy # ip link set dev dummy2 type bridge_slave mcast_router 2 Similarly, stale entries can also be found in the per-VLAN router port list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list: # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 # ip link add name dummy1 up master br1 type dummy # bridge vlan add vid 2 dev dummy1 # bridge vlan global set vid 2 dev br1 mcast_snooping 1 # bridge vlan set vid 2 dev dummy1 mcast_router 2 $ bridge vlan global show dev br1 vid 2 | grep router router ports: dummy1 # ip link set dev br1 type bridge mcast_vlan_snooping 0 $ bridge vlan global show dev br1 vid 2 | grep router However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled: # bridge vlan set vid 2 dev dummy1 mcast_router 0 # bridge vlan set vid 2 dev dummy1 mcast_router 2 $ bridge vlan global show dev br1 vid 2 | grep router router ports: dummy1 When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example): # ip link add name dummy2 up master br1 type dummy # bridge vlan add vid 2 dev dummy2 # bridge vlan del vid 2 dev dummy1 # bridge vlan set vid 2 dev dummy2 mcast_router 2 Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context. Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2). [1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace: <TASK> dump_stack ---truncated--- CVE-2025-38248 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor. CVE-2025-38249 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread close()d a vhci file descriptor while its device was being used by iotcl() on another thread. Once the last fd refcnt is released, vhci_release() calls hci_unregister_dev(), hci_free_dev(), and kfree() for struct vhci_data, which is set to hci_dev->dev->driver_data. The problem is that there is no synchronisation after unlinking hdev from hci_dev_list in hci_unregister_dev(). There might be another thread still accessing the hdev which was fetched before the unlink operation. We can use SRCU for such synchronisation. Let's run hci_dev_reset() under SRCU and wait for its completion in hci_unregister_dev(). Another option would be to restore hci_dev->destruct(), which was removed in commit 587ae086f6e4 ("Bluetooth: Remove unused hci-destruct cb"). However, this would not be a good solution, as we should not run hci_unregister_dev() while there are in-flight ioctl() requests, which could lead to another data-race KCSAN splat. Note that other drivers seem to have the same problem, for exmaple, virtbt_remove(). [0]: BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718 CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 skb_queue_purge include/linux/skbuff.h:3368 [inline] vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69 hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline] hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592 sock_do_ioctl+0xd9/0x300 net/socket.c:1190 sock_ioctl+0x576/0x790 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcf5b98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528 </TASK> Allocated by task 6535: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635 misc_open+0x2bc/0x330 drivers/char/misc.c:161 chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414 do_dentry_open+0xdf0/0x1970 fs/open.c:964 vfs_open+0x3b/0x340 fs/open.c:1094 do_open fs/namei.c:3887 [inline] path_openat+0x2ee5/0x3830 fs/name ---truncated--- CVE-2025-38250 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize. CVE-2025-38251 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:__bitmap_or+0x48/0x70 Call Trace: <TASK> __group_cpus_evenly+0x822/0x8c0 group_cpus_evenly+0x2d9/0x490 blk_mq_map_queues+0x1e/0x110 null_map_queues+0xc9/0x170 [null_blk] blk_mq_update_queue_map+0xdb/0x160 blk_mq_update_nr_hw_queues+0x22b/0x560 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_poll_queues_store+0xa4/0x130 [null_blk] configfs_write_iter+0x109/0x1d0 vfs_write+0x26e/0x6f0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x45c4/0x45f0 do_syscall_64+0xa5/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from kcalloc(), and later ZERO_SIZE_PTR will be deferenced. Fix the problem by checking numgrps first in group_cpus_evenly(), and return NULL directly if numgrps is zero. [yukuai3@huawei.com: also fix the non-SMP version] CVE-2025-38255 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org). CVE-2025-38257 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9335: Fix missing free of regulator supplies Driver gets and enables all regulator supplies in probe path (wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup in final error paths and in unbind (missing remove() callback). This leads to leaked memory and unbalanced regulator enable count during probe errors or unbind. Fix this by converting entire code into devm_regulator_bulk_get_enable() which also greatly simplifies the code. CVE-2025-38259 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated--- CVE-2025-38263 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop in request list processing. CVE-2025-38264 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: dsa: b53: do not enable EEE on bcm63xx BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs are EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers. Fix this by checking if the switch actually supports EEE before attempting to configure it. CVE-2025-38272 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference. Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), ensuring safe and consistent error handling. CVE-2025-38275 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel crashes. This scenario can be triggered in edge cases such as misconfigured geometry, ECC engine misuse, or if ctx->steps is not validated after initialization. Initialize ret to zero before the loop to ensure correct and safe behavior regardless of the ctx->steps value. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-38277 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Do not include stack ptr register in precision backtracking bookkeeping Yi Lai reported an issue ([1]) where the following warning appears in kernel dmesg: [ 60.643604] verifier backtracking bug [ 60.643635] WARNING: CPU: 10 PID: 2315 at kernel/bpf/verifier.c:4302 __mark_chain_precision+0x3a6c/0x3e10 [ 60.648428] Modules linked in: bpf_testmod(OE) [ 60.650471] CPU: 10 UID: 0 PID: 2315 Comm: test_progs Tainted: G OE 6.15.0-rc4-gef11287f8289-dirty #327 PREEMPT(full) [ 60.654385] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 60.656682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 60.660475] RIP: 0010:__mark_chain_precision+0x3a6c/0x3e10 [ 60.662814] Code: 5a 30 84 89 ea e8 c4 d9 01 00 80 3d 3e 7d d8 04 00 0f 85 60 fa ff ff c6 05 31 7d d8 04 01 48 c7 c7 00 58 30 84 e8 c4 06 a5 ff <0f> 0b e9 46 fa ff ff 48 ... [ 60.668720] RSP: 0018:ffff888116cc7298 EFLAGS: 00010246 [ 60.671075] RAX: 54d70e82dfd31900 RBX: ffff888115b65e20 RCX: 0000000000000000 [ 60.673659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000ffffffff [ 60.676241] RBP: 0000000000000400 R08: ffff8881f6f23bd3 R09: 1ffff1103ede477a [ 60.678787] R10: dffffc0000000000 R11: ffffed103ede477b R12: ffff888115b60ae8 [ 60.681420] R13: 1ffff11022b6cbc4 R14: 00000000fffffff2 R15: 0000000000000001 [ 60.684030] FS: 00007fc2aedd80c0(0000) GS:ffff88826fa8a000(0000) knlGS:0000000000000000 [ 60.686837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 60.689027] CR2: 000056325369e000 CR3: 000000011088b002 CR4: 0000000000370ef0 [ 60.691623] Call Trace: [ 60.692821] <TASK> [ 60.693960] ? __pfx_verbose+0x10/0x10 [ 60.695656] ? __pfx_disasm_kfunc_name+0x10/0x10 [ 60.697495] check_cond_jmp_op+0x16f7/0x39b0 [ 60.699237] do_check+0x58fa/0xab10 ... Further analysis shows the warning is at line 4302 as below: 4294 /* static subprog call instruction, which 4295 * means that we are exiting current subprog, 4296 * so only r1-r5 could be still requested as 4297 * precise, r0 and r6-r10 or any stack slot in 4298 * the current frame should be zero by now 4299 */ 4300 if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) { 4301 verbose(env, "BUG regs %x\n", bt_reg_mask(bt)); 4302 WARN_ONCE(1, "verifier backtracking bug"); 4303 return -EFAULT; 4304 } With the below test (also in the next patch): __used __naked static void __bpf_jmp_r10(void) { asm volatile ( "r2 = 2314885393468386424 ll;" "goto +0;" "if r2 <= r10 goto +3;" "if r1 >= -1835016 goto +0;" "if r2 <= 8 goto +0;" "if r3 <= 0 goto +0;" "exit;" ::: __clobber_all); } SEC("?raw_tp") __naked void bpf_jmp_r10(void) { asm volatile ( "r3 = 0 ll;" "call __bpf_jmp_r10;" "r0 = 0;" "exit;" ::: __clobber_all); } The following is the verifier failure log: 0: (18) r3 = 0x0 ; R3_w=0 2: (85) call pc+2 caller: R10=fp0 callee: frame1: R1=ctx() R3_w=0 R10=fp0 5: frame1: R1=ctx() R3_w=0 R10=fp0 ; asm volatile (" \ @ verifier_precision.c:184 5: (18) r2 = 0x20202000256c6c78 ; frame1: R2_w=0x20202000256c6c78 7: (05) goto pc+0 8: (bd) if r2 <= r10 goto pc+3 ; frame1: R2_w=0x20202000256c6c78 R10=fp0 9: (35) if r1 >= 0xffe3fff8 goto pc+0 ; frame1: R1=ctx() 10: (b5) if r2 <= 0x8 goto pc+0 mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1 mark_precise: frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0 mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3 mark_preci ---truncated--- CVE-2025-38279 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: bugfix live migration function without VF device driver If the VF device driver is not loaded in the Guest OS and we attempt to perform device data migration, the address of the migrated data will be NULL. The live migration recovery operation on the destination side will access a null address value, which will cause access errors. Therefore, live migration of VMs without added VF device drivers does not require device data migration. In addition, when the queue address data obtained by the destination is empty, device queue recovery processing will not be performed. CVE-2025-38283 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible out-of-boundary access at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks. CVE-2025-38286 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk Smatch detected a potential use-after-free of an ndlp oject in dev_loss_tmo_callbk during driver unload or fatal error handling. Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed. CVE-2025-38289 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic. The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally. Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20 The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/ Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 CVE-2025-38290 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error. Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used. Compile tested only. CVE-2025-38292 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic. The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally. Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] drv_remove_interface+0x48/0x194 [mac80211] ieee80211_do_stop+0x6e0/0x844 [mac80211] ieee80211_stop+0x44/0x17c [mac80211] __dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ... Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 CVE-2025-38293 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg() fails for areq->dst, the device driver would try to free DMA memory it has not allocated in the first place. To fix this, on the "theend_sgs" error path, call dma unmap only if the corresponding dma map was successful. 2] If the dma_map_single() call for the IV fails, the device driver would try to free an invalid DMA memory address on the "theend_iv" path: ------------[ cut here ]------------ DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90 Modules linked in: skcipher_example(O+) CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT Tainted: [O]=OOT_MODULE Hardware name: OrangePi Zero2 (DT) pc : check_unmap+0x123c/0x1b90 lr : check_unmap+0x123c/0x1b90 ... Call trace: check_unmap+0x123c/0x1b90 (P) debug_dma_unmap_page+0xac/0xc0 dma_unmap_page_attrs+0x1f4/0x5fc sun8i_ce_cipher_do_one+0x1bd4/0x1f40 crypto_pump_work+0x334/0x6e0 kthread_worker_fn+0x21c/0x438 kthread+0x374/0x664 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- To fix this, check for !dma_mapping_error() before calling dma_unmap_single() on the "theend_iv" path. CVE-2025-38300 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix possible crashes on eir_create_adv_data eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit. CVE-2025-38303 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA. CVE-2025-38304 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store(). ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415 but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ptp->n_vclocks_mux); lock(&ptp->n_vclocks_mux); *** DEADLOCK *** .... ============================================ The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use(). The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks. Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking. CVE-2025-38305 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Verify content returned by parse_int_array() The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref. CVE-2025-38307 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by validating that the provided length exactly matches the specified one. CVE-2025-38310 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. CVE-2025-38312 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on mc_dev The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable. In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed. This commit introduces back the following checkpatch warning which is a false-positive. WARNING: kfree(NULL) is safe and this check is probably not required + if (mc_bus) + kfree(mc_bus); CVE-2025-38313 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, it returns NULL which is later dereferenced. CVE-2025-38319 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: atm: add lec_mutex syzbot found its way in net/atm/lec.c, and found an error path in lecd_attach() could leave a dangling pointer in dev_lec[]. Add a mutex to protect dev_lecp[] uses from lecd_attach(), lec_vcc_attach() and lec_mcast_attach(). Following patch will use this mutex for /proc/net/atm/lec. BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline] BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142 CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xcd/0x680 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 lecd_attach net/atm/lec.c:751 [inline] lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015 alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711 lecd_attach net/atm/lec.c:737 [inline] lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4842 free_netdev+0x6c5/0x910 net/core/dev.c:11892 lecd_attach net/atm/lec.c:744 [inline] lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 CVE-2025-38323 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. This queue was added as part of the conversion to blk_mq. However, the queue was not cleaned out when an aoe device is downed which caused blk_mq_freeze_queue() to sleep indefinitely waiting for those requests to complete, causing a hang. This fix cleans out the queue before calling blk_mq_freeze_queue(). CVE-2025-38326 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implies that the node refs have been allocated. Handle that. The code is ready for propagating the error upwards. KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 Call Trace: jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 call_write_iter include/linux/fs.h:2039 [inline] do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 do_iter_write+0x18c/0x710 fs/read_write.c:866 vfs_writev+0x1db/0x6a0 fs/read_write.c:939 do_pwritev fs/read_write.c:1036 [inline] __do_sys_pwritev fs/read_write.c:1083 [inline] __se_sys_pwritev fs/read_write.c:1078 [inline] __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-38328 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the resulting buffer is NULL terminated. BIOSVersion is only used for the lpfc_printf_log() which expects a properly terminated string. CVE-2025-38332 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages. The longer story: Pages used by an enclave only get epc_page->poison set in arch_memory_failure() but they currently stay on sgx_active_page_list until sgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched. epc_page->poison is not checked in the reclaimer logic meaning that, if other conditions are met, an attempt will be made to reclaim an EPC page that was poisoned. This is bad because 1. we don't want that page to end up added to another enclave and 2. it is likely to cause one core to shut down and the kernel to panic. Specifically, reclaiming uses microcode operations including "EWB" which accesses the EPC page contents to encrypt and write them out to non-SGX memory. Those operations cannot handle MCEs in their accesses other than by putting the executing core into a special shutdown state (affecting both threads with HT.) The kernel will subsequently panic on the remaining cores seeing the core didn't enter MCE handler(s) in time. Call sgx_unmark_page_reclaimable() to remove the affected EPC page from sgx_active_page_list on memory error to stop it being considered for reclaiming. Testing epc_page->poison in sgx_reclaim_pages() would also work but I assume it's better to add code in the less likely paths. The affected EPC page is not added to &node->sgx_poison_page_list until later in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd. Membership on other lists doesn't change to avoid changing any of the lists' semantics except for sgx_active_page_list. There's a "TBD" comment in arch_memory_failure() about pre-emptive actions, the goal here is not to address everything that it may imply. This also doesn't completely close the time window when a memory error notification will be fatal (for a not previously poisoned EPC page) -- the MCE can happen after sgx_reclaim_pages() has selected its candidates or even *inside* a microcode operation (actually easy to trigger due to the amount of time spent in them.) The spinlock in sgx_unmark_page_reclaimable() is safe because memory_failure() runs in process context and no spinlocks are held, explicitly noted in a mm/memory-failure.c comment. CVE-2025-38334 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0 ... [ 4054.290195] __might_resched+0x13c/0x1f4 [ 4054.290209] rt_spin_lock+0x54/0x11c [ 4054.290219] input_event+0x48/0x80 [ 4054.290230] gpio_keys_irq_timer+0x4c/0x78 [ 4054.290243] __hrtimer_run_queues+0x1a4/0x438 [ 4054.290257] hrtimer_interrupt+0xe4/0x240 [ 4054.290269] arch_timer_handler_phys+0x2c/0x44 [ 4054.290283] handle_percpu_devid_irq+0x8c/0x14c [ 4054.290297] handle_irq_desc+0x40/0x58 [ 4054.290307] generic_handle_domain_irq+0x1c/0x28 [ 4054.290316] gic_handle_irq+0x44/0xcc Considering the gpio_keys_irq_isr() can run in any context, e.g. it can be threaded, it seems there's no point in requesting the timer isr to run in hard irq context. Relax the hrtimer not to use the hard context. CVE-2025-38335 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 The controller has a hardware bug that can hard hang the system when doing ATAPI DMAs without any trace of what happened. Depending on the device attached, it can also prevent the system from booting. In this case, the system hangs when reading the ATIP from optical media with cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an Optiarc DVD RW AD-7200A 1.06 attached to an ASRock 990FX Extreme 4, running at UDMA/33. The issue can be reproduced by running the same command with a cygwin build of cdrecord on WinXP, although it requires more attempts to cause it. The hang in that case is also resolved by forcing PIO. It doesn't appear that VIA has produced any drivers for that OS, thus no known workaround exists. HDDs attached to the controller do not suffer from any DMA issues. CVE-2025-38336 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: ================================================================== BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... value changed: 0x00000000 -> 0x00000001 ================================================================== This issue is caused by missing data-race annotation for jh->b_modified. Therefore, the missing annotation needs to be added. CVE-2025-38337 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadlock because folio_unlock() was called twice, and the second call would XOR back the `PG_locked` flag. Most of the time (depending on the timing of the truncation), nobody notices the problem because folio_unlock() gets called three times, which flips `PG_locked` back off: 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio, nfs_return_empty_folio 2. vfs_read, nfs_read_folio, ... netfs_read_collection, netfs_unlock_abandoned_read_pages 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio, nfs_return_empty_folio The problem is that nfs_read_add_folio() is not supposed to unlock the folio if fscache is enabled, and a nfs_netfs_folio_unlock() check is missing in nfs_return_empty_folio(). Rarely this leads to a warning in netfs_read_collection(): ------------[ cut here ]------------ R=0000031c: folio 10 is not locked WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00 [...] Workqueue: events_unbound netfs_read_collection_worker RIP: 0010:netfs_read_collection+0x7c0/0xf00 [...] Call Trace: <TASK> netfs_read_collection_worker+0x67/0x80 process_one_work+0x12e/0x2c0 worker_thread+0x295/0x3a0 Most of the time, however, processes just get stuck forever in folio_wait_bit_common(), waiting for `PG_locked` to disappear, which never happens because nobody is really holding the folio lock. CVE-2025-38338 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: software node: Correct a OOB check in software_node_get_reference_args() software_node_get_reference_args() wants to get @index-th element, so the property value requires at least '(index + 1) * sizeof(*ref)' bytes but that can not be guaranteed by current OOB check, and may cause OOB for malformed property. Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'. CVE-2025-38342 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: drop fragments with multicast or broadcast RA IEEE 802.11 fragmentation can only be applied to unicast frames. Therefore, drop fragments with multicast or broadcast RA. This patch addresses vulnerabilities such as CVE-2020-26145. CVE-2025-38343 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute of South Korea. I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort cases. Boot log of ACPI cache leak is as follows: [ 0.352414] ACPI: Added _OSI(Module Device) [ 0.353182] ACPI: Added _OSI(Processor Device) [ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) [ 0.356028] ACPI: Unable to start the ACPI Interpreter [ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects [ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #10 [ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.361873] Call Trace: [ 0.362243] ? dump_stack+0x5c/0x81 [ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 [ 0.363296] ? acpi_os_delete_cache+0xa/0x10 [ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.364000] ? acpi_terminate+0xa/0x14 [ 0.364000] ? acpi_init+0x2af/0x34f [ 0.364000] ? __class_create+0x4c/0x80 [ 0.364000] ? video_setup+0x7f/0x7f [ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.364000] ? do_one_initcall+0x4e/0x1a0 [ 0.364000] ? kernel_init_freeable+0x189/0x20a [ 0.364000] ? rest_init+0xc0/0xc0 [ 0.364000] ? kernel_init+0xa/0x100 [ 0.364000] ? ret_from_fork+0x25/0x30 I analyzed this memory leak in detail. I found that “Acpi-State” cache and “Acpi-Parse” cache were merged because the size of cache objects was same slab cache size. I finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked using SLAB_NEVER_MERGE flag in kmem_cache_create() function. Real ACPI cache leak point is as follows: [ 0.360101] ACPI: Added _OSI(Module Device) [ 0.360101] ACPI: Added _OSI(Processor Device) [ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) [ 0.364016] ACPI: Unable to start the ACPI Interpreter [ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects [ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.372000] Call Trace: [ 0.372000] ? dump_stack+0x5c/0x81 [ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? acpi_os_delete_cache+0xa/0x10 [ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b [ 0.372000] ? acpi_terminate+0xa/0x14 [ 0.372000] ? acpi_init+0x2af/0x34f [ 0.372000] ? __class_create+0x4c/0x80 [ 0.372000] ? video_setup+0x7f/0x7f [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? do_one_initcall+0x4e/0x1a0 [ 0.372000] ? kernel_init_freeable+0x189/0x20a [ 0.372000] ? rest_init+0xc0/0xc0 [ 0.372000] ? kernel_init+0xa/0x100 [ 0.372000] ? ret_from_fork+0x25/0x30 [ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects [ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.392000] Call Trace: [ 0.392000] ? dump_stack+0x5c/0x81 [ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.392000] ? acpi_os_delete_cache+0xa/0x10 [ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.392000] ? acpi_terminate+0xa/0x14 [ 0.392000] ? acpi_init+0x2af/0x3 ---truncated--- CVE-2025-38344 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function and continues to boot process. While kernel terminates ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. Boot log of ACPI operand cache leak is as follows: >[ 0.585957] ACPI: Added _OSI(Module Device) >[ 0.587218] ACPI: Added _OSI(Processor Device) >[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) >[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) >[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) >[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) >[ 0.597858] ACPI: Unable to start the ACPI Interpreter >[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) >[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects >[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 >[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 >[ 0.609177] Call Trace: >[ 0.610063] ? dump_stack+0x5c/0x81 >[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 >[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 >[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b >[ 0.619293] ? acpi_terminate+0xa/0x14 >[ 0.620394] ? acpi_init+0x2af/0x34f >[ 0.621616] ? __class_create+0x4c/0x80 >[ 0.623412] ? video_setup+0x7f/0x7f >[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.625861] ? do_one_initcall+0x4e/0x1a0 >[ 0.627513] ? kernel_init_freeable+0x19e/0x21f >[ 0.628972] ? rest_init+0x80/0x80 >[ 0.630043] ? kernel_init+0xa/0x100 >[ 0.631084] ? ret_from_fork+0x25/0x30 >[ 0.633343] vgaarb: loaded >[ 0.635036] EDAC MC: Ver: 3.0.0 >[ 0.638601] PCI: Probing PCI hardware >[ 0.639833] PCI host bridge to bus 0000:00 >[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] > ... Continue to boot and log is omitted ... I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() function uses walk_state->operand_index for start position of the top, but acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. Therefore, this causes acpi operand memory leak. This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR. I made a patch to fix ACPI operand cache leak. CVE-2025-38345 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common *priv, | struct sk_buff *skb) |{ | struct p54_hdr *hdr = (struct p54_hdr *) skb->data; | struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data; | | if (priv->fw_var >= 0x509) { | memcpy(priv->eeprom, eeprom->v2.data, | le16_to_cpu(eeprom->v2.len)); | } else { | memcpy(priv->eeprom, eeprom->v1.data, | le16_to_cpu(eeprom->v1.len)); | } | [...] The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun. This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them. The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. the vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default. CVE-2025-38348 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep refcount and then doing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead to a use-after-free. That pattern is actually fine for the very last reference, because the code in question will delay the actual call to "ep_free(ep)" until after it has unlocked the mutex. But it's wrong for the much subtler "next to last" case when somebody *else* may also be dropping their reference and free the ep while we're still using the mutex. Note that this is true even if that other user is also using the same ep mutex: mutexes, unlike spinlocks, can not be used for object ownership, even if they guarantee mutual exclusion. A mutex "unlock" operation is not atomic, and as one user is still accessing the mutex as part of unlocking it, another user can come in and get the now released mutex and free the data structure while the first user is still cleaning up. See our mutex documentation in Documentation/locking/mutex-design.rst, in particular the section [1] about semantics: "mutex_unlock() may access the mutex structure even after it has internally released the lock already - so it's not safe for another context to acquire the mutex and assume that the mutex_unlock() context is not using the structure anymore" So if we drop our ep ref before the mutex unlock, but we weren't the last one, we may then unlock the mutex, another user comes in, drops _their_ reference and releases the 'ep' as it now has no users - all while the mutex_unlock() is still accessing it. Fix this by simply moving the ep refcount dropping to outside the mutex: the refcount itself is atomic, and doesn't need mutex protection (that's the whole _point_ of refcounts: unlike mutexes, they are inherently about object lifetimes). CVE-2025-38349 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent. CVE-2025-38350 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption, and manual testing on Azure confirms "real" Hyper-V interprets the specification in the same way. Skip non-canonical GVAs when processing the list of address to avoid tripping the INVVPID failure. Alternatively, KVM could filter out "bad" GVAs before inserting into the FIFO, but practically speaking the only downside of pushing validation to the final processing is that doing so is suboptimal for the guest, and no well-behaved guest will request TLB flushes for non-canonical addresses. CVE-2025-38351 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. CVE-2025-38352 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: drm/msm/gpu: Fix crash when throttling GPU immediately during boot There is a small chance that the GPU is already hot during boot. In that case, the call to of_devfreq_cooling_register() will immediately try to apply devfreq cooling, as seen in the following crash: Unable to handle kernel paging request at virtual address 0000000000014110 pc : a6xx_gpu_busy+0x1c/0x58 [msm] lr : msm_devfreq_get_dev_status+0xbc/0x140 [msm] Call trace: a6xx_gpu_busy+0x1c/0x58 [msm] (P) devfreq_simple_ondemand_func+0x3c/0x150 devfreq_update_target+0x44/0xd8 qos_max_notifier_call+0x30/0x84 blocking_notifier_call_chain+0x6c/0xa0 pm_qos_update_target+0xd0/0x110 freq_qos_apply+0x3c/0x74 apply_constraint+0x88/0x148 __dev_pm_qos_update_request+0x7c/0xcc dev_pm_qos_update_request+0x38/0x5c devfreq_cooling_set_cur_state+0x98/0xf0 __thermal_cdev_update+0x64/0xb4 thermal_cdev_update+0x4c/0x58 step_wise_manage+0x1f0/0x318 __thermal_zone_device_update+0x278/0x424 __thermal_cooling_device_register+0x2bc/0x308 thermal_of_cooling_device_register+0x10/0x1c of_devfreq_cooling_register_power+0x240/0x2bc of_devfreq_cooling_register+0x14/0x20 msm_devfreq_init+0xc4/0x1a0 [msm] msm_gpu_init+0x304/0x574 [msm] adreno_gpu_init+0x1c4/0x2e0 [msm] a6xx_gpu_init+0x5c8/0x9c8 [msm] adreno_bind+0x2a8/0x33c [msm] ... At this point we haven't initialized the GMU at all yet, so we cannot read the GMU registers inside a6xx_gpu_busy(). A similar issue was fixed before in commit 6694482a70e9 ("drm/msm: Avoid unclocked GMU register access in 6xx gpu_busy"): msm_devfreq_init() does call devfreq_suspend_device(), but unlike msm_devfreq_suspend(), it doesn't set the df->suspended flag accordingly. This means the df->suspended flag does not match the actual devfreq state after initialization and msm_devfreq_get_dev_status() will end up accessing GMU registers, causing the crash. Fix this by setting df->suspended correctly during initialization. Patchwork: https://patchwork.freedesktop.org/patch/650772/ CVE-2025-38354 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees [WHY] For non-zero DSC instances it's possible that the HUBP domain required to drive it for sequential ONO ASICs isn't met, potentially causing the logic to the tile to enter an undefined state leading to a system hang. [HOW] Add more checks to ensure that the HUBP domain matching the DSC instance is appropriately powered. (cherry picked from commit da63df07112e5a9857a8d2aaa04255c4206754ec) CVE-2025-38360 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check for get_first_active_display() The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference in mod_hdcp_hdcp2_enable_encryption(). Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null. CVE-2025-38362 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null pointer dereference In tegra_crtc_reset(), new memory is allocated with kzalloc(), but no check is performed. Before calling __drm_atomic_helper_crtc_reset, state should be checked to prevent possible null pointer dereference. CVE-2025-38363 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Temporarily clear the preallocation flag when explicitly requesting allocations. Pre-existing allocations are already counted against the request through mas_node_count_gfp(), but the allocations will not happen if the MA_STATE_PREALLOC flag is set. This flag is meant to avoid re-allocating in bulk allocation mode, and to detect issues with preallocation calculations. The MA_STATE_PREALLOC flag should also always be set on zero allocations so that detection of underflow allocations will print a WARN_ON() during consumption. User visible effect of this flaw is a WARN_ON() followed by a null pointer dereference when subsequent requests for larger number of nodes is ignored, such as the vma merge retry in mmap_region() caused by drivers altering the vma flags (which happens in v6.6, at least) CVE-2025-38364 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a race between renames and directory logging We have a race between a rename and directory inode logging that if it happens and we crash/power fail before the rename completes, the next time the filesystem is mounted, the log replay code will end up deleting the file that was being renamed. This is best explained following a step by step analysis of an interleaving of steps that lead into this situation. Consider the initial conditions: 1) We are at transaction N; 2) We have directories A and B created in a past transaction (< N); 3) We have inode X corresponding to a file that has 2 hardlinks, one in directory A and the other in directory B, so we'll name them as "A/foo_link1" and "B/foo_link2". Both hard links were persisted in a past transaction (< N); 4) We have inode Y corresponding to a file that as a single hard link and is located in directory A, we'll name it as "A/bar". This file was also persisted in a past transaction (< N). The steps leading to a file loss are the following and for all of them we are under transaction N: 1) Link "A/foo_link1" is removed, so inode's X last_unlink_trans field is updated to N, through btrfs_unlink() -> btrfs_record_unlink_dir(); 2) Task A starts a rename for inode Y, with the goal of renaming from "A/bar" to "A/baz", so we enter btrfs_rename(); 3) Task A inserts the new BTRFS_INODE_REF_KEY for inode Y by calling btrfs_insert_inode_ref(); 4) Because the rename happens in the same directory, we don't set the last_unlink_trans field of directoty A's inode to the current transaction id, that is, we don't cal btrfs_record_unlink_dir(); 5) Task A then removes the entries from directory A (BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY items) when calling __btrfs_unlink_inode() (actually the dir index item is added as a delayed item, but the effect is the same); 6) Now before task A adds the new entry "A/baz" to directory A by calling btrfs_add_link(), another task, task B is logging inode X; 7) Task B starts a fsync of inode X and after logging inode X, at btrfs_log_inode_parent() it calls btrfs_log_all_parents(), since inode X has a last_unlink_trans value of N, set at in step 1; 8) At btrfs_log_all_parents() we search for all parent directories of inode X using the commit root, so we find directories A and B and log them. Bu when logging direct A, we don't have a dir index item for inode Y anymore, neither the old name "A/bar" nor for the new name "A/baz" since the rename has deleted the old name but has not yet inserted the new name - task A hasn't called yet btrfs_add_link() to do that. Note that logging directory A doesn't fallback to a transaction commit because its last_unlink_trans has a lower value than the current transaction's id (see step 4); 9) Task B finishes logging directories A and B and gets back to btrfs_sync_file() where it calls btrfs_sync_log() to persist the log tree; 10) Task B successfully persisted the log tree, btrfs_sync_log() completed with success, and a power failure happened. We have a log tree without any directory entry for inode Y, so the log replay code deletes the entry for inode Y, name "A/bar", from the subvolume tree since it doesn't exist in the log tree and the log tree is authorative for its index (we logged a BTRFS_DIR_LOG_INDEX_KEY item that covers the index range for the dentry that corresponds to "A/bar"). Since there's no other hard link for inode Y and the log replay code deletes the name "A/bar", the file is lost. The issue wouldn't happen if task B synced the log only after task A called btrfs_log_new_name(), which would update the log with the new name for inode Y ("A/bar"). Fix this by pinning the log root during renames before removing the old directory entry, and unpinning af ---truncated--- CVE-2025-38365 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Running IDXD workloads in a container with the /dev directory mounted can trigger a call trace or even a kernel panic when the parent process of the container is terminated. This issue occurs because, under certain configurations, Docker does not properly propagate the mount replica back to the original mount point. In this case, when the user driver detaches, the WQ is destroyed but it still calls destroy_workqueue() attempting to completes all pending work. It's necessary to check wq->wq and skip the drain if it no longer exists. CVE-2025-38369 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts before resetting the GPU Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the G ---truncated--- CVE-2025-38371 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix potential deadlock in MR deregistration The issue arises when kzalloc() is invoked while holding umem_mutex or any other lock acquired under umem_mutex. This is problematic because kzalloc() can trigger fs_reclaim_aqcuire(), which may, in turn, invoke mmu_notifier_invalidate_range_start(). This function can lead to mlx5_ib_invalidate_range(), which attempts to acquire umem_mutex again, resulting in a deadlock. The problematic flow: CPU0 | CPU1 ---------------------------------------|------------------------------------------------ mlx5_ib_dereg_mr() | -> revoke_mr() | -> mutex_lock(&umem_odp->umem_mutex) | | mlx5_mkey_cache_init() | -> mutex_lock(&dev->cache.rb_lock) | -> mlx5r_cache_create_ent_locked() | -> kzalloc(GFP_KERNEL) | -> fs_reclaim() | -> mmu_notifier_invalidate_range_start() | -> mlx5_ib_invalidate_range() | -> mutex_lock(&umem_odp->umem_mutex) -> cache_ent_find_and_store() | -> mutex_lock(&dev->cache.rb_lock) | Additionally, when kzalloc() is called from within cache_ent_find_and_store(), we encounter the same deadlock due to re-acquisition of umem_mutex. Solve by releasing umem_mutex in dereg_mr() after umr_revoke_mr() and before acquiring rb_lock. This ensures that we don't hold umem_mutex while performing memory allocations that could trigger the reclaim path. This change prevents the deadlock by ensuring proper lock ordering and avoiding holding locks during memory allocation operations that could trigger the reclaim path. The following lockdep warning demonstrates the deadlock: python3/20557 is trying to acquire lock: ffff888387542128 (&umem_odp->umem_mutex){+.+.}-{4:4}, at: mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib] but task is already holding lock: ffffffff82f6b840 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at: unmap_vmas+0x7b/0x1a0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x60/0xd0 mem_cgroup_css_alloc+0x6f/0x9b0 cgroup_init_subsys+0xa4/0x240 cgroup_init+0x1c8/0x510 start_kernel+0x747/0x760 x86_64_start_reservations+0x25/0x30 x86_64_start_kernel+0x73/0x80 common_startup_64+0x129/0x138 -> #2 (fs_reclaim){+.+.}-{0:0}: fs_reclaim_acquire+0x91/0xd0 __kmalloc_cache_noprof+0x4d/0x4c0 mlx5r_cache_create_ent_locked+0x75/0x620 [mlx5_ib] mlx5_mkey_cache_init+0x186/0x360 [mlx5_ib] mlx5_ib_stage_post_ib_reg_umr_init+0x3c/0x60 [mlx5_ib] __mlx5_ib_add+0x4b/0x190 [mlx5_ib] mlx5r_probe+0xd9/0x320 [mlx5_ib] auxiliary_bus_probe+0x42/0x70 really_probe+0xdb/0x360 __driver_probe_device+0x8f/0x130 driver_probe_device+0x1f/0xb0 __driver_attach+0xd4/0x1f0 bus_for_each_dev+0x79/0xd0 bus_add_driver+0xf0/0x200 driver_register+0x6e/0xc0 __auxiliary_driver_register+0x6a/0xc0 do_one_initcall+0x5e/0x390 do_init_module+0x88/0x240 init_module_from_file+0x85/0xc0 idempotent_init_module+0x104/0x300 __x64_sys_finit_module+0x68/0xc0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 -> #1 (&dev->cache.rb_lock){+.+.}-{4:4}: __mutex_lock+0x98/0xf10 __mlx5_ib_dereg_mr+0x6f2/0x890 [mlx5_ib] mlx5_ib_dereg_mr+0x21/0x110 [mlx5_ib] ib_dereg_mr_user+0x85/0x1f0 [ib_core] ---truncated--- CVE-2025-38373 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. CVE-2025-38375 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume Shawn and John reported a hang issue during system suspend as below: - USB gadget is enabled as Ethernet - There is data transfer over USB Ethernet (scp a big file between host and device) - Device is going in/out suspend (echo mem > /sys/power/state) The root cause is the USB device controller is suspended but the USB bus is still active which caused the USB host continues to transfer data with device and the device continues to queue USB requests (in this case, a delayed TCP ACK packet trigger the issue) after controller is suspended, however the USB controller clock is already gated off. Then if udc driver access registers after that point, the system will hang. The correct way to avoid such issue is to disconnect device from host when the USB bus is not at suspend state. Then the host will receive disconnect event and stop data transfer in time. To continue make USB gadget device work after system resume, this will reconnect device automatically. To make usb wakeup work if USB bus is already at suspend state, this will keep connection for it only when USB device controller has enabled wakeup capability. CVE-2025-38376 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be skipped. For example, if a node has three neighbours (A, A, B) with count=3 and A is being removed, the second A is not checked. i=0: (A, A, B) -> (A, B) with count=2 ^ checked i=1: (A, B) -> (A, B) with count=2 ^ checked (B, not A!) i=2: (doesn't occur because i < count is false) This leaves the second A in the array with count=2, but the rose_neigh structure has been freed. Code that accesses these entries assumes that the first `count` entries are valid pointers, causing a use-after-free when it accesses the dangling pointer. Fix both issues by iterating over the array in reverse order with a fixed loop bound. This ensures that all entries are examined and that the removal of an entry doesn't affect subsequent iterations. CVE-2025-38377 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-38380 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: btrfs: fix iteration of extrefs during log replay At __inode_add_ref() when processing extrefs, if we jump into the next label we have an undefined value of victim_name.len, since we haven't initialized it before we did the goto. This results in an invalid memory access in the next iteration of the loop since victim_name.len was not initialized to the length of the name of the current extref. Fix this by initializing victim_name.len with the current extref's name length. CVE-2025-38382 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: spinand: fix memory leak of ECC engine conf Memory allocated for the ECC engine conf is not released during spinand cleanup. Below kmemleak trace is seen for this memory leak: unreferenced object 0xffffff80064f00e0 (size 8): comm "swapper/0", pid 1, jiffies 4294937458 hex dump (first 8 bytes): 00 00 00 00 00 00 00 00 ........ backtrace (crc 0): kmemleak_alloc+0x30/0x40 __kmalloc_cache_noprof+0x208/0x3c0 spinand_ondie_ecc_init_ctx+0x114/0x200 nand_ecc_init_ctx+0x70/0xa8 nanddev_ecc_engine_init+0xec/0x27c spinand_probe+0xa2c/0x1620 spi_mem_probe+0x130/0x21c spi_probe+0xf0/0x170 really_probe+0x17c/0x6e8 __driver_probe_device+0x17c/0x21c driver_probe_device+0x58/0x180 __device_attach_driver+0x15c/0x1f8 bus_for_each_drv+0xec/0x150 __device_attach+0x188/0x24c device_initial_probe+0x10/0x20 bus_probe_device+0x11c/0x160 Fix the leak by calling nanddev_ecc_engine_cleanup() inside spinand_cleanup(). CVE-2025-38384 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Remove redundant netif_napi_del() call from disconnect path. A WARN may be triggered in __netif_napi_del_locked() during USB device disconnect: WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350 This happens because netif_napi_del() is called in the disconnect path while NAPI is still enabled. However, it is not necessary to call netif_napi_del() explicitly, since unregister_netdev() will handle NAPI teardown automatically and safely. Removing the redundant call avoids triggering the warning. Full trace: lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV lan78xx 1-1:1.0 enu1: Link is Down lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350 Modules linked in: flexcan can_dev fuse CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT Hardware name: SKOV IMX8MP CPU revC - bd500 (DT) Workqueue: usb_hub_wq hub_event pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __netif_napi_del_locked+0x2b4/0x350 lr : __netif_napi_del_locked+0x7c/0x350 sp : ffffffc085b673c0 x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8 x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000 x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000 x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028 x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8 x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000 x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001 x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000 Call trace: __netif_napi_del_locked+0x2b4/0x350 (P) lan78xx_disconnect+0xf4/0x360 usb_unbind_interface+0x158/0x718 device_remove+0x100/0x150 device_release_driver_internal+0x308/0x478 device_release_driver+0x1c/0x30 bus_remove_device+0x1a8/0x368 device_del+0x2e0/0x7b0 usb_disable_device+0x244/0x540 usb_disconnect+0x220/0x758 hub_event+0x105c/0x35e0 process_one_work+0x760/0x17b0 worker_thread+0x768/0xce8 kthread+0x3bc/0x690 ret_from_fork+0x10/0x20 irq event stamp: 211604 hardirqs last enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98 hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80 softirqs last enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8 softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20 ---[ end trace 0000000000000000 ]--- lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0 CVE-2025-38385 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear AML issue that arguably cannot be fixed up by the interpreter (it cannot produce missing data out of thin air), address it by making ACPICA refuse to evaluate a method if the caller attempts to pass fewer arguments than expected to it. CVE-2025-38386 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert The obj_event may be loaded immediately after inserted, then if the list_head is not initialized then we may get a poisonous pointer. This fixes the crash below: mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced) mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056 mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0 mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000 [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] SMP Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E) [last unloaded: mst_pci] CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1 Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023 pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--) pc : dispatch_event_fd+0x68/0x300 [mlx5_ib] lr : devx_event_notifier+0xcc/0x228 [mlx5_ib] sp : ffff80001005bcf0 x29: ffff80001005bcf0 x28: 0000000000000001 x27: ffff244e0740a1d8 x26: ffff244e0740a1d0 x25: ffffda56beff5ae0 x24: ffffda56bf911618 x23: ffff244e0596a480 x22: ffff244e0596a480 x21: ffff244d8312ad90 x20: ffff244e0596a480 x19: fffffffffffffff0 x18: 0000000000000000 x17: 0000000000000000 x16: ffffda56be66d620 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000040 x10: ffffda56bfcafb50 x9 : ffffda5655c25f2c x8 : 0000000000000010 x7 : 0000000000000000 x6 : ffff24545a2e24b8 x5 : 0000000000000003 x4 : ffff80001005bd28 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff244e0596a480 x0 : ffff244d8312ad90 Call trace: dispatch_event_fd+0x68/0x300 [mlx5_ib] devx_event_notifier+0xcc/0x228 [mlx5_ib] atomic_notifier_call_chain+0x58/0x80 mlx5_eq_async_int+0x148/0x2b0 [mlx5_core] atomic_notifier_call_chain+0x58/0x80 irq_int_handler+0x20/0x30 [mlx5_core] __handle_irq_event_percpu+0x60/0x220 handle_irq_event_percpu+0x3c/0x90 handle_irq_event+0x58/0x158 handle_fasteoi_irq+0xfc/0x188 generic_handle_irq+0x34/0x48 ... CVE-2025-38387 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: <4> [239.330153] ------------[ cut here ]------------ <4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count) <4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915] ... <4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915] ... <4> [239.330942] Call Trace: <4> [239.330944] <TASK> <4> [239.330949] i915_driver_late_release+0x2b/0xa0 [i915] <4> [239.331202] i915_driver_release+0x86/0xa0 [i915] <4> [239.331482] devm_drm_dev_init_release+0x61/0x90 <4> [239.331494] devm_action_release+0x15/0x30 <4> [239.331504] release_nodes+0x3d/0x120 <4> [239.331517] devres_release_all+0x96/0xd0 <4> [239.331533] device_unbind_cleanup+0x12/0x80 <4> [239.331543] device_release_driver_internal+0x23a/0x280 <4> [239.331550] ? bus_find_device+0xa5/0xe0 <4> [239.331563] device_driver_detach+0x14/0x20 ... <4> [357.719679] ---[ end trace 0000000000000000 ]--- If the test also unloads the i915 module then that's followed with: <3> [357.787478] ============================================================================= <3> [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown() <3> [357.788031] ----------------------------------------------------------------------------- <3> [357.788204] Object 0xffff888109e7f480 @offset=29824 <3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244 <4> [357.788994] i915_vma_instance+0xee/0xc10 [i915] <4> [357.789290] init_status_page+0x7b/0x420 [i915] <4> [357.789532] intel_engines_init+0x1d8/0x980 [i915] <4> [357.789772] intel_gt_init+0x175/0x450 [i915] <4> [357.790014] i915_gem_init+0x113/0x340 [i915] <4> [357.790281] i915_driver_probe+0x847/0xed0 [i915] <4> [357.790504] i915_pci_probe+0xe6/0x220 [i915] ... Closer analysis of CI results history has revealed a dependency of the error on a few IGT tests, namely: - igt@api_intel_allocator@fork-simple-stress-signal, - igt@api_intel_allocator@two-level-inception-interruptible, - igt@gem_linear_blits@interruptible, - igt@prime_mmap_coherency@ioctl-errors, which invisibly trigger the issue, then exhibited with first driver unbind attempt. All of the above tests perform actions which are actively interrupted with signals. Further debugging has allowed to narrow that scope down to DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring submission, in particular. If successful then that function, or its execlists or GuC submission equivalent, is supposed to be called only once per GEM context engine, followed by raise of a flag that prevents the function from being called again. The function is expected to unwind its internal errors itself, so it may be safely called once more after it returns an error. In case of ring submission, the function first gets a reference to the engine's legacy timeline and then allocates a VMA. If the VMA allocation fails, e.g. when i915_vma_instance() called from inside is interrupted with a signal, then ring_context_alloc() fails, leaving the timeline held referenced. On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the timeline is got, and only that last one is put on successful completion. As a consequence, the legacy timeline, with its underlying engine status page's VMA object, is still held and not released on driver unbind. Get the legacy timeline only after successful allocation of the context engine's VMA. v2: Add a note on other submission methods (Krzysztof Karas): Both execlists and GuC submission use lrc_alloc() which seems free from a similar issue. (cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f) CVE-2025-38389 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: do not index invalid pin_assignments A poorly implemented DisplayPort Alt Mode port partner can indicate that its pin assignment capabilities are greater than the maximum value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show will cause a BRK exception due to an out of bounds array access. Prevent for loop in pin_assignment_show from accessing invalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX value in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop condition. CVE-2025-38391 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: convert control queue mutex to a spinlock With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated on module load: [ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 [ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager [ 324.701689] preempt_count: 201, expected: 0 [ 324.701693] RCU nest depth: 0, expected: 0 [ 324.701697] 2 locks held by NetworkManager/1582: [ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0 [ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870 [ 324.701749] Preemption disabled at: [ 324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870 [ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary) [ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022 [ 324.701774] Call Trace: [ 324.701777] <TASK> [ 324.701779] dump_stack_lvl+0x5d/0x80 [ 324.701788] ? __dev_open+0x3dd/0x870 [ 324.701793] __might_resched.cold+0x1ef/0x23d <..> [ 324.701818] __mutex_lock+0x113/0x1b80 <..> [ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf] [ 324.701935] ? kasan_save_track+0x14/0x30 [ 324.701941] idpf_mb_clean+0x143/0x380 [idpf] <..> [ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf] [ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf] [ 324.702021] ? rcu_is_watching+0x12/0xc0 [ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf] <..> [ 324.702122] __hw_addr_sync_dev+0x1cf/0x300 [ 324.702126] ? find_held_lock+0x32/0x90 [ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf] [ 324.702152] __dev_open+0x3f8/0x870 [ 324.702159] ? __pfx___dev_open+0x10/0x10 [ 324.702174] __dev_change_flags+0x443/0x650 <..> [ 324.702208] netif_change_flags+0x80/0x160 [ 324.702218] do_setlink.isra.0+0x16a0/0x3960 <..> [ 324.702349] rtnl_newlink+0x12fd/0x21e0 The sequence is as follows: rtnl_newlink()-> __dev_change_flags()-> __dev_open()-> dev_set_rx_mode() - > # disables BH and grabs "dev->addr_list_lock" idpf_set_rx_mode() -> # proceed only if VIRTCHNL2_CAP_MACFILTER is ON __dev_uc_sync() -> idpf_add_mac_filter -> idpf_add_del_mac_filters -> idpf_send_mb_msg() -> idpf_mb_clean() -> idpf_ctlq_clean_sq() # mutex_lock(cq_lock) Fix by converting cq_lock to a spinlock. All operations under the new lock are safe except freeing the DMA memory, which may use vunmap(). Fix by requesting a contiguous physical memory for the DMA mapping. CVE-2025-38392 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN We found a few different systems hung up in writeback waiting on the same page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count was zero. It seems most likely that this is another race between the waiter and waker similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task"). Fix it up by applying the advised barrier. CVE-2025-38393 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the code to allocate enough memory to hold 'config::ngpios' of GPIO descriptors. While at it, also move the check for memory allocation failure to be below the allocation to make it more readable. CVE-2025-38395 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon() for creating security context manually. This change also fixes a security regression in secretmem where the S_PRIVATE flag was not cleared after alloc_anon_inode(), causing LSM/SELinux checks to be bypassed for secretmem file descriptors. As guest_memfd currently resides in the KVM module, we need to export this symbol for use outside the core kernel. In the future, guest_memfd might be moved to core-mm, at which point the symbols no longer would have to be exported. When/if that happens is still unclear. CVE-2025-38396 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() The function core_scsi3_decode_spec_i_port(), in its error code path, unconditionally calls core_scsi3_lunacl_undepend_item() passing the dest_se_deve pointer, which may be NULL. This can lead to a NULL pointer dereference if dest_se_deve remains unset. SPC-3 PR SPEC_I_PT: Unable to locate dest_tpg Unable to handle kernel paging request at virtual address dfff800000000012 Call trace: core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P) core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod] core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod] target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod] Fix this by adding a NULL check before calling core_scsi3_lunacl_undepend_item() CVE-2025-38399 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. syzbot reported a warning below [1] following a fault injection in nfs_fs_proc_net_init(). [0] When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning is logged as the directory is not empty. Let's handle the error of nfs_fs_proc_net_init() properly. [0]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174) should_failslab (mm/failslab.c:46) kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204) __proc_create (fs/proc/generic.c:427) proc_create_reg (fs/proc/generic.c:554) proc_create_net_data (fs/proc/proc_net.c:120) nfs_fs_proc_net_init (fs/nfs/client.c:1409) nfs_net_init (fs/nfs/inode.c:2600) ops_init (net/core/net_namespace.c:138) setup_net (net/core/net_namespace.c:443) copy_net_ns (net/core/net_namespace.c:576) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4)) ksys_unshare (kernel/fork.c:3123) __x64_sys_unshare (kernel/fork.c:3190) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> [1]: remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs' WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 Modules linked in: CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00 RSP: 0018:ffffc90003637b08 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8 RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001 RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00 R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000 FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76 ops_exit_list net/core/net_namespace.c:200 [inline] ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253 setup_net+0x2e1/0x510 net/core/net_namespace.c:457 copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574 create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218 ksys_unshare+0x45b/0xa40 kernel/fork.c:3121 __do_sys_unshare kernel/fork.c:3192 [inline] __se_sys_unshare kernel/fork.c:3190 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa1a6b8e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c ---truncated--- CVE-2025-38400 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the request operation soon after the msdc_prepare_data() fails to prepare it. CVE-2025-38401 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: idpf: return 0 size for RSS key if not supported Returning -EOPNOTSUPP from function returning u32 is leading to cast and invalid size value as a result. -EOPNOTSUPP as a size probably will lead to allocation fail. Command: ethtool -x eth0 It is visible on all devices that don't have RSS caps set. [ 136.615917] Call Trace: [ 136.615921] <TASK> [ 136.615927] ? __warn+0x89/0x130 [ 136.615942] ? __alloc_frozen_pages_noprof+0x322/0x330 [ 136.615953] ? report_bug+0x164/0x190 [ 136.615968] ? handle_bug+0x58/0x90 [ 136.615979] ? exc_invalid_op+0x17/0x70 [ 136.615987] ? asm_exc_invalid_op+0x1a/0x20 [ 136.616001] ? rss_prepare_get.constprop.0+0xb9/0x170 [ 136.616016] ? __alloc_frozen_pages_noprof+0x322/0x330 [ 136.616028] __alloc_pages_noprof+0xe/0x20 [ 136.616038] ___kmalloc_large_node+0x80/0x110 [ 136.616072] __kmalloc_large_node_noprof+0x1d/0xa0 [ 136.616081] __kmalloc_noprof+0x32c/0x4c0 [ 136.616098] ? rss_prepare_get.constprop.0+0xb9/0x170 [ 136.616105] rss_prepare_get.constprop.0+0xb9/0x170 [ 136.616114] ethnl_default_doit+0x107/0x3d0 [ 136.616131] genl_family_rcv_msg_doit+0x100/0x160 [ 136.616147] genl_rcv_msg+0x1b8/0x2c0 [ 136.616156] ? __pfx_ethnl_default_doit+0x10/0x10 [ 136.616168] ? __pfx_genl_rcv_msg+0x10/0x10 [ 136.616176] netlink_rcv_skb+0x58/0x110 [ 136.616186] genl_rcv+0x28/0x40 [ 136.616195] netlink_unicast+0x19b/0x290 [ 136.616206] netlink_sendmsg+0x222/0x490 [ 136.616215] __sys_sendto+0x1fd/0x210 [ 136.616233] __x64_sys_sendto+0x24/0x30 [ 136.616242] do_syscall_64+0x82/0x160 [ 136.616252] ? __sys_recvmsg+0x83/0xe0 [ 136.616265] ? syscall_exit_to_user_mode+0x10/0x210 [ 136.616275] ? do_syscall_64+0x8e/0x160 [ 136.616282] ? __count_memcg_events+0xa1/0x130 [ 136.616295] ? count_memcg_events.constprop.0+0x1a/0x30 [ 136.616306] ? handle_mm_fault+0xae/0x2d0 [ 136.616319] ? do_user_addr_fault+0x379/0x670 [ 136.616328] ? clear_bhb_loop+0x45/0xa0 [ 136.616340] ? clear_bhb_loop+0x45/0xa0 [ 136.616349] ? clear_bhb_loop+0x45/0xa0 [ 136.616359] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 136.616369] RIP: 0033:0x7fd30ba7b047 [ 136.616376] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d bd d5 0c 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 71 c3 55 48 83 ec 30 44 89 4c 24 2c 4c 89 44 [ 136.616381] RSP: 002b:00007ffde1796d68 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 136.616388] RAX: ffffffffffffffda RBX: 000055d7bd89f2a0 RCX: 00007fd30ba7b047 [ 136.616392] RDX: 0000000000000028 RSI: 000055d7bd89f3b0 RDI: 0000000000000003 [ 136.616396] RBP: 00007ffde1796e10 R08: 00007fd30bb4e200 R09: 000000000000000c [ 136.616399] R10: 0000000000000000 R11: 0000000000000202 R12: 000055d7bd89f340 [ 136.616403] R13: 000055d7bd89f3b0 R14: 000055d78943f200 R15: 0000000000000000 CVE-2025-38402 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci transport packet properly when initializing it In vmci_transport_packet_init memset the vmci_transport_packet before populating the fields to avoid any uninitialised data being left in the structure. CVE-2025-38403 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: typec: displayport: Fix potential deadlock The deadlock can occur due to a recursive lock acquisition of `cros_typec_altmode_data::mutex`. The call chain is as follows: 1. cros_typec_altmode_work() acquires the mutex 2. typec_altmode_vdm() -> dp_altmode_vdm() -> 3. typec_altmode_exit() -> cros_typec_altmode_exit() 4. cros_typec_altmode_exit() attempts to acquire the mutex again To prevent this, defer the `typec_altmode_exit()` call by scheduling it rather than calling it directly from within the mutex-protected context. CVE-2025-38404 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath6kl: remove WARN on bad firmware input If the firmware gives bad input, that's nothing to do with the driver's stack at this point etc., so the WARN_ON() doesn't add any value. Additionally, this is one of the top syzbot reports now. Just print a message, and as an added bonus, print the sizes too. CVE-2025-38406 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: genirq/irq_sim: Initialize work context pointers properly Initialize `ops` member's pointers properly by using kzalloc() instead of kmalloc() when allocating the simulation work context. Otherwise the pointers contain random content leading to invalid dereferencing. CVE-2025-38408 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix another leak in the submit error path put_unused_fd() doesn't free the installed file, if we've already done fd_install(). So we need to also free the sync_file. Patchwork: https://patchwork.freedesktop.org/patch/653583/ CVE-2025-38409 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix a fence leak in submit error path In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case. Patchwork: https://patchwork.freedesktop.org/patch/653584/ CVE-2025-38410 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks After retrieving WMI data blocks in sysfs callbacks, check for the validity of them before dereferencing their content. CVE-2025-38412 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms. Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue. Note IPQ5332 is not affected as it is not PCIe based device. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 CVE-2025-38414 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result of sb_min_blocksize Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs. When this happens the following code in squashfs_fill_super() fails. ---- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); msblk->devblksize_log2 = ffz(~msblk->devblksize); ---- sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0. As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64. This subsequently causes the UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') This commit adds a check for a 0 return by sb_min_blocksize(). CVE-2025-38415 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_data only in success path Setting tty->disc_data before opening the NCI device means we need to clean it up on error paths. This also opens some short window if device starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded (broken hardware?). Close the window by exposing tty->disc_data only on the success path, when opening of the NCI device and try_module_get() succeeds. The code differs in error path in one aspect: tty->disc_data won't be ever assigned thus NULL-ified. This however should not be relevant difference, because of "tty->disc_data=NULL" in nci_uart_tty_open(). CVE-2025-38416 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc->clean_table after rproc_attach() fails When rproc->state = RPROC_DETACHED is attached to remote processor through rproc_attach(), if rproc_handle_resources() returns failure, then the clean table should be released, otherwise the following memory leak will occur. unreferenced object 0xffff000086a99800 (size 1024): comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s) hex dump (first 32 bytes): 00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............ 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............ backtrace: [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230 [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260 [<0000000037818dae>] kmemdup+0x34/0x60 [<00000000610f7f57>] rproc_boot+0x35c/0x56c [<0000000065f8871a>] rproc_add+0x124/0x17c [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4 [<000000003bcaa37d>] platform_probe+0x68/0xd8 [<00000000771577f9>] really_probe+0x110/0x27c [<00000000531fea59>] __driver_probe_device+0x78/0x12c [<0000000080036a04>] driver_probe_device+0x3c/0x118 [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8 [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4 [<000000001a53b53e>] __device_attach+0xfc/0x18c [<00000000d1a2a32c>] device_initial_probe+0x14/0x20 [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4 unreferenced object 0xffff0000864c9690 (size 16): CVE-2025-38418 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() When rproc->state = RPROC_DETACHED and rproc_attach() is used to attach to the remote processor, if rproc_handle_resources() returns a failure, the resources allocated by imx_rproc_prepare() should be released, otherwise the following memory leak will occur. Since almost the same thing is done in imx_rproc_prepare() and rproc_resource_cleanup(), Function rproc_resource_cleanup() is able to deal with empty lists so it is better to fix the "goto" statements in rproc_attach(). replace the "unprepare_device" goto statement with "clean_up_resources" and get rid of the "unprepare_device" label. unreferenced object 0xffff0000861c5d00 (size 128): comm "kworker/u12:3", pid 59, jiffies 4294893509 (age 149.220s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 02 88 00 00 00 00 00 00 10 00 00 00 00 00 ............ backtrace: [<00000000f949fe18>] slab_post_alloc_hook+0x98/0x37c [<00000000adbfb3e7>] __kmem_cache_alloc_node+0x138/0x2e0 [<00000000521c0345>] kmalloc_trace+0x40/0x158 [<000000004e330a49>] rproc_mem_entry_init+0x60/0xf8 [<000000002815755e>] imx_rproc_prepare+0xe0/0x180 [<0000000003f61b4e>] rproc_boot+0x2ec/0x528 [<00000000e7e994ac>] rproc_add+0x124/0x17c [<0000000048594076>] imx_rproc_probe+0x4ec/0x5d4 [<00000000efc298a1>] platform_probe+0x68/0xd8 [<00000000110be6fe>] really_probe+0x110/0x27c [<00000000e245c0ae>] __driver_probe_device+0x78/0x12c [<00000000f61f6f5e>] driver_probe_device+0x3c/0x118 [<00000000a7874938>] __device_attach_driver+0xb8/0xf8 [<0000000065319e69>] bus_for_each_drv+0x84/0xe4 [<00000000db3eb243>] __device_attach+0xfc/0x18c [<0000000072e4e1a4>] device_initial_probe+0x14/0x20 CVE-2025-38419 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: do not ping device which has failed to load firmware Syzkaller reports [1, 2] crashes caused by an attempts to ping the device which has failed to load firmware. Since such a device doesn't pass 'ieee80211_register_hw()', an internal workqueue managed by 'ieee80211_queue_work()' is not yet created and an attempt to queue work on it causes null-ptr-deref. [1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff [2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217 CVE-2025-38420 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf: Fix sample vs do_exit() Baisheng Gao reported an ARM64 crash, which Mark decoded as being a synchronous external abort -- most likely due to trying to access MMIO in bad ways. The crash further shows perf trying to do a user stack sample while in exit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address space it is trying to access. It turns out that we stop perf after we tear down the userspace mm; a receipie for disaster, since perf likes to access userspace for various reasons. Flip this order by moving up where we stop perf in do_exit(). Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER to abort when the current task does not have an mm (exit_mm() makes sure to set current->mm = NULL; before commencing with the actual teardown). Such that CPU wide events don't trip on this same problem. CVE-2025-38424 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: check msg length in SMBUS block read For SMBUS block read, do not continue to read if the message length passed from the device is '0' or greater than the maximum allowed bytes. CVE-2025-38425 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add basic validation for RAS header If RAS header read from EEPROM is corrupted, it could result in trying to allocate huge memory for reading the records. Add some validation to header fields. CVE-2025-38426 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec->data, len);" CVE-2025-38428 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Update read pointer only after buffer is written Inside mhi_ep_ring_add_element, the read pointer (rd_offset) is updated before the buffer is written, potentially causing race conditions where the host sees an updated read pointer before the buffer is actually written. Updating rd_offset prematurely can lead to the host accessing an uninitialized or incomplete element, resulting in data corruption. Invoke the buffer write before updating rd_offset to ensure the element is fully written before signaling its availability. CVE-2025-38429 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure. CVE-2025-38430 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/scheduler: signal scheduled fence when kill job When an entity from application B is killed, drm_sched_entity_kill() removes all jobs belonging to that entity through drm_sched_entity_kill_jobs_work(). If application A's job depends on a scheduled fence from application B's job, and that fence is not properly signaled during the killing process, application A's dependency cannot be cleared. This leads to application A hanging indefinitely while waiting for a dependency that will never be resolved. Fix this issue by ensuring that scheduled fences are properly signaled when an entity is killed, allowing dependent applications to continue execution. CVE-2025-38436 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en] CVE-2025-38439 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] CVE-2025-38441 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation. CVE-2025-38443 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm "fio", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions. CVE-2025-38444 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init(&newpool, ...); conf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { alloc_r1bio() { mempool_alloc() { // if pool->alloc fails remove_element() { --pool->curr_nr; } } } } mempool_free() { if (pool->curr_nr < pool->min_nr) { // pool->wait.head is a stack address // wake_up() will try to access this invalid address // which leads to a kernel panic return; wake_up(&pool->wait); } } Fix: reinit conf->r1bio_pool.wait after assigning newpool. CVE-2025-38445 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE CVE-2025-38448 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is shown below. [ 156.791968] ------------[ cut here ]------------ [ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430 [...] [ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430 [ 157.043420] Call Trace: [ 157.045898] <TASK> [ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710 [ 157.065567] ? dma_buf_vmap+0x224/0x430 [ 157.069446] ? __warn.cold+0x58/0xe4 [ 157.073061] ? dma_buf_vmap+0x224/0x430 [ 157.077111] ? report_bug+0x1dd/0x390 [ 157.080842] ? handle_bug+0x5e/0xa0 [ 157.084389] ? exc_invalid_op+0x14/0x50 [ 157.088291] ? asm_exc_invalid_op+0x16/0x20 [ 157.092548] ? dma_buf_vmap+0x224/0x430 [ 157.096663] ? dma_resv_get_singleton+0x6d/0x230 [ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10 [ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10 [ 157.110697] drm_gem_shmem_vmap+0x74/0x710 [ 157.114866] drm_gem_vmap+0xa9/0x1b0 [ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0 [ 157.123086] drm_gem_fb_vmap+0xab/0x300 [ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10 [ 157.133032] ? lockdep_init_map_type+0x19d/0x880 [ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0 [ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180 [ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40 [...] [ 157.346424] ---[ end trace 0000000000000000 ]--- Acquiring GEM handles for the framebuffer's GEM buffer objects prevents this from happening. The framebuffer's cleanup later puts the handle references. Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object instance") triggers the segmentation fault easily by using the dma-buf field more widely. The underlying issue with reference counting has been present before. v2: - acquire the handle instead of the BO (Christian) - fix comment style (Christian) - drop the Fixes tag (Christian) - rename err_ gotos - add missing Link tag CVE-2025-38449 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vcpus. The bulk of vCPU creation runs _outside_ of kvm->lock to allow creating multiple vCPUs in parallel, and so sev_info.es_active can get toggled from false=>true in the destination VM after (or during) svm_vcpu_create(), resulting in an SEV{-ES} VM effectively having a non-SEV{-ES} vCPU. The issue manifests most visibly as a crash when trying to free a vCPU's NULL VMSA page in an SEV-ES VM, but any number of things can go wrong. BUG: unable to handle page fault for address: ffffebde00000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G U O 6.15.0-smp-DEV #2 NONE Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024 RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline] RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline] RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline] RIP: 0010:PageHead include/linux/page-flags.h:866 [inline] RIP: 0010:___free_pages+0x3e/0x120 mm/page_alloc.c:5067 Code: <49> f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0 RSP: 0018:ffff8984551978d0 EFLAGS: 00010246 RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000 RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000 R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000 R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000 FS: 0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Call Trace: <TASK> sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169 svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515 kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396 kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline] kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490 kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895 kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310 kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369 __fput+0x3e4/0x9e0 fs/file_table.c:465 task_work_run+0x1a9/0x220 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x7f0/0x25b0 kernel/exit.c:953 do_group_exit+0x203/0x2d0 kernel/exit.c:1102 get_signal+0x1357/0x1480 kernel/signal.c:3034 arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218 do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f87a898e969 </TASK> Modules linked in: gq(O) gsmi: Log Shutdown Reason 0x03 CR2: ffffebde00000000 ---[ end trace 0000000000000000 ]--- Deliberately don't check for a NULL VMSA when freeing the vCPU, as crashing the host is likely desirable due to the VMSA being consumed by hardware. E.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a bogus VMSA page. Accessing P ---truncated--- CVE-2025-38455 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on and invalid pointer will lead to memory corruption. We don't really need to call atomic_dec() if we haven't called atomic_add_return() so update the if (intf->in_shutdown) path as well. CVE-2025-38456 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ CVE-2025-38457 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-38458 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: <TASK> clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 </TASK> Modules linked in: CVE-2025-38459 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd(). CVE-2025-38460 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CVE-2025-38461 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CVE-2025-38462 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tcp: Correct signedness in skb remaining space calculation Syzkaller reported a bug [1] where sk->sk_forward_alloc can overflow. When we send data, if an skb exists at the tail of the write queue, the kernel will attempt to append the new data to that skb. However, the code that checks for available space in the skb is flawed: ''' copy = size_goal - skb->len ''' The types of the variables involved are: ''' copy: ssize_t (s64 on 64-bit systems) size_goal: int skb->len: unsigned int ''' Due to C's type promotion rules, the signed size_goal is converted to an unsigned int to match skb->len before the subtraction. The result is an unsigned int. When this unsigned int result is then assigned to the s64 copy variable, it is zero-extended, preserving its non-negative value. Consequently, copy is always >= 0. Assume we are sending 2GB of data and size_goal has been adjusted to a value smaller than skb->len. The subtraction will result in copy holding a very large positive integer. In the subsequent logic, this large value is used to update sk->sk_forward_alloc, which can easily cause it to overflow. The syzkaller reproducer uses TCP_REPAIR to reliably create this condition. However, this can also occur in real-world scenarios. The tcp_bound_to_half_wnd() function can also reduce size_goal to a small value. This would cause the subsequent tcp_wmem_schedule() to set sk->sk_forward_alloc to a value close to INT_MAX. Further memory allocation requests would then cause sk_forward_alloc to wrap around and become negative. [1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47 CVE-2025-38463 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb CVE-2025-38464 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576 CVE-2025-38465 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes. CVE-2025-38466 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this. CVE-2025-38467 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 The root cause is the following: 1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on the selected leaf qdisc 2. netem_dequeue calls enqueue on the child qdisc 3. blackhole_enqueue drops the packet and returns a value that is not just NET_XMIT_SUCCESS 4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase 5. As this is the only class in the selected hprio rbtree, __rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL 6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON The function graph for this scenario is shown here: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON(); ------------------------------------------ The full original bug report can be seen here [1]. We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL. [1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/ CVE-2025-38468 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problems with the above scheme. The first problem is a memory leak that can happen if the "rx-vlan-filter" feature is disabled while the device is running: # ip link add bond1 up type bond mode 0 # ethtool -K bond1 rx-vlan-filter off # ip link del dev bond1 When the device is put administratively down the "rx-vlan-filter" feature is disabled, so the 8021q module will not remove VLAN 0 and the memory will be leaked [1]. Another problem that can happen is that the kernel can automatically delete VLAN 0 when the device is put administratively down despite not adding it when the device was put administratively up since during that time the "rx-vlan-filter" feature was disabled. null-ptr-unref or bug_on[2] will be triggered by unregister_vlan_dev() for refcount imbalance if toggling filtering during runtime: $ ip link add bond0 type bond mode 0 $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q $ ethtool -K bond0 rx-vlan-filter off $ ifconfig bond0 up $ ethtool -K bond0 rx-vlan-filter on $ ifconfig bond0 down $ ip link del vlan0 Root cause is as below: step1: add vlan0 for real_dev, such as bond, team. register_vlan_dev vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1 step2: disable vlan filter feature and enable real_dev step3: change filter from 0 to 1 vlan_device_event vlan_filter_push_vids ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0 step4: real_dev down vlan_device_event vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0 vlan_info_rcu_free //free vlan0 step5: delete vlan0 unregister_vlan_dev BUG_ON(!vlan_info); //vlan_info is null Fix both problems by noting in the VLAN info whether VLAN 0 was automatically added upon NETDEV_UP and based on that decide whether it should be deleted upon NETDEV_DOWN, regardless of the state of the "rx-vlan-filter" feature. [1] unreferenced object 0xffff8880068e3100 (size 256): comm "ip", pid 384, jiffies 4296130254 hex dump (first 32 bytes): 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 81ce31fa): __kmalloc_cache_noprof+0x2b5/0x340 vlan_vid_add+0x434/0x940 vlan_device_event.cold+0x75/0xa8 notifier_call_chain+0xca/0x150 __dev_notify_flags+0xe3/0x250 rtnl_configure_link+0x193/0x260 rtnl_newlink_create+0x383/0x8e0 __rtnl_newlink+0x22c/0xa40 rtnl_newlink+0x627/0xb00 rtnetlink_rcv_msg+0x6fb/0xb70 netlink_rcv_skb+0x11f/0x350 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 [2] kernel BUG at net/8021q/vlan.c:99! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1)) RSP: 0018:ffff88810badf310 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8 RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80 R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000 R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0 Call Trace: <TASK ---truncated--- CVE-2025-38470 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry. BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls] (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) Read of size 4 at addr ffff888013085750 by task tls/13529 CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme Call Trace: kasan_report+0xca/0x100 tls_strp_check_rcv+0x898/0x9a0 [tls] tls_rx_rec_wait+0x2c9/0x8d0 [tls] tls_sw_recvmsg+0x40f/0x1aa0 [tls] inet_recvmsg+0x1c3/0x1f0 Always reload the queue, fast path is to have the record in the queue when we wake, anyway (IOW the path going down "if !strp->stm.full_len"). CVE-2025-38471 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry A crash in conntrack was reported while trying to unlink the conntrack entry from the hash bucket list: [exception RIP: __nf_ct_delete_from_lists+172] [..] #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack] #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack] #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack] [..] The nf_conn struct is marked as allocated from slab but appears to be in a partially initialised state: ct hlist pointer is garbage; looks like the ct hash value (hence crash). ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected ct->timeout is 30000 (=30s), which is unexpected. Everything else looks like normal udp conntrack entry. If we ignore ct->status and pretend its 0, the entry matches those that are newly allocated but not yet inserted into the hash: - ct hlist pointers are overloaded and store/cache the raw tuple hash - ct->timeout matches the relative time expected for a new udp flow rather than the absolute 'jiffies' value. If it were not for the presence of IPS_CONFIRMED, __nf_conntrack_find_get() would have skipped the entry. Theory is that we did hit following race: cpu x cpu y cpu z found entry E found entry E E is expired <preemption> nf_ct_delete() return E to rcu slab init_conntrack E is re-inited, ct->status set to 0 reply tuplehash hnnode.pprev stores hash value. cpu y found E right before it was deleted on cpu x. E is now re-inited on cpu z. cpu y was preempted before checking for expiry and/or confirm bit. ->refcnt set to 1 E now owned by skb ->timeout set to 30000 If cpu y were to resume now, it would observe E as expired but would skip E due to missing CONFIRMED bit. nf_conntrack_confirm gets called sets: ct->status |= CONFIRMED This is wrong: E is not yet added to hashtable. cpu y resumes, it observes E as expired but CONFIRMED: <resumes> nf_ct_expired() -> yes (ct->timeout is 30s) confirmed bit set. cpu y will try to delete E from the hashtable: nf_ct_delete() -> set DYING bit __nf_ct_delete_from_lists Even this scenario doesn't guarantee a crash: cpu z still holds the table bucket lock(s) so y blocks: wait for spinlock held by z CONFIRMED is set but there is no guarantee ct will be added to hash: "chaintoolong" or "clash resolution" logic both skip the insert step. reply hnnode.pprev still stores the hash value. unlocks spinlock return NF_DROP <unblocks, then crashes on hlist_nulls_del_rcu pprev> In case CPU z does insert the entry into the hashtable, cpu y will unlink E again right away but no crash occurs. Without 'cpu y' race, 'garbage' hlist is of no consequence: ct refcnt remains at 1, eventually skb will be free'd and E gets destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy. To resolve this, move the IPS_CONFIRMED assignment after the table insertion but before the unlock. Pablo points out that the confirm-bit-store could be reordered to happen before hlist add resp. the timeout fixup, so switch to set_bit and before_atomic memory barrier to prevent this. It doesn't matter if other CPUs can observe a newly inserted entry right before the CONFIRMED bit was set: Such event cannot be distinguished from above "E is the old incarnation" case: the entry will be skipped. Also change nf_ct_should_gc() to first check the confirmed bit. The gc sequence is: 1. Check if entry has expired, if not skip to next entry 2. Obtain a reference to the expired entry. 3. Call nf_ct_should_gc() to double-check step 1. nf_ct_should_gc() is thus called only for entries that already failed an expiry check. After this patch, once the confirmed bit check pas ---truncated--- CVE-2025-38472 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access to the killed socket in l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847 CVE-2025-38473 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission. CVE-2025-38474 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ================================================================== BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) Read of size 40 at addr ffff888122bf96d8 by task ping6/1543 CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2)) rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) lwtunnel_input (net/core/lwtunnel.c:459) ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) __netif_receive_skb_one_core (net/core/dev.c:5967) process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) __napi_poll.constprop.0 (net/core/dev.c:7452) net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480 (discriminator 20)) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:407) __dev_queue_xmit (net/core/dev.c:4740) ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) ip6_send_skb (net/ipv6/ip6_output.c:1983) rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) __x64_sys_sendto (net/socket.c:2231) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f68cffb2a06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 </TASK> Allocated by task 1543: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88)) __alloc_skb (net/core/skbuff.c:669) __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1)) ip6_ ---truncated--- CVE-2025-38476 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats. CVE-2025-38477 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice. CVE-2025-38478 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case. CVE-2025-38480 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1. CVE-2025-38481 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. CVE-2025-38482 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. CVE-2025-38483 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read [...] _find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290 fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178 fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c irq_thread_fn from irq_thread+0x110/0x1f4 irq_thread from kthread+0xe0/0xfc kthread from ret_from_fork+0x14/0x2c CVE-2025-38485 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000004] *pgd=00000000 [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE ... [ 120.679543] Call trace: [ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac [ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38 [ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200 ... CVE-2025-38487 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediately rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); // Free creq while async operation is still in progress kvfree_sensitive(creq, ...); Hardware crypto modules often implement async AEAD operations for performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, the operation completes asynchronously. Without crypto_wait_req(), the function immediately frees the request buffer, leading to crashes when the driver later accesses the freed memory. This results in a use-after-free condition when the hardware crypto driver later accesses the freed request structure, leading to kernel crashes with NULL pointer dereferences. The issue occurs because crypto_alloc_aead() with mask=0 doesn't guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in the mask, async implementations can be selected. Fix by restoring the async crypto handling: - DECLARE_CRYPTO_WAIT(wait) for completion tracking - aead_request_set_callback() for async completion notification - crypto_wait_req() to wait for operation completion This ensures the request buffer isn't freed until the crypto operation completes, whether synchronous or asynchronous, while preserving the CVE-2024-50047 fix. CVE-2025-38488 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has accidentally removed the critical piece of commit c730fce7c70c ("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing intermittent kernel panics in e.g. perf's on_switch() prog to reappear. Restore the fix and add a comment. CVE-2025-38489 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: libwx: remove duplicate page_pool_put_full_page() page_pool_put_full_page() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic: [ 876.949834] __irq_exit_rcu+0xc7/0x130 [ 876.949836] common_interrupt+0xb8/0xd0 [ 876.949838] </IRQ> [ 876.949838] <TASK> [ 876.949840] asm_common_interrupt+0x22/0x40 [ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246 [ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000 [ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e [ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed [ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580 [ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000 [ 876.949852] ? cpuidle_enter_state+0xb3/0x420 [ 876.949855] cpuidle_enter+0x29/0x40 [ 876.949857] cpuidle_idle_call+0xfd/0x170 [ 876.949859] do_idle+0x7a/0xc0 [ 876.949861] cpu_startup_entry+0x25/0x30 [ 876.949862] start_secondary+0x117/0x140 [ 876.949864] common_startup_64+0x13e/0x148 [ 876.949867] </TASK> [ 876.949868] ---[ end trace 0000000000000000 ]--- [ 876.949869] ------------[ cut here ]------------ [ 876.949870] list_del corruption, ffffead40445a348->next is NULL [ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120 [ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E) [ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi [ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary) [ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE [ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120 [ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8 [ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282 [ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000 [ 876.949942] RDX: 0000000000000105 RSI: 00000 ---truncated--- CVE-2025-38490 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and fallback decision atomic Syzkaller reported the following splat: WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 Modules linked in: CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline] RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00 RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45 RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001 RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000 FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0 Call Trace: <IRQ> tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432 tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975 tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166 tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925 tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363 ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:317 [inline] NF_HOOK include/linux/netfilter.h:311 [inline] ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:469 [inline] ip_rcv_finish net/ipv4/ip_input.c:447 [inline] NF_HOOK include/linux/netfilter.h:317 [inline] NF_HOOK include/linux/netfilter.h:311 [inline] ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088 process_backlog+0x301/0x1360 net/core/dev.c:6440 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453 napi_poll net/core/dev.c:7517 [inline] net_rx_action+0xb44/0x1010 net/core/dev.c:7644 handle_softirqs+0x1d0/0x770 kernel/softirq.c:579 do_softirq+0x3f/0x90 kernel/softirq.c:480 </IRQ> <TASK> __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407 local_bh_enable include/linux/bottom_half.h:33 [inline] inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524 mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985 mptcp_check_listen_stop net/mptcp/mib.h:118 [inline] __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000 mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066 inet_release+0xed/0x200 net/ipv4/af_inet.c:435 inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487 __sock_release+0xb3/0x270 net/socket.c:649 sock_close+0x1c/0x30 net/socket.c:1439 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xd4 ---truncated--- CVE-2025-38491 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. CVE-2025-38494 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7. CVE-2025-38495 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: dm-bufio: fix sched in atomic context If "try_verify_in_tasklet" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spin_lock_bh, the following warning is hit: BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2 preempt_count: 201, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/2:2/123: #0: ffff88800a2d1548 ((wq_completion)dm_bufio_cache){....}-{0:0}, at: process_one_work+0xe46/0x1970 #1: ffffc90000d97d20 ((work_completion)(&dm_bufio_replacement_work)){....}-{0:0}, at: process_one_work+0x763/0x1970 #2: ffffffff8555b528 (dm_bufio_clients_lock){....}-{3:3}, at: do_global_cleanup+0x1ce/0x710 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: do_global_cleanup+0x2a5/0x710 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: dm_bufio_cache do_global_cleanup Call Trace: <TASK> dump_stack_lvl+0x53/0x70 __might_resched+0x360/0x4e0 do_global_cleanup+0x2f5/0x710 process_one_work+0x7db/0x1970 worker_thread+0x518/0xea0 kthread+0x359/0x690 ret_from_fork+0xf3/0x1b0 ret_from_fork_asm+0x1a/0x30 </TASK> That can be reproduced by: veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb SIZE=$(blockdev --getsz /dev/vda) dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 try_verify_in_tasklet" mount /dev/dm-0 /mnt -o ro echo 102400 > /sys/module/dm_bufio/parameters/max_cache_size_bytes [read files in /mnt] CVE-2025-38496 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately. CVE-2025-38497 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). CVE-2025-38498 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above. CVE-2025-38499 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] <TASK> [ 8.516635] ? rtnl_is_locked+0x15/0x20 [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0 [ 8.516650] ops_undo_list+0x1f2/0x220 [ 8.516659] cleanup_net+0x1ad/0x2e0 [ 8.516664] process_one_work+0x160/0x380 [ 8.516673] worker_thread+0x2aa/0x3c0 [ 8.516679] ? __pfx_worker_thread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? __pfx_kthread+0x10/0x10 [ 8.516693] ? __pfx_kthread+0x10/0x10 [ 8.516697] ret_from_fork+0x82/0xf0 [ 8.516705] ? __pfx_kthread+0x10/0x10 [ 8.516709] ret_from_fork_asm+0x1a/0x30 [ 8.516718] </TASK> CVE-2025-38500 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when building free space tree When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this: BTRFS info (device loop0 state M): rebuilding free space tree assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102 ------------[ cut here ]------------ kernel BUG at fs/btrfs/free-space-tree.c:1102! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 sp : ffff8000a4ce7600 x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8 x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001 x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160 x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0 x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00 x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0 x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e Call trace: populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P) btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337 btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074 btrfs_remount_rw fs/btrfs/super.c:1319 [inline] btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543 reconfigure_super+0x1d4/0x6f0 fs/super.c:1083 do_remount fs/namespace.c:3365 [inline] path_mount+0xb34/0xde0 fs/namespace.c:4200 do_mount fs/namespace.c:4221 [inline] __do_sys_mount fs/namespace.c:4432 [inline] __se_sys_mount fs/namespace.c:4409 [inline] __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Code: f0047182 91178042 528089c3 9771d47b (d4210000) ---[ end trace 0000000000000000 ]--- This happens because we are processing an empty block group, which has no extents allocated from it, there are no items for this block group, including the block group item since block group items are stored in a dedicated tree when using the block group tree feature. It also means this is the block group with the highest start offset, so there are no higher keys in the extent root, hence btrfs_search_slot_for_read() returns 1 (no higher key found). Fix this by asserting 'ret' is 0 only if the block group tree feature is not enabled, in which case we should find a block group item for the block group since it's stored in the extent root and block group item keys are greater than extent item keys (the value for BTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and BTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively). In case 'ret' is 1, we just need to add a record to the free space tree which spans the whole block group, and we can achieve this by making 'ret == 0' as the while loop's condition. CVE-2025-38503 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: Allow CPU to reschedule while setting per-page memory attributes When running an SEV-SNP guest with a sufficiently large amount of memory (1TB+), the host can experience CPU soft lockups when running an operation in kvm_vm_set_mem_attributes() to set memory attributes on the whole range of guest memory. watchdog: BUG: soft lockup - CPU#8 stuck for 26s! [qemu-kvm:6372] CPU: 8 UID: 0 PID: 6372 Comm: qemu-kvm Kdump: loaded Not tainted 6.15.0-rc7.20250520.el9uek.rc1.x86_64 #1 PREEMPT(voluntary) Hardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016600 11/13/2024 RIP: 0010:xas_create+0x78/0x1f0 Code: 00 00 00 41 80 fc 01 0f 84 82 00 00 00 ba 06 00 00 00 bd 06 00 00 00 49 8b 45 08 4d 8d 65 08 41 39 d6 73 20 83 ed 06 48 85 c0 <74> 67 48 89 c2 83 e2 03 48 83 fa 02 75 0c 48 3d 00 10 00 00 0f 87 RSP: 0018:ffffad890a34b940 EFLAGS: 00000286 RAX: ffff96f30b261daa RBX: ffffad890a34b9c8 RCX: 0000000000000000 RDX: 000000000000001e RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffad890a356868 R13: ffffad890a356860 R14: 0000000000000000 R15: ffffad890a356868 FS: 00007f5578a2a400(0000) GS:ffff97ed317e1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f015c70fb18 CR3: 00000001109fd006 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> xas_store+0x58/0x630 __xa_store+0xa5/0x130 xa_store+0x2c/0x50 kvm_vm_set_mem_attributes+0x343/0x710 [kvm] kvm_vm_ioctl+0x796/0xab0 [kvm] __x64_sys_ioctl+0xa3/0xd0 do_syscall_64+0x8c/0x7a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f5578d031bb Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2d 4c 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe0a742b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000004020aed2 RCX: 00007f5578d031bb RDX: 00007ffe0a742c80 RSI: 000000004020aed2 RDI: 000000000000000b RBP: 0000010000000000 R08: 0000010000000000 R09: 0000017680000000 R10: 0000000000000080 R11: 0000000000000246 R12: 00005575e5f95120 R13: 00007ffe0a742c80 R14: 0000000000000008 R15: 00005575e5f961e0 While looping through the range of memory setting the attributes, call cond_resched() to give the scheduler a chance to run a higher priority task on the runqueue if necessary and avoid staying in kernel mode long enough to trigger the lockup. CVE-2025-38506 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area(). CVE-2025-38510 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 but for mesh networks. This patch tries to detect if a standard MSDU was turned into an A-MSDU by an adversary. This is done by parsing a received A-MSDU as a standard MSDU, calculating the length of the Mesh Control header, and seeing if the 6 bytes after this header equal the start of an rfc1042 header. If equal, this is a strong indication of an ongoing attack attempt. This defense was tested with mac80211_hwsim against a mesh network that uses an empty Mesh Address Extension field, i.e., when four addresses are used, and when using a 12-byte Mesh Address Extension field, i.e., when six addresses are used. Functionality of normal MSDUs and A-MSDUs was also tested, and confirmed working, when using both an empty and 12-byte Mesh Address Extension field. It was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh networks keep being detected and prevented. Note that the vulnerability being patched, and the defense being implemented, was also discussed in the following paper and in the following IEEE 802.11 presentation: https://papers.mathyvanhoef.com/wisec2025.pdf https://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx CVE-2025-38512 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULL Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status(). Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-38513 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-existence of prealloc backlog struct If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. CVE-2025-38514 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/sched: Increment job count before swapping tail spsc queue A small race exists between spsc_queue_push and the run-job worker, in which spsc_queue_push may return not-first while the run-job worker has already idled due to the job count being zero. If this race occurs, job scheduling stops, leading to hangs while waiting on the job's DMA fences. Seal this race by incrementing the job count before appending to the SPSC queue. This race was observed on a drm-tip 6.16-rc1 build with the Xe driver in an SVM test case. CVE-2025-38515 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certain pins as invalid for interrupts On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG() in the pinctrl-msm driver by running, for example: `gpiomon -c 0 113` on RB2. The exact culprit is requesting pins whose intr_detection_width setting is not 1 or 2 for interrupts. This hits a BUG() in msm_gpio_irq_set_type(). Potentially crashing the kernel due to an invalid request from user-space is not optimal, so let's go through the pins and mark those that would fail the check as invalid for the irq chip as we should not even register them as available irqs. This function can be extended if we determine that there are more corner-cases like this. CVE-2025-38516 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding prange to the deferred list to pair with mmput in deferred list work. If prange split and add into pchild list, the pchild work_item.mm is not used, so remove the mm parameter from svm_range_unmap_split and svm_range_add_child. The backtrace of hung task: INFO: task python:348105 blocked for more than 64512 seconds. Call Trace: __schedule+0x1c3/0x550 schedule+0x46/0xb0 rwsem_down_write_slowpath+0x24b/0x4c0 unlink_anon_vmas+0xb1/0x1c0 free_pgtables+0xa9/0x130 exit_mmap+0xbc/0x1a0 mmput+0x5a/0x140 svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu] mn_itree_invalidate+0x72/0xc0 __mmu_notifier_invalidate_range_start+0x48/0x60 try_to_unmap_one+0x10fa/0x1400 rmap_walk_anon+0x196/0x460 try_to_unmap+0xbb/0x210 migrate_page_unmap+0x54d/0x7e0 migrate_pages_batch+0x1c3/0xae0 migrate_pages_sync+0x98/0x240 migrate_pages+0x25c/0x520 compact_zone+0x29d/0x590 compact_zone_order+0xb6/0xf0 try_to_compact_pages+0xbe/0x220 __alloc_pages_direct_compact+0x96/0x1a0 __alloc_pages_slowpath+0x410/0x930 __alloc_pages_nodemask+0x3a9/0x3e0 do_huge_pmd_anonymous_page+0xd7/0x3e0 __handle_mm_fault+0x5e3/0x5f0 handle_mm_fault+0xf7/0x2e0 hmm_vma_fault.isra.0+0x4d/0xa0 walk_pmd_range.isra.0+0xa8/0x310 walk_pud_range+0x167/0x240 walk_pgd_range+0x55/0x100 __walk_page_range+0x87/0x90 walk_page_range+0xf6/0x160 hmm_range_fault+0x4f/0x90 amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu] amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu] init_user_pages+0xb1/0x2a0 [amdgpu] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu] kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu] kfd_ioctl+0x29d/0x500 [amdgpu] (cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7) CVE-2025-38520 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recv-recv race of completed call If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in and its recvmsg can pop the call off the socket queue again. In such a case, the first thread will be receiving stuff from the call and the second thread will be blocked on call->user_mutex. The first thread can, at this point, process both the event that it picked call for and the event that the second thread picked the call for and may see the call terminate - in which case the call will be "released", decoupling the call from the user call ID assigned to it (RXRPC_USER_CALL_ID in the control message). The first thread will return okay, but then the second thread will wake up holding the user_mutex and, if it sees that the call has been released by the first thread, it will BUG thusly: kernel BUG at net/rxrpc/recvmsg.c:474! Fix this by just dequeuing the call and ignoring it if it is seen to be already released. We can't tell userspace about it anyway as the user call ID has become stale. CVE-2025-38524 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_running() is being called from outside of the LAG event handler code. This results in the lag->upper_netdev being NULL sometimes. To avoid a NULL-pointer dereference, there needs to be a check before it is dereferenced. CVE-2025-38526 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb() kill_anon_super() generic_shutdown_super() evict_inodes() dispose_list() evict() destroy_inode() call_rcu(&inode->i_rcu, i_callback) spin_lock(&cinode->open_file_lock) <- OK [later] i_callback() cifs_free_inode() kmem_cache_free(cinode) spin_unlock(&cinode->open_file_lock) <- UAF cifs_done_oplock_break(cinode) <- UAF The issue occurs when umount has already released its reference to the superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifs_oplock_break() continues to access the cinode after this point, resulting in use-after-free. Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes. CVE-2025-38527 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0 This happens because bpf_bprintf_prepare skips over the second %, detected as punctuation, while processing %p. This patch fixes it by not skipping over punctuation. %\x00 is then processed in the next iteration and rejected. CVE-2025-38528 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. CVE-2025-38529 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. CVE-2025-38530 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: common: st_sensors: Fix use of uninitialize device structs Throughout the various probe functions &indio_dev->dev is used before it is initialized. This caused a kernel panic in st_sensors_power_enable() when the call to devm_regulator_bulk_get_enable() fails and then calls dev_err_probe() with the uninitialized device. This seems to only cause a panic with dev_err_probe(), dev_err(), dev_warn() and dev_info() don't seem to cause a panic, but are fixed as well. The issue is reported and traced here: [1] CVE-2025-38531 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix the using of Rx buffer DMA The wx_rx_buffer structure contained two DMA address fields: 'dma' and 'page_dma'. However, only 'page_dma' was actually initialized and used to program the Rx descriptor. But 'dma' was uninitialized and used in some paths. This could lead to undefined behavior, including DMA errors or use-after-free, if the uninitialized 'dma' was used. Althrough such error has not yet occurred, it is worth fixing in the code. CVE-2025-38533 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code assumed that the regulator should be disabled. However, if the regulator is marked as always-on, regulator_is_enabled() continues to return true, leading to an incorrect attempt to disable a regulator which is not enabled. This can result in warnings such as: [ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004 _regulator_disable+0xe4/0x1a0 [ 250.155652] unbalanced disables for VIN_SYS_5V0 To fix this, we move the regulator control logic into tegra186_xusb_padctl_id_override() function since it's directly related to the ID override state. The regulator is now only disabled when the role transitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID register. This ensures that regulator enable/disable operations are properly balanced and only occur when actually transitioning to/from host mode. CVE-2025-38535 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: phy: Don't register LEDs for genphy If a PHY has no driver, the genphy driver is probed/removed directly in phy_attach/detach. If the PHY's ofnode has an "leds" subnode, then the LEDs will be (un)registered when probing/removing the genphy driver. This could occur if the leds are for a non-generic driver that isn't loaded for whatever reason. Synchronously removing the PHY device in phy_detach leads to the following deadlock: rtnl_lock() ndo_close() ... phy_detach() phy_remove() phy_leds_unregister() led_classdev_unregister() led_trigger_set() netdev_trigger_deactivate() unregister_netdevice_notifier() rtnl_lock() There is a corresponding deadlock on the open/register side of things (and that one is reported by lockdep), but it requires a race while this one is deterministic. Generic PHYs do not support LEDs anyway, so don't bother registering them. CVE-2025-38537 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory. The changes to the second loop are more involved. In this case, we're copying data from the irqbuf[] array into the nbpf->chan[] array. If the data in irqbuf[i] is the error IRQ then we skip it, so the iterators are not in sync. I added a check to ensure that we don't go beyond the end of the irqbuf[] array. I'm pretty sure this can't happen, but it seemed harmless to add a check. On the other hand, after the loop has ended there is a check to ensure that the "chan" iterator is where we expect it to be. In the original code we went one element beyond the end of the array so the iterator wasn't in the correct place and it would always return -EINVAL. However, now it will always be in the correct place. I deleted the check since we know the result. CVE-2025-38538 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C) report a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. Add these 2 devices to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace. CVE-2025-38540 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() devm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. CVE-2025-38541 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/tegra: nvdec: Fix dma_alloc_coherent error check Check for NULL return value with dma_alloc_coherent, in line with Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'. CVE-2025-38543 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix bug due to prealloc collision When userspace is using AF_RXRPC to provide a server, it has to preallocate incoming calls and assign to them call IDs that will be used to thread related recvmsg() and sendmsg() together. The preallocated call IDs will automatically be attached to calls as they come in until the pool is empty. To the kernel, the call IDs are just arbitrary numbers, but userspace can use the call ID to hold a pointer to prepared structs. In any case, the user isn't permitted to create two calls with the same call ID (call IDs become available again when the call ends) and EBADSLT should result from sendmsg() if an attempt is made to preallocate a call with an in-use call ID. However, the cleanup in the error handling will trigger both assertions in rxrpc_cleanup_call() because the call isn't marked complete and isn't marked as having been released. Fix this by setting the call state in rxrpc_service_prealloc_one() and then marking it as being released before calling the cleanup function. CVE-2025-38544 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in atm_init_atmarp(), resulting in memory leak. Let's serialise two ioctl() by lock_sock() and check vcc->push() in atm_init_atmarp() to prevent memleak. CVE-2025-38546 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate the size of the received input buffer Add buffer_recv_size to store the size of the received bytes. Validate buffer_recv_size in send_usb_cmd(). CVE-2025-38548 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return. CVE-2025-38550 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplicating netem cannot exist in a tree with other netems. Previous approaches suggested in discussions in chronological order: 1) Track duplication status or ttl in the sk_buff struct. Considered too specific a use case to extend such a struct, though this would be a resilient fix and address other previous and potential future DOS bugs like the one described in loopy fun [2]. 2) Restrict netem_enqueue recursion depth like in act_mirred with a per cpu variable. However, netem_dequeue can call enqueue on its child, and the depth restriction could be bypassed if the child is a netem. 3) Use the same approach as in 2, but add metadata in netem_skb_cb to handle the netem_dequeue case and track a packet's involvement in duplication. This is an overly complex approach, and Jamal notes that the skb cb can be overwritten to circumvent this safeguard. 4) Prevent the addition of a netem to a qdisc tree if its ancestral path contains a netem. However, filters and actions can cause a packet to change paths when re-enqueued to the root from netem duplication, leading us to the current solution: prevent a duplicating netem from inhabiting the same tree as other netems. [1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/ [2] https://lwn.net/Articles/719297/ CVE-2025-38553 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: gadget : fix use-after-free in composite_dev_cleanup() 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): if kmalloc fails, the pointer cdev->os_desc_req will be freed but not set to NULL. Then it will return a failure to the upper-level function. 2. in func configfs_composite_bind() -> composite_dev_cleanup(): it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it will attempt to use it.This will lead to a use-after-free issue. BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 Read of size 8 at addr 0000004827837a00 by task init/1 CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 kasan_report+0x188/0x1cc __asan_load8+0xb4/0xbc composite_dev_cleanup+0xf4/0x2c0 configfs_composite_bind+0x210/0x7ac udc_bind_to_driver+0xb4/0x1ec usb_gadget_probe_driver+0xec/0x21c gadget_dev_desc_UDC_store+0x264/0x27c CVE-2025-38555 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. CVE-2025-38556 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state change to private. The specific mitigation is to touch the first and last byte of each 4K page that is being validated. There is no need to perform the mitigation when performing a page state change to shared and rescinding validation. CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that, when set, indicates that the software mitigation for this vulnerability is not needed. Implement the mitigation and invoke it when validating memory (making it private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest is vulnerable. CVE-2025-38560 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mapping have to use the same offset and the same size in both cases. The reference counting for the ringbuffer and the auxiliary buffer depends on this being correct. Though perf does not prevent that a related mapping is split via mmap(2), munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls, which take reference counts, but then the subsequent perf_mmap_close() calls are not longer fulfilling the offset and size checks. This leads to reference count leaks. As perf already has the requirement for subsequent mappings to match the initial mapping, the obvious consequence is that VMA splits, caused by resizing of a mapping or partial unmapping, have to be prevented. Implement the vm_operations_struct::may_split() callback and return unconditionally -EINVAL. That ensures that the mapping offsets and sizes cannot be changed after the fact. Remapping to a different fixed address with the same size is still possible as it takes the references for the new mapping and drops those of the old mapping. CVE-2025-38563 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv. CVE-2025-38566 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing TCA_MQPRIO_TC_ENTRY_INDEX is validated using NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in the fp[] array, which only has room for 16 elements (0-15). Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1. CVE-2025-38568 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed control buffer and read in the control message such as a TLS alert. Scott found that a msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv. CVE-2025-38571 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679 CVE-2025-38572 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptp_xmit() Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data on ppp_sync_txmung") fixed ppp_sync_txmunge() We need a similar fix in pptp_xmit(), otherwise we might read uninit data as reported by syzbot. BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline] ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314 pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x893/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709 CVE-2025-38574 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: Make EEH driver device hotplug safe Multiple race conditions existed between the PCIe hotplug driver and the EEH driver, leading to a variety of kernel oopses of the same general nature: <pcie device unplug> <eeh driver trigger> <hotplug removal trigger> <pcie tree reconfiguration> <eeh recovery next step> <oops in EEH driver bus iteration loop> A second class of oops is also seen when the underlying bus disappears during device recovery. Refactor the EEH module to be PCI rescan and remove safe. Also clean up a few minor formatting / readability issues. CVE-2025-38576 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - not-present page [ 204.980226] PGD 0 P4D 0 [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI ... [ 204.997852] Call Trace: [ 204.999074] <TASK> [ 205.000297] start_creating+0x9f/0x1c0 [ 205.001533] debugfs_create_dir+0x1f/0x170 [ 205.002769] ? srso_return_thunk+0x5/0x5f [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] [ 205.005241] ccp5_init+0x8b2/0x960 [ccp] [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] [ 205.007709] sp_init+0x5f/0x80 [ccp] [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] [ 205.010165] ? srso_return_thunk+0x5/0x5f [ 205.011376] local_pci_probe+0x4f/0xb0 [ 205.012584] pci_device_probe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driver_probe_device+0x7e/0x160 [ 205.016240] device_driver_attach+0x2f/0x60 [ 205.017457] bind_store+0x7c/0xb0 [ 205.018663] drv_attr_store+0x28/0x40 [ 205.019868] sysfs_kf_write+0x5f/0x70 [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 [ 205.022267] vfs_write+0x308/0x440 [ 205.023453] ksys_write+0x6d/0xe0 [ 205.024616] __x64_sys_write+0x1e/0x30 [ 205.025778] x64_sys_call+0x16ba/0x2150 [ 205.026942] do_syscall_64+0x56/0x1e0 [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 This patch sets ccp_debugfs_dir to NULL after destroying it in ccp5_debugfs_destroy, allowing the directory dentry to be recreated when rebinding the ccp device. Tested on AMD Ryzen 7 1700X. CVE-2025-38581 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix double destruction of rsv_qp rsv_qp may be double destroyed in error flow, first in free_mr_init(), and then in hns_roce_exit(). Fix it by moving the free_mr_init() call into hns_roce_v2_init(). list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240 ... Call trace: __list_del_entry_valid+0x148/0x240 hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2] hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2] hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2] free_mr_exit+0x6c/0x120 [hns_roce_hw_v2] hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2] hns_roce_exit+0x118/0x350 [hns_roce_hw_v2] __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2] hclge_notify_roce_client+0x6c/0x160 [hclge] hclge_reset_rebuild+0x150/0x5c0 [hclge] hclge_reset+0x10c/0x140 [hclge] hclge_reset_subtask+0x80/0x104 [hclge] hclge_reset_service_task+0x168/0x3ac [hclge] hclge_service_task+0x50/0x100 [hclge] process_one_work+0x250/0x9a0 worker_thread+0x324/0x990 kthread+0x190/0x210 ret_from_fork+0x10/0x18 CVE-2025-38582 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace: Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unregister+0xc/0x20 lr : clk_hw_unregister_fixed_factor+0x18/0x30 sp : ffff800011923850 ... Call trace: clk_hw_unregister+0xc/0x20 clk_hw_unregister_fixed_factor+0x18/0x30 xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu] xvcu_probe+0x2bc/0x53c [xlnx_vcu] CVE-2025-38583 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: padata: Fix pd UAF once and for all There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker. This reference count is (and only is) required for padata_replace to function correctly. If padata_replace is never called then there is no issue. In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away. Fix this by getting the next padata before the squeue->serial lock is released. In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives. CVE-2025-38584 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer overflow: 1. gmin_get_config_var() does not return the proper error code when efi.get_variable() fails. It returns the stale 'ret' value from earlier operations instead of indicating the EFI failure. 2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates *out_len to the required buffer size but writes no data to the output buffer. However, due to bug #1, gmin_get_var_int() believes the call succeeded. The caller gmin_get_var_int() then performs: - Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack - Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64 - If EFI variable is >64 bytes, efi.get_variable() sets len=required_size - Due to bug #1, thinks call succeeded with len=required_size - Executes val[len] = 0, writing past end of 65-byte stack buffer This creates a stack buffer overflow when EFI variables are larger than 64 bytes. Since EFI variables can be controlled by firmware or system configuration, this could potentially be exploited for code execution. Fix the bug by returning proper error codes from gmin_get_config_var() based on EFI status instead of stale 'ret' value. The gmin_get_var_int() function is called during device initialization for camera sensor configuration on Intel Bay Trail and Cherry Trail platforms using the atomisp camera stack. CVE-2025-38585 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_dev() seems to rely on RCU without an explicit protection. Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we risk an infinite loop. CVE-2025-38587 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } This is because fib6_del_route() and fib6_add_rt2node() uses list_del_rcu(), which can confuse rcu readers, because they might no longer see the head of the list. Restart the loop if f6i->fib6_nsiblings is zero. CVE-2025-38588 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup. Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0. Subsequently, functions like __xfrm_policy_check() attempt to access fields such as xfrm_input_state(skb)->xso.type (which dereferences sp->xvec[sp->len - 1]) without first validating sp->len. This leads to a crash when dereferencing an invalid state pointer. This patch prevents the crash by explicitly removing the secpath extension from the skb if the xfrm state is not found after hardware decryption. This ensures downstream functions do not operate on a zero-length secpath. BUG: unable to handle page fault for address: ffffffff000002c8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 282e067 P4D 282e067 PUD 0 Oops: Oops: 0000 [#1] SMP CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:__xfrm_policy_check+0x61a/0xa30 Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa RSP: 0018:ffff88885fb04918 EFLAGS: 00010297 RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353 R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8 R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00 FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? try_to_wake_up+0x108/0x4c0 ? udp4_lib_lookup2+0xbe/0x150 ? udp_lib_lport_inuse+0x100/0x100 ? __udp4_lib_lookup+0x2b0/0x410 __xfrm_policy_check2.constprop.0+0x11e/0x130 udp_queue_rcv_one_skb+0x1d/0x530 udp_unicast_rcv_skb+0x76/0x90 __udp4_lib_rcv+0xa64/0xe90 ip_protocol_deliver_rcu+0x20/0x130 ip_local_deliver_finish+0x75/0xa0 ip_local_deliver+0xc1/0xd0 ? ip_protocol_deliver_rcu+0x130/0x130 ip_sublist_rcv+0x1f9/0x240 ? ip_rcv_finish_core+0x430/0x430 ip_list_rcv+0xfc/0x130 __netif_receive_skb_list_core+0x181/0x1e0 netif_receive_skb_list_internal+0x200/0x360 ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core] gro_receive_skb+0xfd/0x210 mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core] mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core] ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core] mlx5e_napi_poll+0x114/0xab0 [mlx5_core] __napi_poll+0x25/0x170 net_rx_action+0x32d/0x3a0 ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core] ? notifier_call_chain+0x33/0xa0 handle_softirqs+0xda/0x250 irq_exit_rcu+0x6d/0xc0 common_interrupt+0x81/0xa0 </IRQ> CVE-2025-38590 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_narrower_load" case in the convert_ctx_accesses(), the insn->off is aligned, so the cnt may not be 0 because it matches the offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However, the target_size stays 0 and the verifier errors with a kernel warning: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in the "Closes" link below, which used to be about a different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list. CVE-2025-38591 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Function 'hci_discovery_filter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race: 'hci_cmd_sync_work()' 'update_passive_scan_sync()' 'hci_update_passive_scan_sync()' 'hci_discovery_filter_clear()' kfree(uuids); <-------------------------preempted--------------------------------> 'start_service_discovery()' 'hci_discovery_filter_clear()' kfree(uuids); // DOUBLE FREE <-------------------------preempted--------------------------------> uuids = NULL; To fix it let's add locking around 'kfree()' call and NULL pointer assignment. Otherwise the following backtrace fires: [ ] ------------[ cut here ]------------ [ ] kernel BUG at mm/slub.c:547! [ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1 [ ] Tainted: [O]=OOT_MODULE [ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ ] pc : __slab_free+0xf8/0x348 [ ] lr : __slab_free+0x48/0x348 ... [ ] Call trace: [ ] __slab_free+0xf8/0x348 [ ] kfree+0x164/0x27c [ ] start_service_discovery+0x1d0/0x2c0 [ ] hci_sock_sendmsg+0x518/0x924 [ ] __sock_sendmsg+0x54/0x60 [ ] sock_write_iter+0x98/0xf8 [ ] do_iter_readv_writev+0xe4/0x1c8 [ ] vfs_writev+0x128/0x2b0 [ ] do_writev+0xfc/0x118 [ ] __arm64_sys_writev+0x20/0x2c [ ] invoke_syscall+0x68/0xf0 [ ] el0_svc_common.constprop.0+0x40/0xe0 [ ] do_el0_svc+0x1c/0x28 [ ] el0_svc+0x30/0xd0 [ ] el0t_64_sync_handler+0x100/0x12c [ ] el0t_64_sync+0x194/0x198 [ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000) [ ] ---[ end trace 0000000000000000 ]--- CVE-2025-38593 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF. dma_buf_fd() is a combination of reserving a descriptor and fd_install(). gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the objects destroyed on close - starting with gntdev_dmabuf itself. Fix that by doing reserving descriptor before anything else and do fd_install() only when everything had been set up. CVE-2025-38595 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port Each window of a vop2 is usable by a specific set of video ports, so while binding the vop2, we look through the list of available windows trying to find one designated as primary-plane and usable by that specific port. The code later wants to use drm_crtc_init_with_planes with that found primary plane, but nothing has checked so far if a primary plane was actually found. For whatever reason, the rk3576 vp2 does not have a usable primary window (if vp0 is also in use) which brought the issue to light and ended in a null-pointer dereference further down. As we expect a primary-plane to exist for a video-port, add a check at the end of the window-iteration and fail probing if none was found. CVE-2025-38597 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized flag for deinit-ed srng lists In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances: 1) First ath11k_hal_dump_srng_stats() call Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 22511ms before ath11k_pci 0000:01:00.0: group_id 1 14440788ms before [..] ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. ath11k_pci 0000:01:00.0: Service connect timeout ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 ath11k_pci 0000:01:00.0: failed to start core: -110 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM ath11k_pci 0000:01:00.0: already resetting count 2 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery [..] 2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag. 3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats: Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 66785ms before ath11k_pci 0000:01:00.0: group_id 1 14485062ms before ath11k_pci 0000:01:00.0: group_id 2 14485062ms before ath11k_pci 0000:01:00.0: group_id 3 14485062ms before ath11k_pci 0000:01:00.0: group_id 4 14780845ms before ath11k_pci 0000:01:00.0: group_id 5 14780845ms before ath11k_pci 0000:01:00.0: group_id 6 14485062ms before ath11k_pci 0000:01:00.0: group_id 7 66814ms before ath11k_pci 0000:01:00.0: group_id 8 68997ms before ath11k_pci 0000:01:00.0: group_id 9 67588ms before ath11k_pci 0000:01:00.0: group_id 10 69511ms before BUG: unable to handle page fault for address: ffffa007404eb010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] Call Trace: <TASK> ? __die_body+0xae/0xb0 ? page_fault_oops+0x381/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] worker_thread+0x389/0x930 kthread+0x149/0x170 Clear per-list ->initialized flag in ath11k_hal_srng_deinit(). CVE-2025-38601 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue since it may return NULL pointer. CVE-2025-38602 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb. BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] Call Trace: <IRQ> rtl8187_tx_cb+0x116/0x150 [rtl8187] __usb_hcd_giveback_urb+0x9d/0x120 usb_giveback_urb_bh+0xbb/0x140 process_one_work+0x19b/0x3c0 bh_worker+0x1a7/0x210 tasklet_action+0x10/0x30 handle_softirqs+0xf0/0x340 __irq_exit_rcu+0xcd/0xf0 common_interrupt+0x85/0xa0 </IRQ> Tested on RTL8187BvE device. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-38604 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() In ath12k_dp_tx_get_encap_type(), the arvif parameter is only used to retrieve the ab pointer. In vdev delete sequence the arvif->ar could become NULL and that would trigger kernel panic. Since the caller ath12k_dp_tx() already has a valid ab pointer, pass it directly to avoid panic and unnecessary dereferencing. PC points to "ath12k_dp_tx+0x228/0x988 [ath12k]" LR points to "ath12k_dp_tx+0xc8/0x988 [ath12k]". The Backtrace obtained is as follows: ath12k_dp_tx+0x228/0x988 [ath12k] ath12k_mac_tx_check_max_limit+0x608/0x920 [ath12k] ieee80211_process_measurement_req+0x320/0x348 [mac80211] ieee80211_tx_dequeue+0x9ac/0x1518 [mac80211] ieee80211_tx_dequeue+0xb14/0x1518 [mac80211] ieee80211_tx_prepare_skb+0x224/0x254 [mac80211] ieee80211_xmit+0xec/0x100 [mac80211] __ieee80211_subif_start_xmit+0xc50/0xf40 [mac80211] ieee80211_subif_start_xmit+0x2e8/0x308 [mac80211] netdev_start_xmit+0x150/0x18c dev_hard_start_xmit+0x74/0xc0 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 CVE-2025-38605 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in transmitting buffers containing uninitialized data during ciphertext transmission. This causes uninitialized bytes to be appended after a complete "Application Data" packet, leading to errors on the receiving end when parsing TLS record. CVE-2025-38608 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Check governor before using governor->name Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq") removes governor_name and uses governor->name to replace it. But devfreq->governor may be NULL and directly using devfreq->governor->name may cause null pointer exception. Move the check of governor to before using governor->name. CVE-2025-38609 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() The get_pd_power_uw() function can crash with a NULL pointer dereference when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible during runtime, causing get_cpu_device() to return NULL, which propagates through em_cpu_get() and leads to a crash when em_span_cpus() dereferences the NULL pointer. Add a NULL check after em_cpu_get() and return 0 if unavailable, matching the existing fallback behavior in __dtpm_cpu_setup(). [ rjw: Drop an excess empty code line ] CVE-2025-38610 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() In the error paths after fb_info structure is successfully allocated, the memory allocated in fb_deferred_io_init() for info->pagerefs is not freed. Fix that by adding the cleanup function on the error path. CVE-2025-38612 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths"). Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops. A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files. As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").) To fix it: 1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited. 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk. 3. In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges. CVE-2025-38614 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place. CVE-2025-38616 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history. CVE-2025-38617 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDR_PORT_ANY It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction). Modify the check in __vsock_bind_connectible() to also prevent binding to VMADDR_PORT_ANY. CVE-2025-38618 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: md: make rdev_addable usable for rcu mode Our testcase trigger panic: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Workqueue: md_misc md_start_sync RIP: 0010:rdev_addable+0x4d/0xf0 ... Call Trace: <TASK> md_start_sync+0x329/0x480 process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x14d/0x180 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: raid10 CR2: 00000000000000e0 ---[ end trace 0000000000000000 ]--- RIP: 0010:rdev_addable+0x4d/0xf0 md_spares_need_change in md_start_sync will call rdev_addable which protected by rcu_read_lock/rcu_read_unlock. This rcu context will help protect rdev won't be released, but rdev->mddev will be set to NULL before we call synchronize_rcu in md_kick_rdev_from_array. Fix this by using READ_ONCE and check does rdev->mddev still alive. CVE-2025-38621 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: drop UFO packets in udp_rcv_segment() When sending a packet with virtio_net_hdr to tun device, if the gso_type in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr size, below crash may happen. ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:4572! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:skb_pull_rcsum+0x8e/0xa0 Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000 RSP: 0018:ffffc900001fba38 EFLAGS: 00000297 RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948 RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062 RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001 R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000 R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900 FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0 Call Trace: <TASK> udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445 udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475 udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626 __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690 ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233 ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579 ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636 ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670 __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067 netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210 napi_complete_done+0x78/0x180 net/core/dev.c:6580 tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909 tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984 vfs_write+0x300/0x420 fs/read_write.c:593 ksys_write+0x60/0xd0 fs/read_write.c:686 do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63 </TASK> To trigger gso segment in udp_queue_rcv_skb(), we should also set option UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try to pull udphdr, but the skb size has been segmented to gso size, which leads to this crash. Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection") introduces segmentation in UDP receive path only for GRO, which was never intended to be used for UFO, so drop UFO packets in udp_rcv_segment(). CVE-2025-38622 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Fix surprise plug detection and recovery The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices. This comes down to two issues: 1) When a device is surprise removed, often the bridge upstream port will cause a PE freeze on the PHB. If this freeze is not cleared, the MSI interrupts from the bridge hotplug notification logic will not be received by the kernel, stalling all plug events on all slots associated with the PE. 2) When a device is removed from a slot, regardless of surprise or programmatic removal, the associated PHB/PE ls left frozen. If this freeze is not cleared via a fundamental reset, skiboot is unable to clear the freeze and cannot retrain / rescan the slot. This also requires a reboot to clear the freeze and redetect the device in the slot. Issue the appropriate unfreeze and rescan commands on hotplug events, and don't oops on hotplug if pci_bus_to_OF_node() returns NULL. [bhelgaas: tidy comments] CVE-2025-38623 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 low In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Clean up allocated IRQs on unplug When the root of a nested PCIe bridge configuration is unplugged, the pnv_php driver leaked the allocated IRQ resources for the child bridges' hotplug event notifications, resulting in a panic. Fix this by walking all child buses and deallocating all its IRQ resources before calling pci_hp_remove_devices(). Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so that it is only destroyed in pnv_php_free_slot(), instead of pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will now be called by workers triggered by hot unplug interrupts, so the workqueue needs to stay allocated. The abridged kernel panic that occurs without this patch is as follows: WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2 Call Trace: msi_device_data_release+0x34/0x9c (unreliable) release_nodes+0x64/0x13c devres_release_all+0xc0/0x140 device_del+0x2d4/0x46c pci_destroy_dev+0x5c/0x194 pci_hp_remove_devices+0x90/0x128 pci_hp_remove_devices+0x44/0x128 pnv_php_disable_slot+0x54/0xd4 power_write_file+0xf8/0x18c pci_slot_attr_store+0x40/0x5c sysfs_kf_write+0x64/0x78 kernfs_fop_write_iter+0x1b0/0x290 vfs_write+0x3bc/0x50c ksys_write+0x84/0x140 system_call_exception+0x124/0x230 system_call_vectored_common+0x15c/0x2ec [bhelgaas: tidy comments] CVE-2025-38624 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot allocate a struct fb_modelist. If that happens, the modelist stays empty but the driver continues to register. Add a check for its return value to prevent poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var"). CVE-2025-38630 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pinmux: fix race causing mux_owner NULL with active mux_usecount commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrl_select_state() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer. The issue occurs due to the following interleaving: cpu0 (process A) cpu1 (process B) pin_request() { pin_free() { mutex_lock() desc->mux_usecount--; //becomes 0 .. mutex_unlock() mutex_lock(desc->mux) desc->mux_usecount++; // becomes 1 desc->mux_owner = owner; mutex_unlock(desc->mux) mutex_lock(desc->mux) desc->mux_owner = NULL; mutex_unlock(desc->mux) This sequence leads to a state where the pin appears to be in use (`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can cause NULL pointer on next pin_request on the same pin. Ensure that updates to mux_usecount and mux_owner are performed atomically under the same lock. Only clear mux_owner when mux_usecount reaches zero and no new owner has been assigned. CVE-2025-38632 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-charger: Fix null check for power_supply_get_by_name In the cpcap_usb_detect() function, the power_supply_get_by_name() function may return `NULL` instead of an error pointer. To prevent potential null pointer dereferences, Added a null check. CVE-2025-38634 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: clk: davinci: Add NULL check in davinci_lpsc_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, davinci_lpsc_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensuring no resources are left allocated. CVE-2025-38635 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_nfacct: don't assume acct name is null-terminated BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721 Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 [..] string+0x231/0x2b0 lib/vsprintf.c:721 vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 [..] nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41 xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523 nfnl_acct_find_get() handles non-null input, but the error printk relied on its presence. CVE-2025-38639 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Disable migration in nf_hook_run_bpf(). syzbot reported that the netfilter bpf prog can be called without migration disabled in xmit path. Then the assertion in __bpf_prog_run() fails, triggering the splat below. [0] Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf(). [0]: BUG: assuming non migratable context at ./include/linux/filter.h:703 in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session 3 locks held by sshd-session/5829: #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline] #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395 #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470 #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241 CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 __cant_migrate kernel/sched/core.c:8860 [inline] __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834 __bpf_prog_run include/linux/filter.h:703 [inline] bpf_prog_run include/linux/filter.h:725 [inline] nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623 nf_hook+0x370/0x680 include/linux/netfilter.h:272 NF_HOOK_COND include/linux/netfilter.h:305 [inline] ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:459 [inline] ip_local_out net/ipv4/ip_output.c:129 [inline] __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527 __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479 tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline] tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838 __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021 tcp_push+0x225/0x700 net/ipv4/tcp.c:759 tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396 inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] sock_write_iter+0x4aa/0x5b0 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x6c7/0x1150 fs/read_write.c:686 ksys_write+0x1f8/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe7d365d407 Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: CVE-2025-38640 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Callers of wdev_chandef() must hold the wiphy mutex. But the worker cfg80211_propagate_cac_done_wk() never takes the lock. Which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes: WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 Modules linked in: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Workqueue: cfg80211 cfg80211_propagate_cac_done_wk Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Call Trace: [<6002ec30>] ? _printk+0x0/0x98 [<6003c2b3>] show_stack+0x10e/0x11a [<6002ec30>] ? _printk+0x0/0x98 [<60037608>] dump_stack_lvl+0x71/0xb8 [<6063717b>] ? wdev_chandef+0x60/0x165 [<6003766d>] dump_stack+0x1e/0x20 [<6005d1b7>] __warn+0x101/0x20f [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<600b11a2>] ? mark_held_locks+0x5a/0x6e [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d [<60052e53>] ? unblock_signals+0x3a/0xe7 [<60052f2d>] ? um_set_signals+0x2d/0x43 [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<607508b2>] ? lock_is_held_type+0x207/0x21f [<6063717b>] wdev_chandef+0x60/0x165 [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f [<60052f00>] ? um_set_signals+0x0/0x43 [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a [<6007e460>] process_scheduled_works+0x3bc/0x60e [<6007d0ec>] ? move_linked_works+0x4d/0x81 [<6007d120>] ? assign_work+0x0/0xaa [<6007f81f>] worker_thread+0x220/0x2dc [<600786ef>] ? set_pf_worker+0x0/0x57 [<60087c96>] ? to_kthread+0x0/0x43 [<6008ab3c>] kthread+0x2d3/0x2e2 [<6007f5ff>] ? worker_thread+0x0/0x2dc [<6006c05b>] ? calculate_sigpending+0x0/0x56 [<6003b37d>] new_thread_handler+0x4a/0x64 irq event stamp: 614611 hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985 CVE-2025-38643 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject TDLS operations when station is not associated syzbot triggered a WARN in ieee80211_tdls_oper() by sending NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT, before association completed and without prior TDLS setup. This left internal state like sdata->u.mgd.tdls_peer uninitialized, leading to a WARN_ON() in code paths that assumed it was valid. Reject the operation early if not in station mode or not associated. CVE-2025-38644 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Check device memory pointer before usage Add a NULL check before accessing device memory to prevent a crash if dev->dm allocation in mlx5_init_once() fails. CVE-2025-38645 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band With a quite rare chance, RX report might be problematic to make SW think a packet is received on 6 GHz band even if the chip does not support 6 GHz band actually. Since SW won't initialize stuffs for unsupported bands, NULL dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() -> rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it. The following is a crash log for this case. BUG: kernel NULL pointer dereference, address: 0000000000000032 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4) Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024 RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core] Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85 RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246 RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011 RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6 RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000 R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4 R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <IRQ> ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x4f/0xa0 ? asm_exc_page_fault+0x22/0x30 ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)] __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)] rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)] rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)] CVE-2025-38646 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: remove mutex_lock check in hfsplus_free_extents Syzbot reported an issue in hfsplus filesystem: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 hfsplus_free_extents+0x700/0xad0 Call Trace: <TASK> hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606 hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56 cont_expand_zero fs/buffer.c:2383 [inline] cont_write_begin+0x2cf/0x860 fs/buffer.c:2446 hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52 generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347 hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263 notify_change+0xe38/0x10f0 fs/attr.c:420 do_truncate+0x1fb/0x2e0 fs/open.c:65 do_sys_ftruncate+0x2eb/0x380 fs/open.c:193 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") unlock extree before hfsplus_free_extents(), and add check wheather extree is locked in hfsplus_free_extents(). However, when operations such as hfsplus_file_release, hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed concurrently in different files, it is very likely to trigger the WARN_ON, which will lead syzbot and xfstest to consider it as an abnormality. The comment above this warning also describes one of the easy triggering situations, which can easily trigger and cause xfstest&syzbot to report errors. [task A] [task B] ->hfsplus_file_release ->hfsplus_file_truncate ->hfs_find_init ->mutex_lock ->mutex_unlock ->hfsplus_write_begin ->hfsplus_get_block ->hfsplus_file_extend ->hfsplus_ext_read_extent ->hfs_find_init ->mutex_lock ->hfsplus_free_extents WARN_ON(mutex_is_locked) !!! Several threads could try to lock the shared extents tree. And warning can be triggered in one thread when another thread has locked the tree. This is the wrong behavior of the code and we need to remove the warning. CVE-2025-38650 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() Preserve the error code if iwl_setup_deferred_work() fails. The current code returns ERR_PTR(0) (which is NULL) on this path. I believe the missing error code potentially leads to a use after free involving debugfs. CVE-2025-38656 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: gfs2: No more self recovery When a node withdraws and it turns out that it is the only node that has the filesystem mounted, gfs2 currently tries to replay the local journal to bring the filesystem back into a consistent state. Not only is that a very bad idea, it has also never worked because gfs2_recover_func() will refuse to do anything during a withdraw. However, before even getting to this point, gfs2_recover_func() dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") and is a NULL pointer dereference since then. Simply get rid of self recovery to fix that. CVE-2025-38659 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: [ceph] parse_longname(): strrchr() expects NUL-terminated string ... and parse_longname() is not guaranteed that. That's the reason why it uses kmemdup_nul() to build the argument for kstrtou64(); the problem is, kstrtou64() is not the only thing that need it. Just get a NUL-terminated copy of the entire thing and be done with that... CVE-2025-38660 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject invalid file types when reading inodes To prevent inodes with invalid file types from tripping through the vfs and causing malfunctions or assertion failures, add a missing sanity check when reading an inode from a block device. If the file type is not valid, treat it as a filesystem error. CVE-2025-38663 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference. CVE-2025-38664 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code path that call struct can_priv::do_set_mode: - directly by a manual restart from the user space, via can_changelink() - delayed automatic restart after bus off (deactivated by default) To prevent the NULL pointer deference, refuse a manual restart or configure the automatic restart delay in can_changelink() and report the error via extack to user space. As an additional safety measure let can_restart() return an error if can_priv::do_set_mode is not set instead of dereferencing it unchecked. CVE-2025-38665 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix NULL dereference on unbind due to stale coupling data Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can lead to NULL pointer dereference when regulators are accessed post-unbind. This can happen during runtime PM or other regulator operations that rely on coupling metadata. For example, on ridesx4, unbinding the 'reg-dummy' platform device triggers a panic in regulator_lock_recursive() due to stale coupling state. Ensure n_coupled is set to 0 to prevent access to invalid pointers. CVE-2025-38668 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled. This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF. CVE-2025-38670 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: i2c: qup: jump out of the loop in case of timeout Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a long time test with a PCA953x GPIO extender. Fix it by changing the logic to not only sets the return value, but also jumps out of the loop and return to the caller with -ETIMEDOUT. CVE-2025-38671 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Avoid stack buffer overflow from kernel cmdline While the kernel command line is considered trusted in most environments, avoid writing 1 byte past the end of "acpiid" if the "str" argument is maximum length. CVE-2025-38676 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject duplicate device on updates A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device. Check if a duplicated device exists in the transaction batch, bail out with EEXIST in such case. WARNING is hit when unregistering the hook: [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) [...] [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150 CVE-2025-38678 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed. Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior. CVE-2025-38679 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format(). CVE-2025-38680 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths. CVE-2025-38681 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered to the default namespace, it automatically brings VF NIC back to the default namespace. This will cause the default_device_exit_net() >> for_each_netdev_safe loop unable to detect the list end, and hit NULL ptr: [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 231.450246] #PF: supervisor read access in kernel mode [ 231.450579] #PF: error_code(0x0000) - not-present page [ 231.450916] PGD 17b8a8067 P4D 0 [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 231.452692] Workqueue: netns cleanup_net [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 [ 231.458434] Call Trace: [ 231.458600] <TASK> [ 231.458777] ops_undo_list+0x100/0x220 [ 231.459015] cleanup_net+0x1b8/0x300 [ 231.459285] process_one_work+0x184/0x340 To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it. CVE-2025-38683 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem is here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration: - old 'q->nbands' because it's needed by ets_class_find() - old 'q->nstrict' because it's needed by ets_class_is_strict() BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab RSP: 0018:ffffba186009f400 EFLAGS: 00010202 RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ets_class_qlen_notify+0x65/0x90 [sch_ets] qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets] __tc_modify_qdisc.constprop.0+0x216/0x7f0 tc_modify_qdisc+0x7c/0x120 rtnetlink_rcv_msg+0x145/0x3f0 netlink_rcv_skb+0x53/0x100 netlink_unicast+0x245/0x390 netlink_sendmsg+0x21b/0x470 ____sys_sendmsg+0x39d/0x3d0 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xd0 do_syscall_64+0x7d/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f2155114084 Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 </TASK> [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ CVE-2025-38684 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part of mapping it has to do resize of console according to frame buffer info. if this resize fails and returns from vc_do_resize() and continues further. At this point console and new frame buffer are mapped and sets display vars. Despite failure still it continue to proceed updating the screen at later stages where vc_data is related to previous frame buffer and frame buffer info and display vars are mapped to new frame buffer and eventully leading to out-of-bounds write in fast_imageblit(). This bheviour is excepted only when fg_console is equal to requested console which is a visible console and updates screen with invalid struct references in fbcon_putcs(). CVE-2025-38685 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: comedi: fix race between polling and detaching syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl. Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`. Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter. Thanks to Jens Axboe for diagnosing the problem and co-developing this patch. CVE-2025-38687 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers. An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server. During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in ext_tree_encode_commit() does not help much. Since this number increases even more between unlocking and locking of ext_tree, the reallocated buffer may not be large enough again and again. CVE-2025-38691 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: exfat: add cluster chain loop check for dir An infinite loop may occur if the following conditions occur due to file system corruption. (1) Condition for exfat_count_dir_entries() to loop infinitely. - The cluster chain includes a loop. - There is no UNUSED entry in the cluster chain. (2) Condition for exfat_create_upcase_table() to loop infinitely. - The cluster chain of the root directory includes a loop. - There are no UNUSED entry and up-case table entry in the cluster chain of the root directory. (3) Condition for exfat_load_bitmap() to loop infinitely. - The cluster chain of the root directory includes a loop. - There are no UNUSED entry and bitmap entry in the cluster chain of the root directory. (4) Condition for exfat_find_dir_entry() to loop infinitely. - The cluster chain includes a loop. - The unused directory entries were exhausted by some operation. (5) Condition for exfat_check_dir_empty() to loop infinitely. - The cluster chain includes a loop. - The unused directory entries were exhausted by some operation. - All files and sub-directories under the directory are deleted. This commit adds checks to break the above infinite loop. CVE-2025-38692 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") CVE-2025-38693 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar issue occurs when access msg[1].buf[0] and msg[1].buf[1]. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") CVE-2025-38694 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may occur before sli4_hba.hdwqs are allocated. This may result in a null pointer dereference when attempting to take the abts_io_buf_list_lock for the first hardware queue. Fix by adding a null ptr check on phba->sli4_hba.hdwq and early return because this situation means there must have been an error during port initialization. CVE-2025-38695 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of bounds realative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted. CVE-2025-38697 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption check The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures. CVE-2025-38698 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() when an inode had the INLINE_DATA_FL flag set but was missing the system.data extended attribute. Since this can happen due to a maiciouly fuzzed file system, we shouldn't BUG, but rather, report it as a corrupted file system. Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii ext4_create_inline_data() and ext4_inline_data_truncate(). CVE-2025-38701 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fbdev: fix potential buffer overflow in do_register_framebuffer() The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in registered_fb[] 2. All array slots become occupied despite num_registered_fb < FB_MAX 3. The registration loop exceeds array bounds Add boundary check to prevent registered_fb[FB_MAX] access. CVE-2025-38702 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix null pointer access Writing a string without delimiters (' ', '\n', '\0') to the under gpu_od/fan_ctrl sysfs or pp_power_profile_mode for the CUSTOM profile will result in a null pointer dereference. CVE-2025-38705 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will leads to null pointer dereference. This was reproduced with topology loading and marking a link as ignore due to missing hardware component on the system. On module removal the soc_tplg_remove_link() would call snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored, no runtime was created. CVE-2025-38706 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: loop: Avoid updating block size under exclusive owner Syzbot came up with a reproducer where a loop device block size is changed underneath a mounted filesystem. This causes a mismatch between the block device block size and the block size stored in the superblock causing confusion in various places such as fs/buffer.c. The particular issue triggered by syzbot was a warning in __getblk_slow() due to requested buffer size not matching block device block size. Fix the problem by getting exclusive hold of the loop device to change its block size. This fails if somebody (such as filesystem) has already an exclusive ownership of the block device and thus prevents modifying the loop device under some exclusive owner which doesn't expect it. CVE-2025-38709 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() When the volume header contains erroneous values that do not reflect the actual state of the filesystem, hfsplus_fill_super() assumes that the attributes file is not yet created, which later results in hitting BUG_ON() when hfsplus_create_attributes_file() is called. Replace this BUG_ON() with -EIO error with a message to suggest running fsck tool. CVE-2025-38712 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() The hfsplus_readdir() method is capable to crash by calling hfsplus_uni2asc(): [ 667.121659][ T9805] ================================================================== [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10 [ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805 [ 667.124578][ T9805] [ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full) [ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 667.124890][ T9805] Call Trace: [ 667.124893][ T9805] <TASK> [ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0 [ 667.124911][ T9805] print_report+0xd0/0x660 [ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610 [ 667.124928][ T9805] ? __phys_addr+0xe8/0x180 [ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10 [ 667.124942][ T9805] kasan_report+0xc6/0x100 [ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10 [ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10 [ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360 [ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0 [ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10 [ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0 [ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20 [ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0 [ 667.125022][ T9805] ? lock_acquire+0x30/0x80 [ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20 [ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0 [ 667.125044][ T9805] ? putname+0x154/0x1a0 [ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10 [ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0 [ 667.125069][ T9805] iterate_dir+0x296/0xb20 [ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0 [ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10 [ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200 [ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10 [ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0 [ 667.125143][ T9805] do_syscall_64+0xc9/0x480 [ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9 [ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 [ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9 [ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9 [ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004 [ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110 [ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260 [ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 667.125207][ T9805] </TASK> [ 667.125210][ T9805] [ 667.145632][ T9805] Allocated by task 9805: [ 667.145991][ T9805] kasan_save_stack+0x20/0x40 [ 667.146352][ T9805] kasan_save_track+0x14/0x30 [ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0 [ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550 [ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0 [ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0 [ 667.148174][ T9805] iterate_dir+0x296/0xb20 [ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0 [ 667.148937][ T9805] do_syscall_64+0xc9/0x480 [ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 667.149809][ T9805] [ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000 [ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048 [ 667.151282][ T9805] The buggy address is located 0 bytes to the right of [ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c) [ 667.1 ---truncated--- CVE-2025-38713 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() The hfsplus_bnode_read() method can trigger the issue: [ 174.852007][ T9784] ================================================================== [ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360 [ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784 [ 174.854059][ T9784] [ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full) [ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 174.854286][ T9784] Call Trace: [ 174.854289][ T9784] <TASK> [ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0 [ 174.854305][ T9784] print_report+0xd0/0x660 [ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610 [ 174.854323][ T9784] ? __phys_addr+0xe8/0x180 [ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 [ 174.854337][ T9784] kasan_report+0xc6/0x100 [ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 [ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360 [ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380 [ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10 [ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0 [ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310 [ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40 [ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0 [ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0 [ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10 [ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10 [ 174.854436][ T9784] ? __asan_memset+0x23/0x50 [ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320 [ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10 [ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0 [ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40 [ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0 [ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10 [ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0 [ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10 [ 174.854525][ T9784] ? down_write+0x148/0x200 [ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10 [ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0 [ 174.854549][ T9784] do_unlinkat+0x490/0x670 [ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10 [ 174.854565][ T9784] ? __might_fault+0xbc/0x130 [ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550 [ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110 [ 174.854592][ T9784] do_syscall_64+0xc9/0x480 [ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167 [ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08 [ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167 [ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50 [ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40 [ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0 [ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 174.854658][ T9784] </TASK> [ 174.854661][ T9784] [ 174.879281][ T9784] Allocated by task 9784: [ 174.879664][ T9784] kasan_save_stack+0x20/0x40 [ 174.880082][ T9784] kasan_save_track+0x14/0x30 [ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0 [ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550 [ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890 [ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10 [ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520 [ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x3 ---truncated--- CVE-2025-38714 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and correct the requested length (if it is necessary). These methods are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent the access out of allocated memory and triggering the crash. CVE-2025-38715 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table(): if (res < 0) { nf_conntrack_get(&ct->ct_general); // HERE cb->args[1] = (unsigned long)ct; ... While its very unlikely, its possible that ct == last. If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone. This prevents the conntrack object from being released, which in turn keeps prevents cnet->count from dropping back to 0. This will then block the netns dismantle (or conntrack rmmod) as nf_conntrack_cleanup_net_list() will wait forever. This can be reproduced by running conntrack_resize.sh selftest in a loop. It takes ~20 minutes for me on a preemptible kernel on average before I see a runaway kworker spinning in nf_conntrack_cleanup_net_list. One fix would to change this to: if (res < 0) { if (ct != last) nf_conntrack_get(&ct->ct_general); But this reference counting isn't needed in the first place. We can just store a cookie value instead. A followup patch will do the same for ctnetlink_exp_dump_table, it looks to me as if this has the same problem and like ctnetlink_dump_table, we only need a 'skip hint', not the actual object so we can apply the same cookie strategy there as well. CVE-2025-38721 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: habanalabs: fix UAF in export_dmabuf() As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF. dma_buf_fd() is a combination of reserving a descriptor and fd_install(). habanalabs export_dmabuf() calls it and then proceeds to access the objects destroyed on close. In particular, it grabs an extra reference to another struct file that will be dropped as part of ->release() for ours; that "will be" is actually "might have already been". Fix that by reserving descriptor before anything else and do fd_install() only when everything had been set up. As a side benefit, we no longer have the failure exit with file already created, but reference to underlying file (as well as ->dmabuf_export_cnt, etc.) not grabbed yet; unlike dma_buf_fd(), fd_install() can't fail. CVE-2025-38722 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all. In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked(). CVE-2025-38724 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly deference member of phydev->drv for non-main phy devices. Then NULL pointer dereference issue will occur. Due to only external phy or internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud the issue. CVE-2025-38725 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. CVE-2025-38729 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: io_uring/net: commit partial buffers on retry Ring provided buffers are potentially only valid within the single execution context in which they were acquired. io_uring deals with this and invalidates them on retry. But on the networking side, if MSG_WAITALL is set, or if the socket is of the streaming type and too little was processed, then it will hang on to the buffer rather than recycle or commit it. This is problematic for two reasons: 1) If someone unregisters the provided buffer ring before a later retry, then the req->buf_list will no longer be valid. 2) If multiple sockers are using the same buffer group, then multiple receives can consume the same memory. This can cause data corruption in the application, as either receive could land in the same userspace buffer. Fix this by disallowing partial retries from pinning a provided buffer across multiple executions, if ring provided buffers are used. CVE-2025-38730 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] Call Trace: nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325 nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27 expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline] .. This is because blamed commit forgot about loopback packets. Such packets already have a dst_entry attached, even at PRE_ROUTING stage. Instead of checking hook just check if the skb already has a route attached to it. CVE-2025-38732 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing report a UAF issue: [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0 [ 16.447134] #PF: supervisor read access in kernel mod e [ 16.447516] #PF: error_code(0x0000) - not-present pag e [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #4 2 [ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL E [ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201 4 [ 16.450201] Workqueue: smc_hs_wq smc_listen_wor k [ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x159 0 [ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024 6 [ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030 0 [ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000 0 [ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000 5 [ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640 0 [ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092 0 [ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000 0 [ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003 3 [ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef 0 [ 16.456459] PKRU: 5555555 4 [ 16.456654] Call Trace : [ 16.456832] <TASK > [ 16.456989] ? __die+0x23/0x7 0 [ 16.457215] ? page_fault_oops+0x180/0x4c 0 [ 16.457508] ? __lock_acquire+0x3e6/0x249 0 [ 16.457801] ? exc_page_fault+0x68/0x20 0 [ 16.458080] ? asm_exc_page_fault+0x26/0x3 0 [ 16.458389] ? smc_listen_work+0xc02/0x159 0 [ 16.458689] ? smc_listen_work+0xc02/0x159 0 [ 16.458987] ? lock_is_held_type+0x8f/0x10 0 [ 16.459284] process_one_work+0x1ea/0x6d 0 [ 16.459570] worker_thread+0x1c3/0x38 0 [ 16.459839] ? __pfx_worker_thread+0x10/0x1 0 [ 16.460144] kthread+0xe0/0x11 0 [ 16.460372] ? __pfx_kthread+0x10/0x1 0 [ 16.460640] ret_from_fork+0x31/0x5 0 [ 16.460896] ? __pfx_kthread+0x10/0x1 0 [ 16.461166] ret_from_fork_asm+0x1a/0x3 0 [ 16.461453] </TASK > [ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE) ] [ 16.462134] CR2: 000000000000003 0 [ 16.462380] ---[ end trace 0000000000000000 ]--- [ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590 The direct cause of this issue is that after smc_listen_out_connected(), newclcsock->sk may be NULL since it will releases the smcsk. Therefore, if the application closes the socket immediately after accept, newclcsock->sk can be NULL. A possible execution order could be as follows: smc_listen_work | userspace ----------------------------------------------------------------- lock_sock(sk) | smc_listen_out_connected() | | \- smc_listen_out | | | \- release_sock | | |- sk->sk_data_ready() | | fd = accept(); | close(fd); | \- socket->sk = NULL; /* newclcsock->sk is NULL now */ SMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk)) Since smc_listen_out_connected() will not fail, simply swapping the order of the code can easily fix this issue. CVE-2025-38734 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers. In gve, shutdown() tears down most internal data structures. If an ethtool operation is dispatched after shutdown(), it will dereference freed or NULL pointers, leading to a kernel panic. While graceful shutdown normally quiesces userspace before invoking the reboot syscall, forced shutdowns (as observed on GCP VMs) can still trigger this path. Fix by calling netif_device_detach() in shutdown(). This marks the device as detached so the ethtool ioctl handler will skip dispatching operations to the driver. CVE-2025-38735 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues with MDIO bus operations. Fix this by masking the PHY address with 0x1f (31 decimal) to ensure it stays within the valid range. CVE-2025-38736 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference. Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null. This is similar to the commit c3e9826a2202 ("drm/amd/display: Add null pointer check for get_first_active_display()"). (cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893) CVE-2025-39675 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix backlog accounting in qdisc_dequeue_internal This issue applies for the following qdiscs: hhf, fq, fq_codel, and fq_pie, and occurs in their change handlers when adjusting to the new limit. The problem is the following in the values passed to the subsequent qdisc_tree_reduce_backlog call given a tbf parent: When the tbf parent runs out of tokens, skbs of these qdiscs will be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued, which accounts for both qlen and backlog. However, in the case of qdisc_dequeue_internal, ONLY qlen is accounted for when pulling from gso_skb. This means that these qdiscs are missing a qdisc_qstats_backlog_dec when dropping packets to satisfy the new limit in their change handlers. One can observe this issue with the following (with tc patched to support a limit of 0): export TARGET=fq tc qdisc del dev lo root tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000 echo ''; echo 'add child'; tc -s -d qdisc show dev lo ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null echo ''; echo 'after ping'; tc -s -d qdisc show dev lo tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0 echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo tc qdisc replace dev lo handle 2: parent 1:1 sfq echo ''; echo 'post graft'; tc -s -d qdisc show dev lo The second to last show command shows 0 packets but a positive number (74) of backlog bytes. The problem becomes clearer in the last show command, where qdisc_purge_queue triggers qdisc_tree_reduce_backlog with the positive backlog and causes an underflow in the tbf parent's backlog (4096 Mb instead of 0). To fix this issue, the codepath for all clients of qdisc_dequeue_internal has been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel. qdisc_dequeue_internal handles the backlog adjustments for all cases that do not directly use the dequeue handler. The old fq_codel_change limit adjustment loop accumulated the arguments to the subsequent qdisc_tree_reduce_backlog call through the cstats field. However, this is confusing and error prone as fq_codel_dequeue could also potentially mutate this field (which qdisc_dequeue_internal calls in the non gso_skb case), so we have unified the code here with other qdiscs. CVE-2025-39677 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL If metric table address is not allocated, accessing metrics_bin will result in a NULL pointer dereference, so add a check. CVE-2025-39678 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor(). When the nvif_vmm_type is invalid, we will return error directly without freeing the args in nvif_vmm_ctor(), which leading a memory leak. Fix it by setting the ret -EINVAL and goto done. CVE-2025-39679 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in their code. This triggers a division by zero fault during early booting stage on our machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale. Add the missing resctrl_cpu_detect() in the Hygon BSP init helper. [ bp: Massage commit message. ] CVE-2025-39681 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there. Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length). Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length. CVE-2025-39682 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data. Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer. Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction. Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer. CVE-2025-39684 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options[1]` value to 30 or lower, or using `1U << it->options[1]`. The old code would just not attempt to request the IRQ if the `options[1]` value were invalid. And it would still configure the device without interrupts even if the call to `request_irq` returned an error. So it would be better to combine this test with the test below. CVE-2025-39685 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.) Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers. CVE-2025-39686 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x2c/0x390 print_report+0xb4/0x270 kasan_report+0xb8/0xf0 end_buffer_read_sync+0xe3/0x110 end_bio_bh_io_sync+0x56/0x80 blk_update_request+0x30a/0x720 scsi_end_request+0x51/0x2b0 scsi_io_completion+0xe3/0x480 ? scsi_device_unbusy+0x11e/0x160 blk_complete_reqs+0x7b/0x90 handle_softirqs+0xef/0x370 irq_exit_rcu+0xa5/0xd0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> Above issue happens when do ntfs3 filesystem mount, issue may happens as follows: mount IRQ ntfs_fill_super read_cache_page do_read_cache_folio filemap_read_folio mpage_read_folio do_mpage_readpage ntfs_get_block_vbo bh_read submit_bh wait_on_buffer(bh); blk_complete_reqs scsi_io_completion scsi_end_request blk_update_request end_bio_bh_io_sync end_buffer_read_sync __end_buffer_read_notouch unlock_buffer wait_on_buffer(bh);--> return will return to caller put_bh --> trigger stack-out-of-bounds In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun. If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch(). CVE-2025-39691 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL. [HOW] Check returns before dereference. (cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9) CVE-2025-39693 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present check Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation. If the kernel identity mapping does not start at address zero, the resulting virtual address is never zero, so that the NULL checks won't work. Subsequently this may result in incorrect accesses to the first page of the identity mapping. Fix this by introducing a function that handles the NULL case before address translation. CVE-2025-39694 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ACPI: pfr_update: Fix the driver update version check The security-version-number check should be used rather than the runtime version check for driver updates. Otherwise, the firmware update would fail when the update binary had a lower runtime version number than the current one. [ rjw: Changelog edits ] CVE-2025-39701 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if skb can't hold tag Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG): [ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1 [ 45.392559] ------------[ cut here ]------------ [ 45.392912] kernel BUG at net/core/skbuff.c:211! [ 45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef) [ 45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 45.395273] RIP: 0010:skb_panic+0x15b/0x1d0 <snip registers, remove unreliable trace> [ 45.402911] Call Trace: [ 45.403105] <IRQ> [ 45.404470] skb_push+0xcd/0xf0 [ 45.404726] br_dev_queue_push_xmit+0x7c/0x6c0 [ 45.406513] br_forward_finish+0x128/0x260 [ 45.408483] __br_forward+0x42d/0x590 [ 45.409464] maybe_deliver+0x2eb/0x420 [ 45.409763] br_flood+0x174/0x4a0 [ 45.410030] br_handle_frame_finish+0xc7c/0x1bc0 [ 45.411618] br_handle_frame+0xac3/0x1230 [ 45.413674] __netif_receive_skb_core.constprop.0+0x808/0x3df0 [ 45.422966] __netif_receive_skb_one_core+0xb4/0x1f0 [ 45.424478] __netif_receive_skb+0x22/0x170 [ 45.424806] process_backlog+0x242/0x6d0 [ 45.425116] __napi_poll+0xbb/0x630 [ 45.425394] net_rx_action+0x4d1/0xcc0 [ 45.427613] handle_softirqs+0x1a4/0x580 [ 45.427926] do_softirq+0x74/0x90 [ 45.428196] </IRQ> This issue was found by syzkaller. The panic happens in br_dev_queue_push_xmit() once it receives a corrupted skb with ETH header already pushed in linear data. When it attempts the skb_push() call, there's not enough headroom and skb_push() panics. The corrupted skb is put on the queue by HSR layer, which makes a sequence of unintended transformations when it receives a specific corrupted HSR frame (with incomplete TAG). Fix it by dropping and consuming frames that are not long enough to contain both ethernet and hsr headers. Alternative fix would be to check for enough headroom before skb_push() in br_dev_queue_push_xmit(). In the reproducer, this is injected via AF_PACKET, but I don't easily see why it couldn't be sent over the wire from adjacent network. Further Details: In the reproducer, the following network interface chain is set up: ────────────────┐ ────────────────┐ | veth0_to_hsr ├───┤ hsr_slave0 ┼───┐ ────────────────┘ ────────────────┘ | | ──────┐ ├─┤ hsr0 ├───┐ | ──────┘ | ────────────────┐ ────────────────┐ | | ────────┐ | veth1_to_hsr ┼───┤ hsr_slave1 ├───┘ ┤ | ────────────────┘ ────────────────┘ ┼ bridge | || | | ────────┘ | ───────┐ | | ... ├──────┘ ───────┘ To trigger the events leading up to crash, reproducer sends a corrupted HSR fr ---truncated--- CVE-2025-39703 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a Null pointer dereference vulnerability [Why] A null pointer dereference vulnerability exists in the AMD display driver's (DC module) cleanup function dc_destruct(). When display control context (dc->ctx) construction fails (due to memory allocation failure), this pointer remains NULL. During subsequent error handling when dc_destruct() is called, there's no NULL check before dereferencing the perf_trace member (dc->ctx->perf_trace), causing a kernel null pointer dereference crash. [How] Check if dc->ctx is non-NULL before dereferencing. (Updated commit text and removed unnecessary error message) (cherry picked from commit 9dd8e2ba268c636c240a918e0a31e6feaee19404) CVE-2025-39705 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but kfd_process_destroy_wq calls kfd_debugfs_remove_process. This line debugfs_remove_recursive(entry->proc_dentry); tries to remove /sys/kernel/debug/kfd/proc/<pid> while /sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel NULL pointer. (cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233) CVE-2025-39706 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against spurious interrupts during probe Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference. This error condition has been observed during system boot on Rb3Gen2. CVE-2025-39709 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for packet size after reading from shared memory Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to process and prevent potential out-of-bounds memory access. CVE-2025-39710 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock. Multiple interrupt invocations can race, with each reading buf_len before it becomes full and then proceeding. This can lead to both interrupts attempting to write to the buffer, incrementing buf_len beyond its capacity (DATA_SIZE) and causing a buffer overflow. Fix this bug by moving the spin_lock() to before the buffer full check. This ensures that the check and the subsequent buffer modification are performed atomically, preventing the race condition. An corresponding spin_unlock() is added to the overflow path to correctly release the lock. This possible bug was found by an experimental static analysis tool developed by our team. CVE-2025-39713 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows. [hverkuil: call vb2_is_busy instead of vb2_is_streaming] CVE-2025-39714 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky. Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put(). CVE-2025-39718 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access. In practice, this shouldn't happen though because a match should always be found which breaks out of the for loop before it iterates beyond the end of the hw_xlate array. By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be sure we are iterating over the correct length. CVE-2025-39719 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: crypto: qat - flush misc workqueue during device shutdown Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded. Since the driver uses a shared workqueue (`qat_misc_wq`) across all devices and owned by intel_qat.ko, a deferred routine from the device-specific driver may still be pending in the queue. If this routine executes after the driver is unloaded, it can dereference freed memory, resulting in a page fault and kernel crash like the following: BUG: unable to handle page fault for address: ffa000002e50a01c #PF: supervisor read access in kernel mode RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat] Call Trace: pm_bh_handler+0x1d2/0x250 [intel_qat] process_one_work+0x171/0x340 worker_thread+0x277/0x3a0 kthread+0xf0/0x120 ret_from_fork+0x2d/0x50 To prevent this, flush the misc workqueue during device shutdown to ensure that all pending work items are completed before the driver is unloaded. Note: This approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, but it ensures correctness and stability. CVE-2025-39721 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 CVE-2025-39724 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: s390/ism: fix concurrency management in ism_cmd() The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driver in Linux does not honor that requirement. This patch aims to rectify that. This problem was discovered based on Aliaksei's bug report which states that for certain workloads the ISM functions end up entering error state (with PEC 2 as seen from the logs) after a while and as a consequence connections handled by the respective function break, and for future connection requests the ISM device is not considered -- given it is in a dysfunctional state. During further debugging PEC 3A was observed as well. A kernel message like [ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a is a reliable indicator of the stated function entering error state with PEC 2. Let me also point out that a kernel message like [ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery is a reliable indicator that the ISM function won't be auto-recovered because the ISM driver currently lacks support for it. On a technical level, without this synchronization, commands (inputs to the FW) may be partially or fully overwritten (corrupted) by another CPU trying to issue commands on the same function. There is hard evidence that this can lead to DMB token values being used as DMB IOVAs, leading to PEC 2 PCI events indicating invalid DMA. But this is only one of the failure modes imaginable. In theory even completely losing one command and executing another one twice and then trying to interpret the outputs as if the command we intended to execute was actually executed and not the other one is also possible. Frankly, I don't feel confident about providing an exhaustive list of possible consequences. CVE-2025-39726 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() The function needs to check the minimal filehandle length before it can access the embedded filehandle. CVE-2025-39730 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to ieee80211_iterate_stations_atomic(). Note in this case the iterator is required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does not follow it as it might sleep. Consequently below warning is seen: BUG: sleeping function called from invalid context at wmi.c:304 Call Trace: <TASK> dump_stack_lvl __might_resched.cold ath11k_wmi_cmd_send ath11k_wmi_set_peer_param ath11k_mac_disable_peer_fixed_rate ieee80211_iterate_stations_atomic ath11k_mac_op_set_bitrate_mask.cold Change to ieee80211_iterate_stations_mtx() to fix this issue. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 CVE-2025-39732 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation of partially dropped subvolumes [BUG] There is an internal report that balance triggered transaction abort, with the following call trace: item 85 key (594509824 169 0) itemoff 12599 itemsize 33 extent refs 1 gen 197740 flags 2 ref#0: tree block backref root 7 item 86 key (594558976 169 0) itemoff 12566 itemsize 33 extent refs 1 gen 197522 flags 2 ref#0: tree block backref root 7 ... BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0 BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117 ------------[ cut here ]------------ BTRFS: Transaction aborted (error -117) WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs] And btrfs check doesn't report anything wrong related to the extent tree. [CAUSE] The cause is a little complex, firstly the extent tree indeed doesn't have the backref for 594526208. The extent tree only have the following two backrefs around that bytenr on-disk: item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33 refs 1 gen 197740 flags TREE_BLOCK tree block skinny level 0 (176 0x7) tree block backref root CSUM_TREE item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33 refs 1 gen 197522 flags TREE_BLOCK tree block skinny level 0 (176 0x7) tree block backref root CSUM_TREE But the such missing backref item is not an corruption on disk, as the offending delayed ref belongs to subvolume 934, and that subvolume is being dropped: item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439 generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328 last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0 drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2 level 2 generation_v2 198229 And that offending tree block 594526208 is inside the dropped range of that subvolume. That explains why there is no backref item for that bytenr and why btrfs check is not reporting anything wrong. But this also shows another problem, as btrfs will do all the orphan subvolume cleanup at a read-write mount. So half-dropped subvolume should not exist after an RW mount, and balance itself is also exclusive to subvolume cleanup, meaning we shouldn't hit a subvolume half-dropped during relocation. The root cause is, there is no orphan item for this subvolume. In fact there are 5 subvolumes from around 2021 that have the same problem. It looks like the original report has some older kernels running, and caused those zombie subvolumes. Thankfully upstream commit 8d488a8c7ba2 ("btrfs: fix subvolume/snapshot deletion not triggered on mount") has long fixed the bug. [ENHANCEMENT] For repairing such old fs, btrfs-progs will be enhanced. Considering how delayed the problem will show up (at run delayed ref time) and at that time we have to abort transaction already, it is too late. Instead here we reject any half-dropped subvolume for reloc tree at the earliest time, preventing confusion and extra time wasted on debugging similar bugs. CVE-2025-39738 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu-qcom: Add SM6115 MDSS compatible Add the SM6115 MDSS compatible to clients compatible list, as it also needs that workaround. Without this workaround, for example, QRB4210 RB2 which is based on SM4250/SM6115 generates a lot of smmu unhandled context faults during boot: arm_smmu_context_fault: 116854 callbacks suppressed arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0ec600, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 arm-smmu c600000.iommu: FSYNR0 = 00320021 [S1CBNDX=50 PNU PLVL=1] arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0d7800, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 and also failed initialisation of lontium lt9611uxc, gpu and dpu is observed: (binding MDSS components triggered by lt9611uxc have failed) ------------[ cut here ]------------ !aspace WARNING: CPU: 6 PID: 324 at drivers/gpu/drm/msm/msm_gem_vma.c:130 msm_gem_vma_init+0x150/0x18c [msm] Modules linked in: ... (long list of modules) CPU: 6 UID: 0 PID: 324 Comm: (udev-worker) Not tainted 6.15.0-03037-gaacc73ceeb8b #4 PREEMPT Hardware name: Qualcomm Technologies, Inc. QRB4210 RB2 (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : msm_gem_vma_init+0x150/0x18c [msm] lr : msm_gem_vma_init+0x150/0x18c [msm] sp : ffff80008144b280 ... Call trace: msm_gem_vma_init+0x150/0x18c [msm] (P) get_vma_locked+0xc0/0x194 [msm] msm_gem_get_and_pin_iova_range+0x4c/0xdc [msm] msm_gem_kernel_new+0x48/0x160 [msm] msm_gpu_init+0x34c/0x53c [msm] adreno_gpu_init+0x1b0/0x2d8 [msm] a6xx_gpu_init+0x1e8/0x9e0 [msm] adreno_bind+0x2b8/0x348 [msm] component_bind_all+0x100/0x230 msm_drm_bind+0x13c/0x3d0 [msm] try_to_bring_up_aggregate_device+0x164/0x1d0 __component_add+0xa4/0x174 component_add+0x14/0x20 dsi_dev_attach+0x20/0x34 [msm] dsi_host_attach+0x58/0x98 [msm] devm_mipi_dsi_attach+0x34/0x90 lt9611uxc_attach_dsi.isra.0+0x94/0x124 [lontium_lt9611uxc] lt9611uxc_probe+0x540/0x5fc [lontium_lt9611uxc] i2c_device_probe+0x148/0x2a8 really_probe+0xbc/0x2c0 __driver_probe_device+0x78/0x120 driver_probe_device+0x3c/0x154 __driver_attach+0x90/0x1a0 bus_for_each_dev+0x68/0xb8 driver_attach+0x24/0x30 bus_add_driver+0xe4/0x208 driver_register+0x68/0x124 i2c_register_driver+0x48/0xcc lt9611uxc_driver_init+0x20/0x1000 [lontium_lt9611uxc] do_one_initcall+0x60/0x1d4 do_init_module+0x54/0x1fc load_module+0x1748/0x1c8c init_module_from_file+0x74/0xa0 __arm64_sys_finit_module+0x130/0x2f8 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x2c/0x80 el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c ---[ end trace 0000000000000000 ]--- msm_dpu 5e01000.display-controller: [drm:msm_gpu_init [msm]] *ERROR* could not allocate memptrs: -22 msm_dpu 5e01000.display-controller: failed to load adreno gpu platform a400000.remoteproc:glink-edge:apr:service@7:dais: Adding to iommu group 19 msm_dpu 5e01000.display-controller: failed to bind 5900000.gpu (ops a3xx_ops [msm]): -22 msm_dpu 5e01000.display-controller: adev bind failed: -22 lt9611uxc 0-002b: failed to attach dsi to host lt9611uxc 0-002b: probe with driver lt9611uxc failed with error -22 CVE-2025-39739 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() The function divides number of online CPUs by num_core_siblings, and later checks the divider by zero. This implies a possibility to get and divide-by-zero runtime error. Fix it by moving the check prior to division. This also helps to save one indentation level. CVE-2025-39742 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is 0 The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its inode pages are not truncated. This causes the bugon to be triggered when executing clear_inode() because nrpages is greater than 0. CVE-2025-39743 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to IRQ work During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. This is because the IPI itself triggers the irq_exit() path causing a recursive lock up. This is precisely what Xiongfeng found when invoking a BPF program on the trace_tick_stop() tracepoint As shown in the trace below. Fix by managing the irq_work state correctly. irq_exit() __irq_exit_rcu() /* in_hardirq() returns false after this */ preempt_count_sub(HARDIRQ_OFFSET) tick_irq_exit() tick_nohz_irq_exit() tick_nohz_stop_sched_tick() trace_tick_stop() /* a bpf prog is hooked on this trace point */ __bpf_trace_tick_stop() bpf_trace_run2() rcu_read_unlock_special() /* will send a IPI to itself */ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu); A simple reproducer can also be obtained by doing the following in tick_irq_exit(). It will hang on boot without the patch: static inline void tick_irq_exit(void) { + rcu_read_lock(); + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true); + rcu_read_unlock(); + [neeraj: Apply Frederic's suggested fix for PREEMPT_RT] CVE-2025-39744 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: shutdown driver when hardware is unreliable In rare cases, ath10k may lose connection with the PCIe bus due to some unknown reasons, which could further lead to system crashes during resuming due to watchdog timeout: ath10k_pci 0000:01:00.0: wmi command 20486 timeout, restarting hardware ath10k_pci 0000:01:00.0: already restarting ath10k_pci 0000:01:00.0: failed to stop WMI vdev 0: -11 ath10k_pci 0000:01:00.0: failed to stop vdev 0: -11 ieee80211 phy0: PM: **** DPM device timeout **** Call Trace: panic+0x125/0x315 dpm_watchdog_set+0x54/0x54 dpm_watchdog_handler+0x57/0x57 call_timer_fn+0x31/0x13c At this point, all WMI commands will timeout and attempt to restart device. So set a threshold for consecutive restart failures. If the threshold is exceeded, consider the hardware is unreliable and all ath10k operations should be skipped to avoid system crash. fail_cont_count and pending_recovery are atomic variables, and do not involve complex conditional logic. Therefore, even if recovery check and reconfig complete are executed concurrently, the recovery mechanism will not be broken. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1 CVE-2025-39746 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: rcu: Protect ->defer_qs_iw_pending from data race On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is invoked within an interrupts-disabled region of code [1], it will invoke rcu_read_unlock_special(), which uses an irq-work handler to force the system to notice when the RCU read-side critical section actually ends. That end won't happen until interrupts are enabled at the soonest. In some kernels, such as those booted with rcutree.use_softirq=y, the irq-work handler is used unconditionally. The per-CPU rcu_data structure's ->defer_qs_iw_pending field is updated by the irq-work handler and is both read and updated by rcu_read_unlock_special(). This resulted in the following KCSAN splat: ------------------------------------------------------------------------ BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8: rcu_read_unlock_special+0x175/0x260 __rcu_read_unlock+0x92/0xa0 rt_spin_unlock+0x9b/0xc0 __local_bh_enable+0x10d/0x170 __local_bh_enable_ip+0xfb/0x150 rcu_do_batch+0x595/0xc40 rcu_cpu_kthread+0x4e9/0x830 smpboot_thread_fn+0x24d/0x3b0 kthread+0x3bd/0x410 ret_from_fork+0x35/0x40 ret_from_fork_asm+0x1a/0x30 write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8: rcu_preempt_deferred_qs_handler+0x1e/0x30 irq_work_single+0xaf/0x160 run_irq_workd+0x91/0xc0 smpboot_thread_fn+0x24d/0x3b0 kthread+0x3bd/0x410 ret_from_fork+0x35/0x40 ret_from_fork_asm+0x1a/0x30 no locks held by irq_work/8/88. irq event stamp: 200272 hardirqs last enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320 hardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70 softirqs last enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0 softirqs last disabled at (0): [<0000000000000000>] 0x0 ------------------------------------------------------------------------ The problem is that irq-work handlers run with interrupts enabled, which means that rcu_preempt_deferred_qs_handler() could be interrupted, and that interrupt handler might contain an RCU read-side critical section, which might invoke rcu_read_unlock_special(). In the strict KCSAN mode of operation used by RCU, this constitutes a data race on the ->defer_qs_iw_pending field. This commit therefore disables interrupts across the portion of the rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending field. This suffices because this handler is not a fast path. CVE-2025-39749 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Correct tid cleanup when tid setup fails Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(), the tid value is already incremented, even though the corresponding TID is not actually allocated. Proceed to ath12k_dp_rx_peer_tid_delete() starting from unallocated tid, which might leads to freeing unallocated TID and cause potential crash or out-of-bounds access. Hence, fix by correctly decrementing tid before cleanup to match only the successfully allocated TIDs. Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(), as decrementing the tid before cleanup in loop will take care of this. Compile tested only. CVE-2025-39750 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-39751 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm/smaps: fix race between smaps_hugetlb_range and migration smaps_hugetlb_range() handles the pte without holdling ptl, and may be concurrenct with migration, leaing to BUG_ON in pfn_swap_entry_to_page(). The race is as follows. smaps_hugetlb_range migrate_pages huge_ptep_get remove_migration_ptes folio_unlock pfn_swap_entry_folio BUG_ON To fix it, hold ptl lock in smaps_hugetlb_range(). CVE-2025-39754 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. CVE-2025-39757 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), we have been doing this: static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset, size_t size) [...] /* Calculate the number of bytes we need to push, for this page * specifically */ size_t bytes = min_t(size_t, PAGE_SIZE - offset, size); /* If we can't splice it, then copy it in, as normal */ if (!sendpage_ok(page[i])) msg.msg_flags &= ~MSG_SPLICE_PAGES; /* Set the bvec pointing to the page, with len $bytes */ bvec_set_page(&bvec, page[i], bytes, offset); /* Set the iter to $size, aka the size of the whole sendpages (!!!) */ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); try_page_again: lock_sock(sk); /* Sendmsg with $size size (!!!) */ rv = tcp_sendmsg_locked(sk, &msg, size); This means we've been sending oversized iov_iters and tcp_sendmsg calls for a while. This has a been a benign bug because sendpage_ok() always returned true. With the recent slab allocator changes being slowly introduced into next (that disallow sendpage on large kmalloc allocations), we have recently hit out-of-bounds crashes, due to slight differences in iov_iter behavior between the MSG_SPLICE_PAGES and "regular" copy paths: (MSG_SPLICE_PAGES) skb_splice_from_iter iov_iter_extract_pages iov_iter_extract_bvec_pages uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere skb_splice_from_iter gets a "short" read (!MSG_SPLICE_PAGES) skb_copy_to_page_nocache copy=iov_iter_count [...] copy_from_iter /* this doesn't help */ if (unlikely(iter->count < len)) len = iter->count; iterate_bvec ... and we run off the bvecs Fix this by properly setting the iov_iter's byte count, plus sending the correct byte count to tcp_sendmsg_locked. CVE-2025-39758 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); 2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing because at that point fs_info->qgroup_rescan_running is false (it wasn't set yet by task A); 3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock; 4) Task A enters qgroup_rescan_zero_tracking() which starts iterating the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, but task B is freeing qgroup records from that tree without holding the lock, resulting in a use-after-free. Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas were already disabled. CVE-2025-39759 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor. CVE-2025-39760 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Decrement TID on RX peer frag setup error handling Currently, TID is not decremented before peer cleanup, during error handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to out-of-bounds access in peer->rx_tid[]. Hence, add a decrement operation for TID, before peer cleanup to ensures proper cleanup and prevents out-of-bounds access issues when the RX peer frag setup fails. Found during code review. Compile tested only. CVE-2025-39761 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered If a synchronous error is detected as a result of user-space process triggering a 2-bit uncorrected error, the CPU will take a synchronous error exception such as Synchronous External Abort (SEA) on Arm64. The kernel will queue a memory_failure() work which poisons the related page, unmaps the page, and then sends a SIGBUS to the process, so that a system wide panic can be avoided. However, no memory_failure() work will be queued when abnormal synchronous errors occur. These errors can include situations like invalid PA, unexpected severity, no memory failure config support, invalid GUID section, etc. In such a case, the user-space process will trigger SEA again. This loop can potentially exceed the platform firmware threshold or even trigger a kernel hard lockup, leading to a system reboot. Fix it by performing a force kill if no memory_failure() work is queued for synchronous errors. [ rjw: Changelog edits ] CVE-2025-39763 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption. AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do if (!refcount_inc_not_zero(&exp->use)) to increment the refcount, there is a chance that exp == last, which causes a double-increment of the refcount and subsequent memory leak. CVE-2025-39764 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ htb rate 64bit tc qdisc add dev lo parent 1:1 handle f: \ cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow. I do not believe return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion. CVE-2025-39766 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has a strict contract: it supports checksum offload only for plain TCP or UDP over IPv6 and explicitly does not support packets with extension headers. The current GSO logic violates this contract by failing to disable the feature for packets with extension headers, such as those used in GREoIPv6 tunnels. This violation results in the device being asked to perform an operation it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse of network throughput. While device TSO/USO is correctly bypassed in favor of software GSO for these packets, the GSO stack must be explicitly told not to request checksum offload. Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4 in gso_features_check if the IPv6 header contains extension headers to compute checksum in software. The exception is a BIG TCP extension, which, as stated in commit 68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"): "The feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices." kernel log output (truncated): WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140 ... Call Trace: <TASK> skb_checksum_help+0x12a/0x1f0 validate_xmit_skb+0x1a3/0x2d0 validate_xmit_skb_list+0x4f/0x80 sch_direct_xmit+0x1a2/0x380 __dev_xmit_skb+0x242/0x670 __dev_queue_xmit+0x3fc/0x7f0 ip6_finish_output2+0x25e/0x5d0 ip6_finish_output+0x1fc/0x3f0 ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel] ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre] dev_hard_start_xmit+0x63/0x1c0 __dev_queue_xmit+0x6d0/0x7f0 ip6_finish_output2+0x214/0x5d0 ip6_finish_output+0x1fc/0x3f0 ip6_xmit+0x2ca/0x6f0 ip6_finish_output+0x1fc/0x3f0 ip6_xmit+0x2ca/0x6f0 inet6_csk_xmit+0xeb/0x150 __tcp_transmit_skb+0x555/0xa80 tcp_write_xmit+0x32a/0xe90 tcp_sendmsg_locked+0x437/0x1110 tcp_sendmsg+0x2f/0x50 ... skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00 skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00 skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00 skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00 skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00 skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9 skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01 skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a CVE-2025-39770 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not init, which will access an NULL pointer. Just change goto statement to return, because hibnc_hw_init() doesn't need to free anything. CVE-2025-39772 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue. watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66] CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none) Call Trace: <IRQ> __netdev_alloc_skb+0x2e/0x3a0 br_ip6_multicast_alloc_query+0x212/0x1b70 __br_multicast_send_query+0x376/0xac0 br_multicast_send_query+0x299/0x510 br_multicast_query_expired.constprop.0+0x16d/0x1b0 call_timer_fn+0x3b/0x2a0 __run_timers+0x619/0x950 run_timer_softirq+0x11c/0x220 handle_softirqs+0x18e/0x560 __irq_exit_rcu+0x158/0x1a0 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> This issue can be reproduced with: ip link add br0 type bridge echo 1 > /sys/class/net/br0/bridge/multicast_querier echo 0xffffffffffffffff > /sys/class/net/br0/bridge/multicast_query_interval ip link set dev br0 up The multicast_startup_query_interval can also cause this issue. Similar to the commit 99b40610956a ("net: bridge: mcast: add and enforce query interval minimum"), add check for the query interval maximum to fix this issue. CVE-2025-39773 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the combined time spent waiting and processing can be significant. jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when need_resched() is true to avoid softlockups during prolonged operations. But jbd2_log_do_checkpoint() only exits its loop when need_resched() is true, relying on potentially sleeping functions like __flush_batch() or wait_on_buffer() to trigger rescheduling. If those functions do not sleep, the kernel may hit a softlockup. watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373] CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10 Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017 Workqueue: writeback wb_workfn (flush-7:2) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : native_queued_spin_lock_slowpath+0x358/0x418 lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] Call trace: native_queued_spin_lock_slowpath+0x358/0x418 jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2] add_transaction_credits+0x3bc/0x418 [jbd2] start_this_handle+0xf8/0x560 [jbd2] jbd2__journal_start+0x118/0x228 [jbd2] __ext4_journal_start_sb+0x110/0x188 [ext4] ext4_do_writepages+0x3dc/0x740 [ext4] ext4_writepages+0xa4/0x190 [ext4] do_writepages+0x94/0x228 __writeback_single_inode+0x48/0x318 writeback_sb_inodes+0x204/0x590 __writeback_inodes_wb+0x54/0xf8 wb_writeback+0x2cc/0x3d8 wb_do_writeback+0x2e0/0x2f8 wb_workfn+0x80/0x2a8 process_one_work+0x178/0x3e8 worker_thread+0x234/0x3b8 kthread+0xf0/0x108 ret_from_fork+0x10/0x20 So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid softlockup. CVE-2025-39782 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix configfs group list head handling Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this field is a list head, not a list entry. This list_del() call triggers a KASAN warning when an endpoint function driver which has a configfs attribute group is torn down: ================================================================== BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198 Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319 CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE Hardware name: Radxa ROCK 5B (DT) Call trace: show_stack+0x2c/0x84 (C) dump_stack_lvl+0x70/0x98 print_report+0x17c/0x538 kasan_report+0xb8/0x190 __asan_report_store8_noabort+0x20/0x2c pci_epf_remove_cfs+0x17c/0x198 pci_epf_unregister_driver+0x18/0x30 nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf] __arm64_sys_delete_module+0x264/0x424 invoke_syscall+0x70/0x260 el0_svc_common.constprop.0+0xac/0x230 do_el0_svc+0x40/0x58 el0_svc+0x48/0xdc el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c ... Remove this incorrect list_del() call from pci_epf_remove_cfs(). CVE-2025-39783 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don't read past the ELF header When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessary the case for other clients. Validate the size of the firmware buffer to ensure that we don't read past the end as we iterate over the header. e_phentsize and e_shentsize are validated as well, to ensure that the assumptions about step size in the traversal are valid. CVE-2025-39787 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer. For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed. This behavior was observed on an ep that used upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")'. Where the device updated the events ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers. This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained. [mani: added stable tag and reworded commit message] CVE-2025-39790 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: xfrm: Duplicate SPI Handling The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI Netlink message, which triggers the kernel function xfrm_alloc_spi(). This function is expected to ensure uniqueness of the Security Parameter Index (SPI) for inbound Security Associations (SAs). However, it can return success even when the requested SPI is already in use, leading to duplicate SPIs assigned to multiple inbound SAs, differentiated only by their destination addresses. This behavior causes inconsistencies during SPI lookups for inbound packets. Since the lookup may return an arbitrary SA among those with the same SPI, packet processing can fail, resulting in packet drops. According to RFC 4301 section 4.4.2 , for inbound processing a unicast SA is uniquely identified by the SPI and optionally protocol. Reproducing the Issue Reliably: To consistently reproduce the problem, restrict the available SPI range in charon.conf : spi_min = 0x10000000 spi_max = 0x10000002 This limits the system to only 2 usable SPI values. Next, create more than 2 Child SA. each using unique pair of src/dst address. As soon as the 3rd Child SA is initiated, it will be assigned a duplicate SPI, since the SPI pool is already exhausted. With a narrow SPI range, the issue is consistently reproducible. With a broader/default range, it becomes rare and unpredictable. Current implementation: xfrm_spi_hash() lookup function computes hash using daddr, proto, and family. So if two SAs have the same SPI but different destination addresses, then they will: a. Hash into different buckets b. Be stored in different linked lists (byspi + h) c. Not be seen in the same hlist_for_each_entry_rcu() iteration. As a result, the lookup will result in NULL and kernel allows that Duplicate SPI Proposed Change: xfrm_state_lookup_spi_proto() does a truly global search - across all states, regardless of hash bucket and matches SPI and proto. CVE-2025-39797 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabilities when automounting a new filesystem Capabilities cannot be inherited when we cross into a new filesystem. They need to be reset to the minimal defaults, and then probed for again. CVE-2025-39798 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN. CVE-2025-39800 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-controlled connect/disconnect testcases. The following is one such endpoint command timeout that we observed: 1. Connect ======= ->dwc3_thread_interrupt ->dwc3_ep0_interrupt ->configfs_composite_setup ->composite_setup ->usb_ep_queue ->dwc3_gadget_ep0_queue ->__dwc3_gadget_ep0_queue ->__dwc3_ep0_do_control_data ->dwc3_send_gadget_ep_cmd 2. Disconnect ========== ->dwc3_thread_interrupt ->dwc3_gadget_disconnect_interrupt ->dwc3_ep0_reset_state ->dwc3_ep0_end_control_data ->dwc3_send_gadget_ep_cmd In the issue scenario, in Exynos platforms, we observed that control transfers for the previous connect have not yet been completed and end transfer command sent as a part of the disconnect sequence and processing of USB_ENDPOINT_HALT feature request from the host timeout. This maybe an expected scenario since the controller is processing EP commands sent as a part of the previous connect. It maybe better to remove WARN_ON in all places where device endpoint commands are sent to avoid unnecessary kernel panic due to warn. CVE-2025-39801 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it. Below is the KASAN splat after the out of bounds access happens: [ 13.671954] ================================================================== [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110 [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10 [ 13.673297] [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3 [ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04 [ 13.673297] Call Trace: [ 13.673297] <TASK> [ 13.673297] dump_stack_lvl+0x5f/0x80 [ 13.673297] print_report+0xd1/0x660 [ 13.673297] kasan_report+0xe5/0x120 [ 13.673297] __asan_report_load1_noabort+0x18/0x20 [ 13.673297] mt_report_fixup+0x103/0x110 [ 13.673297] hid_open_report+0x1ef/0x810 [ 13.673297] mt_probe+0x422/0x960 [ 13.673297] hid_device_probe+0x2e2/0x6f0 [ 13.673297] really_probe+0x1c6/0x6b0 [ 13.673297] __driver_probe_device+0x24f/0x310 [ 13.673297] driver_probe_device+0x4e/0x220 [ 13.673297] __device_attach_driver+0x169/0x320 [ 13.673297] bus_for_each_drv+0x11d/0x1b0 [ 13.673297] __device_attach+0x1b8/0x3e0 [ 13.673297] device_initial_probe+0x12/0x20 [ 13.673297] bus_probe_device+0x13d/0x180 [ 13.673297] device_add+0xe3a/0x1670 [ 13.673297] hid_add_device+0x31d/0xa40 [...] CVE-2025-39806 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() in ntrig_report_version(), hdev parameter passed from hid_probe(). sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null if hdev->dev.parent->parent is null, usb_dev has invalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned when usb_rcvctrlpipe() use usb_dev,it trigger page fault error for address(0xffffffffffffff58) add null check logic to ntrig_report_version() before calling hid_to_usb_dev() CVE-2025-39808 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix memory corruption when FW resources change during ifdown bnxt_set_dflt_rings() assumes that it is always called before any TC has been created. So it doesn't take bp->num_tc into account and assumes that it is always 0 or 1. In the FW resource or capability change scenario, the FW will return flags in bnxt_hwrm_if_change() that will cause the driver to reinitialize and call bnxt_cancel_reservations(). This will lead to bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp->num_tc may be greater than 1. This will cause bp->tx_ring[] to be sized too small and cause memory corruption in bnxt_alloc_cp_rings(). Fix it by properly scaling the TX rings by bp->num_tc in the code paths mentioned above. Add 2 helper functions to determine bp->tx_nr_rings and bp->tx_nr_rings_per_tc. CVE-2025-39810 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospec with indices that come from guest min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels. CVE-2025-39823 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAIMED_INPUT validation After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However it is possible that the capability bitmaps are not set at all leading to the subsequent hidinput_has_been_populated() check to fail leading to the freeing of the hid_input and the underlying input device. This becomes problematic because a malicious HID device like a ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor which then leads to a user-after-free when the name of the freed input device is written to later on after hid_hw_start(). Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees. 0x05, 0x0D, // Usage Page (Digitizer) 0x09, 0x05, // Usage (Touch Pad) 0xA1, 0x01, // Collection (Application) 0x85, 0x0D, // Report ID (13) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0xC5, // Usage (0xC5) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs) 0x85, 0x5D, // Report ID (93) 0x06, 0x00, 0x00, // Usage Page (Undefined) 0x09, 0x01, // Usage (0x01) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x1B, // Report Count (27) 0x81, 0x02, // Input (Data,Var,Abs) 0xC0, // End Collection Below is the KASAN splat after triggering the UAF: [ 21.672709] ================================================================== [ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80 [ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54 [ 21.673700] [ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary) [ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 21.673700] Call Trace: [ 21.673700] <TASK> [ 21.673700] dump_stack_lvl+0x5f/0x80 [ 21.673700] print_report+0xd1/0x660 [ 21.673700] kasan_report+0xe5/0x120 [ 21.673700] __asan_report_store8_noabort+0x1b/0x30 [ 21.673700] asus_probe+0xeeb/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Allocated by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_alloc_info+0x3b/0x50 [ 21.673700] __kasan_kmalloc+0x9c/0xa0 [ 21.673700] __kmalloc_cache_noprof+0x139/0x340 [ 21.673700] input_allocate_device+0x44/0x370 [ 21.673700] hidinput_connect+0xcb6/0x2630 [ 21.673700] hid_connect+0xf74/0x1d60 [ 21.673700] hid_hw_start+0x8c/0x110 [ 21.673700] asus_probe+0x5a3/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Freed by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_free_info+0x3f/0x60 [ 21.673700] __kasan_slab_free+0x3c/0x50 [ 21.673700] kfre ---truncated--- CVE-2025-39824 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix race with concurrent opens in rename(2) Besides sending the rename request to the server, the rename process also involves closing any deferred close, waiting for outstanding I/O to complete as well as marking all existing open handles as deleted to prevent them from deferring closes, which increases the race window for potential concurrent opens on the target file. Fix this by unhashing the dentry in advance to prevent any concurrent opens on the target. CVE-2025-39825 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field to refcount_t The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths. For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues. This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put() which operate reference counts atomically. CVE-2025-39826 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock. This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented. This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node(). These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot. CVE-2025-39827 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 important In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix lockdep assertion on sync reset unload event Fix lockdep assertion triggered during sync reset unload event. When the sync reset flow is initiated using the devlink reload fw_activate option, the PF already holds the devlink lock while handling unload event. In this case, delegate sync reset unload event handling back to the devlink callback process to avoid double-locking and resolve the lockdep warning. Kernel log: WARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40 [...] Call Trace: <TASK> mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core] mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core] process_one_work+0x222/0x640 worker_thread+0x199/0x350 kthread+0x10b/0x230 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x8e/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> CVE-2025-39832 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mISDN: hfcpci: Fix warning when deleting uninitialized timer With CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads to the following splat: [ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0 [ 250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0 [ 250.218775] Modules linked in: hfcpci(-) mISDN_core [ 250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary) [ 250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0 [ 250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d [ 250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286 [ 250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95 [ 250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0 [ 250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39 [ 250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001 [ 250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8 [ 250.232454] FS: 00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000 [ 250.233851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0 [ 250.236117] Call Trace: [ 250.236599] <TASK> [ 250.236967] ? trace_irq_enable.constprop.0+0xd4/0x130 [ 250.237920] debug_object_assert_init+0x1f6/0x310 [ 250.238762] ? __pfx_debug_object_assert_init+0x10/0x10 [ 250.239658] ? __lock_acquire+0xdea/0x1c70 [ 250.240369] __try_to_del_timer_sync+0x69/0x140 [ 250.241172] ? __pfx___try_to_del_timer_sync+0x10/0x10 [ 250.242058] ? __timer_delete_sync+0xc6/0x120 [ 250.242842] ? lock_acquire+0x30/0x80 [ 250.243474] ? __timer_delete_sync+0xc6/0x120 [ 250.244262] __timer_delete_sync+0x98/0x120 [ 250.245015] HFC_cleanup+0x10/0x20 [hfcpci] [ 250.245704] __do_sys_delete_module+0x348/0x510 [ 250.246461] ? __pfx___do_sys_delete_module+0x10/0x10 [ 250.247338] do_syscall_64+0xc1/0x360 [ 250.247924] entry_SYSCALL_64_after_hwframe+0x77/0x7f Fix this by initializing hfc_tl timer with DEFINE_TIMER macro. Also, use mod_timer instead of manual timeout update. CVE-2025-39833 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: xfs: do not propagate ENODATA disk errors into xattr code ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code; namely, that the requested attribute name could not be found. However, a medium error from disk may also return ENODATA. At best, this medium error may escape to userspace as "attribute not found" when in fact it's an IO (disk) error. At worst, we may oops in xfs_attr_leaf_get() when we do: error = xfs_attr_leaf_hasname(args, &bp); if (error == -ENOATTR) { xfs_trans_brelse(args->trans, bp); return error; } because an ENODATA/ENOATTR error from disk leaves us with a null bp, and the xfs_trans_brelse will then null-deref it. As discussed on the list, we really need to modify the lower level IO functions to trap all disk errors and ensure that we don't let unique errors like this leak up into higher xfs functions - many like this should be remapped to EIO. However, this patch directly addresses a reported bug in the xattr code, and should be safe to backport to stable kernels. A larger-scope patch to handle more unique errors at lower levels can follow later. (Note, prior to 07120f1abdff we did not oops, but we did return the wrong error code to userspace.) CVE-2025-39835 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL pointer dereference in UTF16 conversion There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash. This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and returns NULL early to prevent dereferencing NULL pointer. Found by Linux Verification Center (linuxtesting.org) with SVACE CVE-2025-39838 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix OOB read/write in network-coding decode batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small out-of-bounds write. Validate that coded_len fits within the payload area of both destination and source sk_buffs before XORing. CVE-2025-39839 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: prevent release journal inode after journal shutdown Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_release_jbd_inode(). ocfs2_dismount_volume()-> ocfs2_delete_osb()-> ocfs2_free_slot_info()-> __ocfs2_free_slot_info()-> evict()-> ocfs2_evict_inode()-> ocfs2_clear_inode()-> jbd2_journal_release_jbd_inode(osb->journal->j_journal, Adding osb->journal checks will prevent null-ptr-deref during the above execution path. CVE-2025-39842 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It turns out that the kernel panics while initializing vmemmap (struct page array) when the vmemmap region spans two PGD entries, because the new PGD entry is only installed in init_mm.pgd, but not in the page tables of other tasks. And looking at __populate_section_memmap(): if (vmemmap_can_optimize(altmap, pgmap)) // does not sync top level page tables r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap); else // sync top level page tables in x86 r = vmemmap_populate(start, end, nid, altmap); In the normal path, vmemmap_populate() in arch/x86/mm/init_64.c synchronizes the top level page table (See commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes")) so that all tasks in the system can see the new vmemmap area. However, when vmemmap_can_optimize() returns true, the optimized path skips synchronization of top-level page tables. This is because vmemmap_populate_compound_pages() is implemented in core MM code, which does not handle synchronization of the top-level page tables. Instead, the core MM has historically relied on each architecture to perform this synchronization manually. We're not the first party to encounter a crash caused by not-sync'd top level page tables: earlier this year, Gwan-gyeong Mun attempted to address the issue [1] [2] after hitting a kernel panic when x86 code accessed the vmemmap area before the corresponding top-level entries were synced. At that time, the issue was believed to be triggered only when struct page was enlarged for debugging purposes, and the patch did not get further updates. It turns out that current approach of relying on each arch to handle the page table sync manually is fragile because 1) it's easy to forget to sync the top level page table, and 2) it's also easy to overlook that the kernel should not access the vmemmap and direct mapping areas before the sync. # The solution: Make page table sync more code robust and harder to miss To address this, Dave Hansen suggested [3] [4] introducing {pgd,p4d}_populate_kernel() for updating kernel portion of the page tables and allow each architecture to explicitly perform synchronization when installing top-level entries. With this approach, we no longer need to worry about missing the sync step, reducing the risk of future regressions. The new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK, PGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by vmalloc and ioremap to synchronize page tables. pgd_populate_kernel() looks like this: static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd, p4d_t *p4d) { pgd_populate(&init_mm, pgd, p4d); if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) arch_sync_kernel_mappings(addr, addr); } It is worth noting that vmalloc() and apply_to_range() carefully synchronizes page tables by calling p*d_alloc_track() and arch_sync_kernel_mappings(), and thus they are not affected by ---truncated--- CVE-2025-39844 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel(). This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]: BUG: unable to handle page fault for address: ffffeb3ff1200000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI Tainted: [W]=WARN RIP: 0010:vmemmap_set_pmd+0xff/0x230 <TASK> vmemmap_populate_hugepages+0x176/0x180 vmemmap_populate+0x34/0x80 __populate_section_memmap+0x41/0x90 sparse_add_section+0x121/0x3e0 __add_pages+0xba/0x150 add_pages+0x1d/0x70 memremap_pages+0x3dc/0x810 devm_memremap_pages+0x1c/0x60 xe_devm_add+0x8b/0x100 [xe] xe_tile_init_noalloc+0x6a/0x70 [xe] xe_device_probe+0x48c/0x740 [xe] [... snip ...] CVE-2025-39845 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res. CVE-2025-39846 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference to the old skb is lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak. Align pad_compress_skb() semantics with realloc(): only free the old skb if allocation and compression succeed. At the call site, use the new_skb variable so the original skb is not lost when pad_compress_skb() fails. CVE-2025-39847 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv() Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs or corruptions could happen without a major crash. But the root cause is that ax25_kiss_rcv() can queue/mangle input skb without checking if this skb is shared or not. Many thanks to Bernard Pidoux for his help, diagnosis and tests. We had a similar issue years ago fixed with commit 7aaed57c5c28 ("phonet: properly unshare skbs in phonet_rcv()"). CVE-2025-39848 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption so add some bounds checking. CVE-2025-39849 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and valid neighbor entry is configured on the VXLAN device whose MAC address is not behind the "any" remote (0.0.0.0 / ::). The code currently assumes that the FDB entry for the neighbor's MAC address points to a valid remote destination, but this is incorrect if the entry is associated with an FDB nexthop group. This can result in a NPD [1][3] which can be reproduced using [2][4]. Fix by checking that the remote destination exists before dereferencing it. [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 4 UID: 0 PID: 365 Comm: arping Not tainted 6.17.0-rc2-virtme-g2a89cb21162c #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:vxlan_xmit+0xb58/0x15f0 [...] Call Trace: <TASK> dev_hard_start_xmit+0x5d/0x1c0 __dev_queue_xmit+0x246/0xfd0 packet_sendmsg+0x113a/0x1850 __sock_sendmsg+0x38/0x70 __sys_sendto+0x126/0x180 __x64_sys_sendto+0x24/0x30 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [2] #!/bin/bash ip address add 192.0.2.1/32 dev lo ip nexthop add id 1 via 192.0.2.2 fdb ip nexthop add id 10 group 1 fdb ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 4789 proxy ip neigh add 192.0.2.3 lladdr 00:11:22:33:44:55 nud perm dev vx0 bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10 arping -b -c 1 -s 192.0.2.1 -I vx0 192.0.2.3 [3] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] CPU: 13 UID: 0 PID: 372 Comm: ndisc6 Not tainted 6.17.0-rc2-virtmne-g6ee90cb26014 #3 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1v996), BIOS 1.17.0-4.fc41 04/01/2x014 RIP: 0010:vxlan_xmit+0x803/0x1600 [...] Call Trace: <TASK> dev_hard_start_xmit+0x5d/0x1c0 __dev_queue_xmit+0x246/0xfd0 ip6_finish_output2+0x210/0x6c0 ip6_finish_output+0x1af/0x2b0 ip6_mr_output+0x92/0x3e0 ip6_send_skb+0x30/0x90 rawv6_sendmsg+0xe6e/0x12e0 __sock_sendmsg+0x38/0x70 __sys_sendto+0x126/0x180 __x64_sys_sendto+0x24/0x30 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f383422ec77 [4] #!/bin/bash ip address add 2001:db8:1::1/128 dev lo ip nexthop add id 1 via 2001:db8:1::1 fdb ip nexthop add id 10 group 1 fdb ip link add name vx0 up type vxlan id 10010 local 2001:db8:1::1 dstport 4789 proxy ip neigh add 2001:db8:1::3 lladdr 00:11:22:33:44:55 nud perm dev vx0 bridge fdb add 00:11:22:33:44:55 dev vx0 self static nhid 10 ndisc6 -r 1 -s 2001:db8:1::1 -w 1 2001:db8:1::3 vx0 CVE-2025-39850 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced. Fix this by using list_first_entry_or_null instead of list_first_entry. CVE-2025-39853 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL access of tx->in_use in ice_ll_ts_intr Recent versions of the E810 firmware have support for an extra interrupt to handle report of the "low latency" Tx timestamps coming from the specialized low latency firmware interface. Instead of polling the registers, software can wait until the low latency interrupt is fired. This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as it uses the same "ready" bitmap to track which Tx timestamps complete. Unfortunately, the ice_ll_ts_intr() function does not check if the tracker is initialized before its first access. This results in NULL dereference or use-after-free bugs similar to the issues fixed in the ice_ptp_ts_irq() function. Fix this by only checking the in_use bitmap (and other fields) if the tracker is marked as initialized. The reset flow will clear the init field under lock before it tears the tracker down, thus preventing any use-after-free or NULL access. CVE-2025-39854 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() BUG: kernel NULL pointer dereference, address: 00000000000002ec PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Workqueue: smc_hs_wq smc_listen_work [smc] RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc] ... Call Trace: <TASK> smcr_buf_map_link+0x211/0x2a0 [smc] __smc_buf_create+0x522/0x970 [smc] smc_buf_create+0x3a/0x110 [smc] smc_find_rdma_v2_device_serv+0x18f/0x240 [smc] ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc] smc_listen_find_device+0x1dd/0x2b0 [smc] smc_listen_work+0x30f/0x580 [smc] process_one_work+0x18c/0x340 worker_thread+0x242/0x360 kthread+0xe7/0x220 ret_from_fork+0x13a/0x160 ret_from_fork_asm+0x1a/0x30 </TASK> If the software RoCE device is used, ibdev->dma_device is a null pointer. As a result, the problem occurs. Null pointer detection is added to prevent problems. CVE-2025-39857 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit. bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release(). Two threads could see the same socket during the list iteration in bt_accept_dequeue(): CPU1 CPU2 (close()) ---- ---- sock_hold(sk) sock_hold(sk); lock_sock(sk) <-- block close() sock_put(sk) bt_accept_unlink(sk) sock_put(sk) <-- refcnt by bt_accept_enqueue() release_sock(sk) lock_sock(sk) sock_put(sk) bt_accept_unlink(sk) sock_put(sk) <-- last refcnt bt_accept_unlink(sk) <-- UAF Depending on the timing, the other thread could show up in the "Freed by task" part. Let's call l2cap_sock_cleanup_listen() under lock_sock() in l2cap_sock_release(). [0]: BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 spin_lock_bh include/linux/spinlock.h:356 [inline] release_sock+0x21/0x220 net/core/sock.c:3746 bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 __sock_release+0xb3/0x270 net/socket.c:649 sock_close+0x1c/0x30 net/socket.c:1439 __fput+0x3ff/0xb70 fs/file_table.c:468 task_work_run+0x14d/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2accf8ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 </TASK> Allocated by task 5326: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4365 [inline] __kmalloc_nopro ---truncated--- CVE-2025-39860 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Move the creation of debugfs files into a dedicated function, and ensure they are explicitly removed during vhci_release(), before associated data structures are freed. Previously, debugfs files such as "force_suspend", "force_wakeup", and others were created under hdev->debugfs but not removed in vhci_release(). Since vhci_release() frees the backing vhci_data structure, any access to these files after release would result in use-after-free errors. Although hdev->debugfs is later freed in hci_release_dev(), user can access files after vhci_data is freed but before hdev->debugfs is released. CVE-2025-39861 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shutdown_sync(). 2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info worker after the cancel_work_sync() has been executed, resulting in use-after-free bugs. The use-after-free bugs occur in two distinct scenarios, depending on the timing of when the brcmf_btcoex_info struct is freed relative to the execution of its worker thread. Scenario 1: Freed before the worker is scheduled The brcmf_btcoex_info is deallocated before the worker is scheduled. A race condition can occur when schedule_work(&bt_local->work) is called after the target memory has been freed. The sequence of events is detailed below: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | kfree(cfg->btcoex); // FREE | | schedule_work(&bt_local->work); // USE Scenario 2: Freed after the worker is scheduled The brcmf_btcoex_info is freed after the worker has been scheduled but before or during its execution. In this case, statements within the brcmf_btcoex_handler() - such as the container_of macro and subsequent dereferences of the brcmf_btcoex_info object will cause a use-after-free access. The following timeline illustrates this scenario: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | schedule_work(); // Reschedule | kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker /* | btci = container_of(....); // USE The kfree() above could | ... also occur at any point | btci-> // USE during the worker's execution| */ | To resolve the race conditions, drop the conditional check and call timer_shutdown_sync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false. CVE-2025-39863 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer. CVE-2025-39864 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 CVE-2025-39865 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Fix a critical memory allocation bug in edma_setup_from_hw() where queue_priority_map was allocated with insufficient memory. The code declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but allocated memory using sizeof(s8) instead of the correct size. This caused out-of-bounds memory writes when accessing: queue_priority_map[i][0] = i; queue_priority_map[i][1] = i; The bug manifested as kernel crashes with "Oops - undefined instruction" on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the memory corruption triggered kernel hardening features on Clang. Change the allocation to use sizeof(*queue_priority_map) which automatically gets the correct size for the 2D array structure. CVE-2025-39869 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix double free in idxd_setup_wqs() The clean up in idxd_setup_wqs() has had a couple bugs because the error handling is a bit subtle. It's simpler to just re-write it in a cleaner way. The issues here are: 1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when "conf_dev" hasn't been initialized. 2) If kzalloc_node() fails then again "conf_dev" is invalid. It's either uninitialized or it points to the "conf_dev" from the previous iteration so it leads to a double free. It's better to free partial loop iterations within the loop and then the unwinding at the end can handle whole loop iterations. I also renamed the labels to describe what the goto does and not where the goto was located. CVE-2025-39870 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Remove improper idxd_free The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... Call Trace: <TASK> idxd_remove+0xe4/0x120 [idxd] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x197/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x74/0xf0 pci_unregister_driver+0x2e/0xb0 idxd_exit_module+0x34/0x7a0 [idxd] __do_sys_delete_module.constprop.0+0x183/0x280 do_syscall_64+0x54/0xd70 entry_SYSCALL_64_after_hwframe+0x76/0x7e The idxd_unregister_devices() which is invoked at the very beginning of idxd_remove(), already takes care of the necessary put_device() through the following call path: idxd_unregister_devices() -> device_unregister() -> put_device() In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is called immediately after, it can result in a use-after-free. Remove the improper idxd_free() to avoid both the refcount underflow and potential memory corruption during module unload. CVE-2025-39871 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call. However, xilinx_can xcan_write_frame() keeps using SKB after the call. Fix that by only calling can_put_echo_skb() after the code is done touching the SKB. The tx_lock is held for the entire xcan_write_frame() execution and also on the can_get_echo_skb() side so the order of operations does not matter. An earlier fix commit 3d3c817c3a40 ("can: xilinx_can: Fix usage of skb memory") did not move the can_put_echo_skb() call far enough. [mkl: add "commit" in front of sha1 in patch description] [mkl: fix indention] CVE-2025-39873 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: fix potential OF node use-after-free The for_each_child_of_node() helper drops the reference it takes to each node as it iterates over children and an explicit of_node_put() is only needed when exiting the loop early. Drop the recently introduced bogus additional reference count decrement at each iteration that could potentially lead to a use-after-free. CVE-2025-39882 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore deadlock in fiemap call syzbot detected a OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961 __schedule_loop kernel/sched/core.c:7043 [inline] schedule+0x165/0x360 kernel/sched/core.c:7058 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115 rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185 __down_write_common kernel/locking/rwsem.c:1317 [inline] __down_write kernel/locking/rwsem.c:1326 [inline] down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591 ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142 do_page_mkwrite+0x14d/0x310 mm/memory.c:3361 wp_page_shared mm/memory.c:3762 [inline] do_wp_page+0x268d/0x5800 mm/memory.c:3981 handle_pte_fault mm/memory.c:6068 [inline] __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline] RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline] RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline] RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26 Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89 f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f 1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41 RSP: 0018:ffffc9000403f950 EFLAGS: 00050256 RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038 RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060 RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42 R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098 R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060 copy_to_user include/linux/uaccess.h:225 [inline] fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145 ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532 __do_sys_ioctl fs/ioctl.c:596 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f13850fd9 RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9 RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004 RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0 R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the extent list of this running mmap executable. The user supplied buffer to hold the fiemap information page faults calling ocfs2_page_mkwrite() which will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same semaphore. This recursive semaphore will hold filesystem locks and causes a hang of the fileystem. The ip_alloc_sem protects the inode extent list and size. Release the read semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap() and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock on the last extent but simplifies the error path. CVE-2025-39885 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Check encryption key size on incoming connection This is required for passing GAP/SEC/SEM/BI-04-C PTS test case: Security Mode 4 Level 4, Responder - Invalid Encryption Key Size - 128 bit This tests the security key with size from 1 to 15 bytes while the Security Mode 4 Level 4 requests 16 bytes key size. Currently PTS fails with the following logs: - expected:Connection Response: Code: [3 (0x03)] Code Identifier: (lt)WildCard: Exists(gt) Length: [8 (0x0008)] Destination CID: (lt)WildCard: Exists(gt) Source CID: [64 (0x0040)] Result: [3 (0x0003)] Connection refused - Security block Status: (lt)WildCard: Exists(gt), but received:Connection Response: Code: [3 (0x03)] Code Identifier: [1 (0x01)] Length: [8 (0x0008)] Destination CID: [64 (0x0040)] Source CID: [64 (0x0040)] Result: [0 (0x0000)] Connection Successful Status: [0 (0x0000)] No further information available And HCI logs: < HCI Command: Read Encrypti.. (0x05|0x0008) plen 2 Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.) > HCI Event: Command Complete (0x0e) plen 7 Read Encryption Key Size (0x05|0x0008) ncmd 1 Status: Success (0x00) Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.) Key size: 7 > ACL Data RX: Handle 14 flags 0x02 dlen 12 L2CAP: Connection Request (0x02) ident 1 len 4 PSM: 4097 (0x1001) Source CID: 64 < ACL Data TX: Handle 14 flags 0x00 dlen 16 L2CAP: Connection Response (0x03) ident 1 len 8 Destination CID: 64 Source CID: 64 Result: Connection successful (0x0000) Status: No further information available (0x0000) CVE-2025-39889 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey(). There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also the mwifiex_update_chan_statistics() function doesn't necessarily initialize the whole array. Since the array was not initialized at the start that could result in an information leak. Also this array is pretty small. It's a maximum of 900 bytes so it's more appropriate to use kcalloc() instead vmalloc(). CVE-2025-39891 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Avoid below overlapping mappings by using a contiguous non-cacheable buffer. [ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST, overlapping mappings aren't supported [ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300 [ 4.097071] Modules linked in: [ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1 [ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT) [ 4.118824] Workqueue: events_unbound deferred_probe_work_func [ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.131624] pc : add_dma_entry+0x23c/0x300 [ 4.135658] lr : add_dma_entry+0x23c/0x300 [ 4.139792] sp : ffff800009dbb490 [ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000 [ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8 [ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20 [ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006 [ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e [ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec [ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58 [ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000 [ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000 [ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40 [ 4.214185] Call trace: [ 4.216605] add_dma_entry+0x23c/0x300 [ 4.220338] debug_dma_map_sg+0x198/0x350 [ 4.224373] __dma_map_sg_attrs+0xa0/0x110 [ 4.228411] dma_map_sg_attrs+0x10/0x2c [ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc [ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174 [ 4.242127] nand_read_oob+0x1d4/0x8e0 [ 4.245861] mtd_read_oob_std+0x58/0x84 [ 4.249596] mtd_read_oob+0x90/0x150 [ 4.253231] mtd_read+0x68/0xac CVE-2025-39907 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: pcmcia: Add error handling for add_interval() in do_validate_mem() In the do_validate_mem(), the call to add_interval() does not handle errors. If kmalloc() fails in add_interval(), it could result in a null pointer being inserted into the linked list, leading to illegal memory access when sub_interval() is called next. This patch adds an error handling for the add_interval(). If add_interval() returns an error, the function will return early with the error code. CVE-2025-39920 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees When we don't have a clock specified in the device tree, we have no way to ensure the BAM is on. This is often the case for remotely-controlled or remotely-powered BAM instances. In this case, we need to read num-channels from the DT to have all the necessary information to complete probing. However, at the moment invalid device trees without clock and without num-channels still continue probing, because the error handling is missing return statements. The driver will then later try to read the number of channels from the registers. This is unsafe, because it relies on boot firmware and lucky timing to succeed. Unfortunately, the lack of proper error handling here has been abused for several Qualcomm SoCs upstream, causing early boot crashes in several situations [1, 2]. Avoid these early crashes by erroring out when any of the required DT properties are missing. Note that this will break some of the existing DTs upstream (mainly BAM instances related to the crypto engine). However, clearly these DTs have never been tested properly, since the error in the kernel log was just ignored. It's safer to disable the crypto engine for these broken DTBs. [1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/ [2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/ CVE-2025-39923 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: can: j1939: implement NETDEV_UNREGISTER notification handler syzbot is reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 problem, for j1939 protocol did not have NETDEV_UNREGISTER notification handler for undoing changes made by j1939_sk_bind(). Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") expects that a call to j1939_priv_put() can be unconditionally delayed until j1939_sk_sock_destruct() is called. But we need to call j1939_priv_put() against an extra ref held by j1939_sk_bind() call (as a part of undoing changes made by j1939_sk_bind()) as soon as NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct() is called via j1939_sk_release()). Otherwise, the extra ref on "struct j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from dropping the usage count to 1; making it impossible for unregister_netdevice() to continue. [mkl: remove space in front of label] CVE-2025-39925 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ] CVE-2025-40300 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:kernel-default-6.4.0-150600.23.73.1 moderate When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped. CVE-2025-4435 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-3.6.15-150300.10.97.2 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-curses-3.6.15-150300.10.97.2 important There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError. CVE-2025-4516 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-3.6.15-150300.10.97.2 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-curses-3.6.15-150300.10.97.2 moderate Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links. CVE-2025-4517 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-3.6.15-150300.10.97.2 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-curses-3.6.15-150300.10.97.2 important jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available. CVE-2025-48060 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:jq-1.6-150000.3.9.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libjq1-1.6-150000.3.9.1 moderate libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. CVE-2025-4947 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0. CVE-2025-50181 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-urllib3-1.25.10-150300.4.18.1 moderate libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing. CVE-2025-5025 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability. CVE-2025-53905 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-9.1.1629-150500.20.33.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-data-common-9.1.1629-150500.20.33.1 moderate Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability. CVE-2025-53906 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-9.1.1629-150500.20.33.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-data-common-9.1.1629-150500.20.33.1 moderate Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using application. CVE-2025-5399 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 moderate Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables rules including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports - unpublished ports remain protected. This issue is fixed in version 28.3.3. CVE-2025-54388 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:docker-28.3.3_ce-150000.230.1 moderate Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1400, When processing nested tuples in Vim script, an error during evaluation can trigger a use-after-free in Vim's internal tuple reference management. Specifically, the tuple_unref() function may access already freed memory due to improper lifetime handling, leading to memory corruption. The exploit requires direct user interaction, as the script must be explicitly executed within Vim. This issue has been patched in version 9.1.1400. CVE-2025-55157 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-9.1.1629-150500.20.33.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-data-common-9.1.1629-150500.20.33.1 moderate Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim's internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406. CVE-2025-55158 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-9.1.1629-150500.20.33.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:vim-data-common-9.1.1629-150500.20.33.1 moderate libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. CVE-2025-59375 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libexpat1-2.7.1-150400.3.31.1 important The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. CVE-2025-6069 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-3.6.15-150300.10.97.2 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-curses-3.6.15-150300.10.97.2 moderate A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). CVE-2025-6395 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libgnutls30-3.8.3-150600.4.9.1 moderate Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876. CVE-2025-6442 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libruby2_5-2_5-2.5.9-150000.4.49.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:ruby2.5-2.5.9-150000.4.49.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:ruby2.5-stdlib-2.5.9-150000.4.49.1 moderate There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. CVE-2025-6965 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libsqlite3-0-3.50.2-150000.3.33.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:sqlite3-tcl-3.50.2-150000.3.33.1 important A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption. CVE-2025-7425 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libxml2-2-2.10.3-150500.5.32.1 important A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly. CVE-2025-7519 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libpolkit-agent-1-0-121-150500.3.6.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libpolkit-gobject-1-0-121-150500.3.6.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:polkit-121-150500.3.6.1 moderate The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library. CVE-2025-8058 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:glibc-2.38-150600.14.37.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:glibc-i18ndata-2.38-150600.14.37.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:glibc-locale-2.38-150600.14.37.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:glibc-locale-base-2.38-150600.14.37.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:nscd-2.38-150600.14.37.1 moderate A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash. CVE-2025-8114 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libssh-config-0.9.8-150600.11.6.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libssh4-0.9.8-150600.11.6.1 moderate There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 CVE-2025-8194 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-3.6.15-150300.10.97.2 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:python3-curses-3.6.15-150300.10.97.2 moderate A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability. CVE-2025-8277 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libssh-config-0.9.8-150600.11.6.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libssh4-0.9.8-150600.11.6.1 low 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. CVE-2025-9086 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:curl-8.14.1-150600.4.28.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libcurl4-8.14.1-150600.4.28.1 important Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. CVE-2025-9230 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libopenssl1_1-1.1.1w-150600.5.18.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:libopenssl3-3.1.4-150600.5.39.1 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:openssl-3-3.1.4-150600.5.39.1 important A flaw was found in Samba, in the vfs_streams_xattr module, where uninitialized heap memory could be written into alternate data streams. This allows an authenticated user to read residual memory content that may include sensitive data, resulting in an information disclosure vulnerability. CVE-2025-9640 Public Cloud Image google/sles-15-sp6-byos-v20251022-arm64:samba-client-libs-4.19.8+git.435.78ced6cf30d-150600.3.21.1 moderate