SUSE-IU-2025:950-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2025:950-1 Interim 1 1 2025-11-28T07:18:51Z current 2025-04-08T01:00:00Z 2025-04-08T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2025:950-1 / google/sles-15-sp6-byos-v20250408-x86-64 This image update for google/sles-15-sp6-byos-v20250408-x86-64 contains the following changes: Package apparmor was updated: - Allow dovecot-auth to execute unix_chkpwd from /sbin, not only from /usr/bin (bsc#1234452) * Update dovecot-unix_chkpwd.diff Package branding-SLE was updated: - Update plymouth theme to fix splash screen element placement issue. (bsc#1236818) Package ca-certificates-mozilla was updated: - explit remove distruted certs, as the distrust does not get exported correctly and the SSL certs are still trusted. (bsc#1240343) - Entrust.net Premium 2048 Secure Server CA - Entrust Root Certification Authority - AffirmTrust Commercial - AffirmTrust Networking - AffirmTrust Premium - AffirmTrust Premium ECC - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - GlobalSign Root E46 - GLOBALTRUST 2020 - remove-distrusted.patch: apply to certdata.txt - Fix awk to compare (missing a =) and give the following output: [#] NSS_BUILTINS_LIBRARY_VERSION &quot;2.74&quot; - pass file argument to awk (bsc#1240009) - update to 2.74 state of Mozilla SSL root CAs: Removed: * SwissSign Silver CA - G2 Added: * D-TRUST BR Root CA 2 2023 * D-TRUST EV Root CA 2 2023 - remove extensive signature printing in comments of the cert bundle - Define two macros to break a build cycle with p11-kit. - Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798) Removed: - SecureSign RootCA11 - Security Communication RootCA3 Added: - TWCA CYBER Root CA - TWCA Global Root CA G2 - SecureSign Root CA12 - SecureSign Root CA14 - SecureSign Root CA15 Package crash was updated: - In some kernel modules such as libie.ko, the mem[MOD_TEXT].size may be zero, currently crash will only check its value to determine if the module is valid, otherwise it fails to load kernel module with the following warning and error: mod: cannot access vmalloc'd module memory Lets count the module size to check if the module is valid, that will avoid the current failure. (bsc#1237501) - crash-fix-for-failing-to-load-kernel-module.patch Package crypto-policies was updated: - Fix fips-mode-setup in EFI or Secure Boot mode. [bsc#1227637] * Rebase crypto-policies-FIPS.patch - fips-mode-setup: tolerate fips dracut module presence w/o FIPS * Fixes the &quot;Inconsistent state detected&quot; warning when disabling the FIPS mode [bsc#1236165] * Upstream commit [gl#redhat-crypto/fedora-crypto-policies#78773542] * Add crypto-policies-fips-mode-setup-dracut.patch Package docker was updated: - Don't use the new container-selinux conditional requires on SLE-12, as the RPM version there doesn't support it. Arguably the change itself is a bit suspect but we can fix that later. bsc#1237367 - Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185 + 0006-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322 + 0007-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch - Refresh patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Make container-selinux requirement conditional on selinux-policy (bsc#1237367) - Update to Docker 27.5.1-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/27/#2741&gt; bsc#1237335 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Update to docker-buildx 0.20.1. See upstream changelog online at &lt;https://github.com/docker/buildx/releases/tag/v0.20.1&gt; - Update to Docker 27.4.1-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/27/#2741&gt; - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Update to docker-buildx 0.19.3. See upstream changelog online at &lt;https://github.com/docker/buildx/releases/tag/v0.19.3&gt; - Update to Docker 27.4.0-ce. See upstream changelog online at &lt;https://docs.docker.com/engine/release-notes/27/#274&gt; - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Remove upstreamed patches: - 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch - 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch Package dracut was updated: - Update to version 059+suse.557.gccd6ab94: * fix(iscsi): make sure services are shut down when switching root (bsc#1237695) * fix(iscsi): don't require network setup for qedi * fix(network-legacy): do not require pgrep when using wicked (bsc#1236982) Package gettext-runtime was updated: - Fix crash while handling po files with malformed header and process them properly (0003-Fix-malformed-header-processing.patch, boo#1227316). Package google-guest-agent was updated: - Update to version 20250327.01 (bsc#1239763, bsc#1239866) * Remove error messages from gce_workload_cert_refresh and metadata script runner (#527) - from version 20250327.00 * Update guest-logging-go dependency (#526) * Add 'created-by' metadata, and pass it as option to logging library (#508) * Revert &quot;oslogin: Correctly handle newlines at the end of modified files (#520)&quot; (#523) * Re-enable disabled services if the core plugin was enabled (#522) * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511) - from version 20250326.00 * Re-enable disabled services if the core plugin was enabled (#521) - from version 20250324.00 * Enable guest services on package upgrade (#519) * oslogin: Correctly handle newlines at the end of modified files (#520) * Fix core plugin path (#518) * Fix package build issues (#517) * Fix dependencies ran go mod tidy -v (#515) * Fix debian build path (#514) * Bundle compat metadata script runner binary in package (#513) * Bump golang.org/x/net from 0.27.0 to 0.36.0 (#512) * Update startup/shutdown services to launch compat manager (#503) * Bundle new gce metadata script runner binary in agent package (#502) * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511) * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Update crypto library to fix CVE-2024-45337 (#499) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250317.00 * Revert &quot;Revert bundling new binaries in the package (#509)&quot; (#511) * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Update crypto library to fix CVE-2024-45337 (#499) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250312.00 * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Update crypto library to fix CVE-2024-45337 (#499) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250305.00 * Revert bundling new binaries in the package (#509) * Fix typo in windows build script (#501) * Include core plugin binary for all packages (#500) * Update crypto library to fix CVE-2024-45337 (#499) * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250304.01 * Fix typo in windows build script (#501) - from version 20250214.01 * Include core plugin binary for all packages (#500) - from version 20250214.00 * Update crypto library to fix CVE-2024-45337 (#499) - from version 20250212.00 * Start packaging compat manager (#498) * Start bundling ggactl_plugin_cleanup binary in all agent packages (#492) - from version 20250211.00 * scripts: introduce a wrapper to locally build deb package (#490) * Introduce compat-manager systemd unit (#497) - from version 20250207.00 * vlan: toggle vlan configuration in debian packaging (#495) * vlan: move config out of unstable section (#494) * Add clarification to comments regarding invalid NICs and the `invalid` tag. (#493) * Include interfaces in lists even if it has an invalid MAC. (#489) * Fix windows package build failures (#491) * vlan: don't index based on the vlan ID (#486) * Revert PR #482 (#488) * Remove Amy and Zach from OWNERS (#487) * Skip interfaces in interfaceNames() instead of erroring if there is an (#482) * Fix Debian packaging if guest agent manager is not checked out (#485) - from version 20250204.02 * force concourse to move version forward. - from version 20250204.01 * vlan: toggle vlan configuration in debian packaging (#495) - from version 20250204.00 * vlan: move config out of unstable section (#494) * Add clarification to comments regarding invalid NICs and the `invalid` tag. (#493) - from version 20250203.01 * Include interfaces in lists even if it has an invalid MAC. (#489) - from version 20250203.00 * Fix windows package build failures (#491) * vlan: don't index based on the vlan ID (#486) * Revert PR #482 (#488) * Remove Amy and Zach from OWNERS (#487) * Skip interfaces in interfaceNames() instead of erroring if there is an (#482) * Fix Debian packaging if guest agent manager is not checked out (#485) - from version 20250122.00 * networkd(vlan): remove the interface in addition to config (#468) * Implement support for vlan dynamic removal, update dhclient to remove only if configured (#465) * Update logging library (#479) * Remove Pat from owners file. (#478) - Add patch to fix unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239197, CVE-2025-22868) * CVE-2025-22868.patch - Update to version 20250116.00: (bsc#1236403) * networkd(vlan): remove the interface in addition to config (#468) * Implement support for vlan dynamic removal, update dhclient to remove only if configured (#465) * Update logging library (#479) * Remove Pat from owners file. (#478) - Update to version 20241209.01: (bsc#1235664) * readme: add notes about plugin manager (#476) * Update metadata script runner to honor cloud logging config flag (#475) * Fixing fallback from systemd-networkd to dhclient (#471) * network: fix nmcli check pattern (#472) * Update readme with guest agent manager (#469) * Add missing packaging spec (#466) * Bring back side-by-side packaging (#464) * Avoid changing permissions of directory if parent is / (#463) * network: force NetworkManager to connect to primary nic (#461) * Revert plugin manager packaging (#460) * Add GOPATH to PATH in debian build (#459) * Add plugin manager to debian build (#457) * rpm packaging: fix plugin manager assumptions (#458) * packaging: add plugin manager to rhel packaging (#454) Package google-guest-oslogin was updated: - Rework SELinux support (bsc#1232553) * Add pkgconfig(systemd) to BuildRequires for SELinux builds * Add policycoreutils to BuildRequires * Build and install SELinux module on older distributions as well to allow users to use the module with their own SELinux policies * Make checkpolicy build dependency unconditional * Move oslogin.pp SELinux module into %{selinuxtype} subdirectory * Own %{_datadir}/selinux{,/packages} on older distributions * Split SELinux support into separate -selinux package * Use SELinux RPM macros to install and uninstall SELinux module * Use RPM conditional builds to enable SELinux on newer distributions - Build and install SELinux module (bsc#1232553) Package google-osconfig-agent was updated: - Add patch to fix unexpected memory consumption during token parsing in golang.org/x/oauth2 (bsc#1239197, CVE-2025-22868) * CVE-2025-22868.patch Package grub2 was updated: - Fix zfs.mo not found message when booting on legacy BIOS (bsc#1237865) * 0001-autofs-Ignore-zfs-not-found.patch - Cherry-pick upstream XFS fixes * 0001-fs-xfs-Add-new-superblock-features-added-in-Linux-6..patch * 0002-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch - Fix &quot;attempt to read of write outside of partition&quot; error message (bsc#1237844) * 0003-fs-xfs-fix-large-extent-counters-incompat-feature-su.patch Package hwinfo was updated: - merge gh#openSUSE/hwinfo#152- avoid reporting of spurious usb storage devices (bsc#1223330) - 21.87 - merge gh#openSUSE/hwinfo#151 - do not overdo usb device de-duplication (bsc#1239663) - 21.86 Package kdump was updated: - upgrade to version kdump-2.0.6+git25.g1dbf786 * fix bonding options (bsc#1235933) * don't use wicked to read bond and bridge config (bsc#1235933) * prevent KDUMP_NET_TIMEOUT busy loop when DNS fails * limit dump file permissions (bsc#1237497, bsc#1237529) Package kernel-default was updated: - initcall_blacklist: Does not allow kernel_lockdown be blacklisted (bsc#1237521). - commit c830a3e - drm/amd/display: Fix null check for pipe_ctx-&gt;plane_state in resource_build_scaling_params (git-fixes). - drm/sched: Fix preprocessor guard (git-fixes). - wifi: cfg80211: regulatory: improve invalid hints checking (git-fixes). - wifi: iwlwifi: limit printed string from FW file (git-fixes). - wifi: iwlwifi: mvm: don't try to talk to a dead firmware (git-fixes). - wifi: nl80211: reject cooked mode if it is set along with other flags (git-fixes). - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() (git-fixes). - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() (git-fixes). - bluetooth: btusb: Initialize .owner field of force_poll_sync_fops (git-fixes). - commit ba6baa3 - net: hns3: fix oops when unload drivers paralleling (CVE-2025-21802 bsc#1238751). - commit 1e9156e - NFSD: fix hang in nfsd4_shutdown_callback (CVE-2025-21795 bsc#1238759). - commit b38b339 - vxlan: check vxlan_vnigroup_init() return value (CVE-2025-21790 bsc#1238753). - commit f088d3b - clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context (CVE-2025-21767 bsc#1238509). - commit 63a12d3 - vxlan: Fix uninit-value in vxlan_vnifilter_dump() (CVE-2025-21716 bsc#1237891). - commit dd55756 - mptcp: handle fastopen disconnect correctly (CVE-2025-21705 bsc#1238525). - commit fd8b648 - exfat: fix timing of synchronizing bitmap and inode (bsc#1237356). - exfat: fix appending discontinuous clusters to empty file (bsc#1237356). - commit 7d766d0 - smb: client: fix oops due to unset link speed (CVE-2025-21725 bsc#1238877). - commit b5023ae - exfat: do not zero the extended part (bsc#1237356). - commit 156857e - ipmr: do not call mr_mfc_uses_dev() for unres entries (CVE-2025-21719 bsc#1238860). - commit d4d6c1b - net: davicom: fix UAF in dm9000_drv_remove (CVE-2025-21715 bsc#1237889). - commit 0308747 - iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() (CVE-2025-21724 bsc#1238863). - commit fa2cf3e - net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() (CVE-2025-21799 bsc#1238739). - commit b9602c4 - rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570) - commit 8be63c4 - scsi: hisi_sas: Remove redundant checks for automatic debugfs dump (git-fixes). - scsi: hisi_sas: Fix a deadlock issue related to automatic dump (git-fixes). - commit 2531f6e - scsi: core: Do not retry I/Os during depopulation (git-fixes). - commit 4c3f2b6 - scsi: mpi3mr: Fix possible crash when setting up bsg fails (git-fixes). - commit f1f6d56 - scsi: myrb: Remove dead code (git-fixes). - commit 11c2ac0 - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request (git-fixes). - commit 3d258a5 - scsi: scsi_debug: Fix hrtimer support for ndelay (git-fixes). - commit 6998b85 - scsi: mpi3mr: Start controller indexing from 0 (git-fixes). - commit 13d0e59 - scsi: megaraid_sas: Fix for a potential deadlock (git-fixes). - commit 330c415 - scsi: qla1280: Fix hw revision numbering for ISP1020/1040 (git-fixes). - commit f2ba519 - scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset (git-fixes). - commit 1ead6e0 - scsi: st: Don't modify unknown block number in MTIOCGET (git-fixes). - commit fb5d2a0 - scsi: sg: Enable runtime power management (git-fixes). - Refresh patches.suse/scsi-sg-Fix-slab-use-after-free-read-in-sg_release.patch. - commit 89afcac - scsi: hisi_sas: Enable all PHYs that are not disabled by user during controller reset (git-fixes). - commit 27a4afa - scsi: mpi3mr: Use ida to manage mrioc ID (git-fixes). - commit 782dd6e - scsi: hisi_sas: Allocate DFX memory during dump trigger (git-fixes). - Refresh patches.suse/scsi-hisi_sas-Create-all-dump-files-during-debugfs-initialization.patch - commit 9b4cb76 - scsi: hisi_sas: Directly call register snapshot instead of using workqueue (git-fixes). - commit 1286dd4 - scsi: qedi: Fix potential deadlock on &amp;qedi_percpu-&gt;p_work_lock (git-fixes). - commit 7c8c098 - ice: pass VSI pointer into ice_vc_isvalid_q_id (bsc#1237848 bsc#1230497). - commit df06d93 - packaging: Turn gcc version into config.sh variable Fixes: 51dacec21eb1 (&quot;Use gcc-13 for build on SLE16 (jsc#PED-10028).&quot;) - commit 011d54b - arm64: hugetlb: Fix flush_hugetlb_tlb_range() invalidation level (git-fixes) - commit 1ccb01b - arm64: hugetlb: enable __HAVE_ARCH_FLUSH_HUGETLB_TLB_RANGE (git-fixes) - commit a9f56ff - arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes (git-fixes) - commit 85cc91e - mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear() (git-fixes) - commit 67ea9f3 - mm: hugetlb: add huge page size param to set_huge_pte_at() (git-fixes). Refresh patches.suse/s390-mm-Fix-clearing-storage-keys-for-huge-pages.patch. - commit f491ee9 - RDMA/mana_ib: Allocate PAGE aligned doorbell index (git-fixes). - KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel (git-fixes). - commit 82bdecd - rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303) - commit 1f1e842 - Update patches.suse/s390-pci-Fix-SR-IOV-for-PFs-initially-in-standby.patch (git-fixes bsc#1236752 bsc#1238368). - commit bf69596 - s390/pci: Fix handling of isolated VFs (git-fixes bsc#1238368). - s390/pci: Pull search for parent PF out of zpci_iov_setup_virtfn() (git-fixes bsc#1238368). - commit 0745d9f - bpf: Send signals asynchronously if !preemptible (git-fixes bsc#1237879 CVE-2025-21728). - commit 180a0da - rxrpc: Fix missing locking causing hanging calls (git-fixes bsc#1233483 CVE-2024-50294). - commit d2475e0 - scsi: lpfc: Copyright updates for 14.4.0.8 patches (bsc#1238347). - scsi: lpfc: Update lpfc version to 14.4.0.8 (bsc#1238347). - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (bsc#1238347). - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (bsc#1238347). - scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when pci_irq_vector() fails (bsc#1238347). - scsi: lpfc: Reduce log message generation during ELS ring clean up (bsc#1238347). - commit 0a7ad68 - nvme/ioctl: add missing space in err message (git-fixes). - nvme-tcp: fix connect failure on receiving partial ICResp PDU (git-fixes). - nvme: tcp: Fix compilation warning with W=1 (git-fixes). - nvmet: Fix crash when a namespace is disabled (git-fixes). - nvme-fc: use ctrl state getter (git-fixes). - nvme: make nvme_tls_attrs_group static (git-fixes). - nvme: handle connectivity loss in nvme_set_queue_count (git-fixes). - nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk (git-fixes). - nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk (git-fixes). - commit 7d2a8bd - Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync (CVE-2024-50029 bsc#1231949). - commit 64f3840 - gup: make the stack expansion warning a bit more targeted (bsc#1238214). - commit feae374 - phy: tegra: xusb: reset VBUS &amp; ID OVERRIDE (git-fixes). - phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk (git-fixes). - phy: rockchip: naneng-combphy: compatible reset with old DT (git-fixes). - commit 92e733c - i2c: ls2x: Fix frequency division register access (git-fixes). - i2c: npcm: disable interrupt enable bit before devm_request_irq (git-fixes). - commit 6c35b3b - drm/amdgpu: disable BAR resize on Dell G5 SE (git-fixes). - amdgpu/pm/legacy: fix suspend/resume issues (git-fixes). - commit d778b71 - soc/mediatek: mtk-devapc: Convert to platform remove callback returning void (stable-fixes). - Refresh patches.suse/soc-mediatek-mtk-devapc-Fix-leaking-IO-map-on-error-.patch. - commit b320307 - smb: client: Fix netns refcount imbalance causing leaks and use-after-free (git-fixes). - commit 7fb2f0e - scsi: core: Clear driver private data when retrying request (git-fixes). - md/md-bitmap: add 'sync_size' into struct md_bitmap_stats (git-fixes). - md/md-cluster: fix spares warnings for __le64 (git-fixes). - md/md-bitmap: replace md_bitmap_status() with a new helper md_bitmap_get_stats() (git-fixes). - scsi: core: Handle depopulation and restoration in progress (git-fixes). - commit 72dfeb6 - cifs: Fix parsing reparse point with native symlink in SMB1 non-UNICODE session (git-fixes). - commit 37da1d3 - ALSA: usb-audio: Re-add sample rate quirk for Pioneer DJM-900NXS2 (stable-fixes). - commit 1b4de08 - usbnet: gl620a: fix endpoint checking in genelink_bind() (git-fixes). - Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response (git-fixes). - ASoC: es8328: fix route from DAC to output (git-fixes). - ALSA: hda/realtek: Fix microphone regression on ASUS N705UD (git-fixes). - ALSA: hda/realtek: Fix wrong mic setup for ASUS VivoBook 15 (git-fixes). - ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports (git-fixes). - soc: loongson: loongson2_guts: Add check for devm_kstrdup() (git-fixes). - drm/i915/dp: Fix error handling during 128b/132b link training (stable-fixes). - drm/i915: Make sure all planes in use by the joiner have their crtc included (stable-fixes). - soc: mediatek: mtk-devapc: Fix leaking IO map on driver remove (git-fixes). - drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() (git-fixes). - drm/msm/gem: Demote userspace errors to DRM_UT_DRIVER (stable-fixes). - commit 73ebe5d - md/raid5: Wait sync io to finish before changing group cnt (git-fixes). - md/md-bitmap: Add missing destroy_work_on_stack() (git-fixes). - md: Don't flush sync_work in md_write_start() (git-fixes). - md: convert comma to semicolon (git-fixes). - md/raid1: don't free conf on raid0_run failure (git-fixes). - md/raid0: don't free conf on raid0_run failure (git-fixes). - commit b66645f - kabi: hide adding RCU head into struct netdev_name_node (bsc#1233749). - net: free altname using an RCU callback (bsc#1233749). - net: fix removing a namespace with conflicting altnames (bsc#1233749). - net: do not send a MOVE event when netdev changes netns (bsc#1233749). - net: Fix undefined behavior in netdev name allocation (bsc#1233749). - net: remove else after return in dev_prep_valid_name() (bsc#1233749). - net: remove dev_valid_name() check from __dev_alloc_name() (bsc#1233749). - net: trust the bitmap in __dev_alloc_name() (bsc#1233749). - net: reduce indentation of __dev_alloc_name() (bsc#1233749). - net: make dev_alloc_name() call dev_prep_valid_name() (bsc#1233749). - net: don't use input buffer of __dev_alloc_name() as a scratch space (bsc#1233749). - net: move altnames together with the netdevice (bsc#1233749). - net: avoid UAF on deleted altname (bsc#1233749). - net: check for altname conflicts when changing netdev's netns (bsc#1233749). - net: fix ifname in netlink ntf during netns move (bsc#1233749). - net: core: Use the bitmap API to allocate bitmaps (bsc#1233749). - commit ff5990f - smb: client: handle STATUS_IO_REPARSE_TAG_NOT_HANDLED (git-fixes). - commit 23d3ebd - smb: client: handle path separator of created SMB symlinks (git-fixes). - Refresh patches.suse/smb-client-move-most-of-reparse-point-handling-code-to-common-file.patch. - commit c241ea6 - smb: client: ignore unhandled reparse tags (git-fixes). - commit f2d26a5 - smb: client: fix double put of @cfile in smb2_rename_path() (git-fixes). - commit 4ac349c - smb: client: fix double put of @cfile in smb2_set_path_size() (git-fixes). - commit 647e9ab - cifs: Remove intermediate object of failed create reparse call (git-fixes). - commit fa14b80 - ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() (CVE-2024-57994 bsc#1237901). - commit e5a0226 - printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX (bsc#1237950). - commit 1ff6bc3 - add nf_tables for iptables non-legacy network handling This is needed for example by docker on the Alpine Linux distribution, but can also be used on openSUSE. - commit f9b0903 - af_packet: do not call packet_read_pending() from tpacket_destruct_skb() (bsc#1237849). - commit 4ff6762 - zram: fix potential UAF of zram table (git-fixes). - commit b9770a4 - Fix memory-hotplug regression (bsc#1237504) Refreshed patches.suse/mm-memory_hotplug-add-missing-mem_hotplug_lock.patch - commit 248260f - kernel-source: Also replace bin/env - commit dc2037c - net: do not delay dst_entries_add() in dst_release() (CVE-2024-50036 bsc#1231912). - commit 1203cd1 - RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers (git-fixes) - commit 72d0292 - RDMA/mlx5: Fix bind QP error cleanup flow (git-fixes) - commit a50daa9 - RDMA/mlx5: Fix AH static rate parsing (git-fixes) - commit d0d2370 - RDMA/mlx5: Fix implicit ODP hang on parent deregistration (git-fixes) - commit c4c267b - RDMA/bnxt_re: Fix the statistics for Gen P7 VF (git-fixes) - commit 2106458 - RDMA/hns: Fix mbox timing out by adding retry mechanism (git-fixes) - commit a795049 - RDMA/mlx5: Fix a WARN during dereg_mr for DM type (git-fixes) - commit 8f2604e - RDMA/mlx5: Fix a race for DMABUF MR which can lead to CQE with error (git-fixes) - commit d076f6b - IB/mlx5: Set and get correct qp_num for a DCT QP (git-fixes) - commit 92c60dc - RDMA/mlx5: Fix the recovery flow of the UMR QP (git-fixes) - commit 06e0da5 - zram: fix uninitialized ZRAM not releasing backing device (git-fixes). - zram: refuse to use zero sized block device as backing device (git-fixes). - zram: clear IDLE flag in mark_idle() (git-fixes). - zram: clear IDLE flag after recompression (git-fixes). - zram: do not mark idle slots that cannot be idle (git-fixes). - commit ef8009a - blk-cgroup: Properly propagate the iostat update up the hierarchy (bsc#1225606). - commit fb4fada - Refresh patches.suse/btrfs-fix-extent-map-merging-not-happening-for-adjacent-ex.patch. Fix the `-Wparentheses` build warning. ../fs/btrfs/extent_map.c: In function 'mergable_maps': ../fs/btrfs/extent_map.c:219:48: warning: suggest parentheses around comparison in operand of '&amp;' [-Wparentheses] - commit a88d495 - smb: client: fix corruption in cifs_extend_writeback (bsc#1235609). - commit 7111675 - Move upstreamed ACPI patch into sorted section - commit 34b98f4 - btrfs: fix defrag not merging contiguous extents due to merged extent maps (bsc#1237232). - btrfs: fix extent map merging not happening for adjacent extents (bsc#1237232). - commit a57c147 - zram: split memory-tracking and ac-time tracking (git-fixes). - Update config files. - commit d2eb9a9 - KVM: arm64: Fix alignment of kvm_hyp_memcache allocations (git-fixes). - commit 0b597f1 - KVM: arm64: Flush hyp bss section after initialization of variables in bss (git-fixes). - commit 7a0da9b - KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR (git-fixes). - commit 361bd1c - KVM: arm64: Ensure vgic_ready() is ordered against MMIO registration (git-fixes). - commit eb69c06 - KVM: arm64: Don't eagerly teardown the vgic on init error (git-fixes). - commit 09d2069 - KVM: nSVM: Enter guest mode before initializing nested NPT MMU (git-fixes). - commit b54256b - KVM: x86: Avoid double RDPKRU when loading host/guest PKRU (git-fixes). - commit 497fc9a - KVM: x86: Zero out PV features cache when the CPUID leaf is not present (git-fixes). - commit b3e323a - KVM: x86: Account for KVM-reserved CR4 bits when passing through CR4 on VMX (git-fixes). - commit fe0be3a - padata: Clean up in padata_do_multithreaded() (bsc#1237563). - padata: Honor the caller's alignment in case of chunk_size 0 (bsc#1237563). - cpu/hotplug: Don't offline the last non-isolated CPU (bsc#1237562). - cpu/hotplug: Prevent self deadlock on CPU hot-unplug (bsc#1237562). - commit 285ec7d - KVM: VMX: Fix comment of handle_vmx_instruction() (git-fixes). - commit 986c213 - KVM: VMX: Allow toggling bits in MSR_IA32_RTIT_CTL when enable bit is cleared (git-fixes). - commit 19b003b - KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init (git-fixes). - commit c214d6b - KVM: x86: AMD's IBPB is not equivalent to Intel's IBPB (git-fixes). - commit 08a45f2 - KVM: x86: Fix a comment inside __kvm_set_or_clear_apicv_inhibit() (git-fixes). - commit dc6e2e8 - blk-cgroup: Fix class @block_class's subsystem refcount leakage (bsc#1237558). - commit 908404a - KVM: x86/mmu: Skip the &quot;try unsync&quot; path iff the old SPTE was a leaf SPTE (git-fixes). - commit d7ef6bb - KVM: x86: Unconditionally set irr_pending when updating APICv state (jsc#PED-348). - commit 7089ba6 - KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled (jsc#PED-348 git-fixes). - commit ce778dd - KVM: VMX: reset the segment cache after segment init in vmx_vcpu_reset() (jsc#PED-348 git-fixes). - commit 57ae6ea - vhost/net: Set num_buffers for virtio 1.0 (git-fixes). - commit 3cc9281 - virtio_blk: reverse request order in virtio_queue_rqs (git-fixes). - commit 08ef4d5 - x86/xen: allow larger contiguous memory regions in PV guests (git-fixes). - commit cbf742d - xen/swiotlb: relax alignment requirements (git-fixes). - commit 85ac962 - x86/xen: add FRAME_END to xen_hypercall_hvm() (git-fixes). - commit 23eecda - x86/xen: fix xen_hypercall_hvm() to not clobber %rbx (git-fixes). - commit e343881 - Grab mm lock before grabbing pt lock (git-fixes). - commit ae619e6 - platform/x86/intel-uncore-freq: Increase minor number support (bsc#1237452). - commit 43ac95b - platform/x86/intel-uncore-freq: Ignore minor version change (bsc#1237452). - commit 6b5df6d - x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit (git-fixes). - commit 904b0d7 - platform/x86: ISST: Ignore minor version change (bsc#1237452). - commit 17cda63 - platform/x86/intel/tpmi: Add defines to get version information (bsc#1237452). - commit 1c56c6e - KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace (git-fixes). - commit 129191d - x86/bugs: Add SRSO_USER_KERNEL_NO support (git-fixes). - commit 1052c36 - RDMA/efa: Reset device on probe failure (git-fixes) - commit c120211 - selftest: hugetlb_dio: fix test naming (git-fixes). - commit 303d120 - selftests: hugetlb_dio: fixup check for initial conditions to skip in the start (git-fixes). - commit 35f33c3 - selftests: hugetlb_dio: check for initial conditions to skip in the start (git-fixes). - commit 89353b1 - selftest: mm: Test if hugepage does not get leaked during __bio_release_pages() (git-fixes). - commit 56d43b6 - mtd: rawnand: cadence: fix unchecked dereference (git-fixes). - commit f3e10b9 - drm/msm/dpu: Don't leak bits_per_component into random DSC_ENC fields (git-fixes). - drm/msm/dpu: Disable dither in phys encoder cleanup (git-fixes). - drm/msm: Avoid rounding up to one jiffy (git-fixes). - drm/nouveau/pmu: Fix gp10b firmware guard (git-fixes). - nouveau/svm: fix missing folio unlock + put after make_device_exclusive_range() (git-fixes). - mtd: rawnand: cadence: fix incorrect device in dma_unmap_single (git-fixes). - mtd: rawnand: cadence: use dma_map_resource for sdma address (git-fixes). - mtd: rawnand: cadence: fix error code in cadence_nand_init() (git-fixes). - USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist (stable-fixes). - USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone (stable-fixes). - USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI (stable-fixes). - USB: serial: option: drop MeiG Smart defines (stable-fixes). - USB: serial: option: fix Telit Cinterion FN990A name (stable-fixes). - USB: serial: option: add Telit Cinterion FN990B compositions (stable-fixes). - USB: serial: option: add MeiG Smart SLM828 (stable-fixes). - USB: hub: Ignore non-compliant devices with too many configs or interfaces (stable-fixes). - usb: gadget: f_midi: Fixing wMaxPacketSize exceeded issue during MIDI bind retries (git-fixes). - gpiolib: acpi: Add a quirk for Acer Nitro ANV14 (stable-fixes). - efi: Avoid cold plugged memory for placing the kernel (stable-fixes). - drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() (stable-fixes). - batman-adv: Drop unmanaged ELP metric worker (git-fixes). - batman-adv: Ignore neighbor throughput metrics in error case (stable-fixes). - HID: hid-steam: Don't use cancel_delayed_work_sync in IRQ context (git-fixes). - HID: hid-steam: Move hidraw input (un)registering to work (git-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V (stable-fixes). - ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V (stable-fixes). - selftests: gpio: gpio-sim: Fix missing chip disablements (stable-fixes). - PCI: switchtec: Add Microchip PCI100X device IDs (stable-fixes). - PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P (stable-fixes). - media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread (stable-fixes). - media: uvcvideo: Add Kurokesu C1 PRO camera (stable-fixes). - media: uvcvideo: Add new quirk definition for the Sonix Technology Co. 292a camera (stable-fixes). - media: uvcvideo: Implement dual stream quirk to fix loss of usb packets (stable-fixes). - media: cxd2841er: fix 64-bit division on gcc-9 (stable-fixes). - soc/tegra: fuse: Update Tegra234 nvmem keepout list (stable-fixes). - fbdev: omap: use threaded IRQ for LCD DMA (stable-fixes). - HID: hid-steam: Make sure rumble work is canceled on removal (stable-fixes). - selftests: rtnetlink: update netdevsim ipsec output format (stable-fixes). - HID: hid-steam: Add Deck IMU support (stable-fixes). - HID: hid-steam: Fix cleanup in probe() (git-fixes). - HID: hid-steam: remove pointless error message (stable-fixes). - HID: hid-steam: Add gamepad-only mode switched to by holding options (stable-fixes). - HID: hid-steam: Update list of identifiers from SDL (stable-fixes). - HID: hid-steam: Clean up locking (stable-fixes). - HID: hid-steam: Disable watchdog instead of using a heartbeat (stable-fixes). - HID: hid-steam: Avoid overwriting smoothing parameter (stable-fixes). - commit df6a4bb - block: avoid to reuse `hctx` not removed from cpuhp callback list (git-fixes). - block: use the right type for stub rq_integrity_vec() (git-fixes). - block: Fix page refcounts for unaligned buffers in __bio_release_pages() (git-fixes). - commit 27674be - devlink: avoid potential loop in devlink_rel_nested_in_notify_work() (bsc#1237234). - commit 3a39566 - power: supply: da9150-fg: fix potential overflow (git-fixes). - commit 859fe45 - ocfs2: fix incorrect CPU endianness conversion causing mount failure (bsc#1236138). re-enable patch ocfs2-fix-UBSAN-warning-in-ocfs2_verify_volume.patch (bsc#1236138). - commit 1f4d40a - iommu/arm-smmu-v3: Clean up more on probe failure (stable-fixes). - commit f5873b7 - ice: fold ice_ptp_read_time into ice_ptp_gettimex64 (bsc#1237415). - ice: avoid the PTP hardware semaphore in gettimex64 path (bsc#1237415). - ice: add ice_adapter for shared data across PFs on the same NIC (bsc#1237415). - commit 9bb3389 - Fix conditional for selecting gcc-13 Fixes: 51dacec21eb1 (&quot;Use gcc-13 for build on SLE16 (jsc#PED-10028).&quot;) - commit 07542ae - kasan: don't call find_vm_area() in a PREEMPT_RT kernel (git-fixes). - lib/iov_iter: fix import_iovec_ubuf iovec management (git-fixes). - lib: stackinit: hide never-taken branch from compiler (stable-fixes). - commit 08ac036 - KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state (git-fixes) - commit 484a6fb - arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (git-fixes) - commit d8f1799 - arm64: Handle .ARM.attributes section in linker scripts (git-fixes) - commit 44f383d - arm64/mm: Ensure adequate HUGE_MAX_HSTATE (git-fixes) - commit 13bd685 - block: copy back bounce buffer to user-space correctly in case of split (git-fixes). - partitions: ldm: remove the initial kernel-doc notation (git-fixes). - nbd: don't allow reconnect after disconnect (git-fixes). - block: retry call probe after request_module in blk_request_module (git-fixes). - block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() (git-fixes). - blk-iocost: Avoid using clamp() on inuse in __propagate_weights() (git-fixes). - blk-mq: move cpuhp callback registering out of q-&gt;sysfs_lock (git-fixes). - blk-mq: register cpuhp callback after hctx is added to xarray table (git-fixes). - ublk: fix error code for unsupported command (git-fixes). - block: return unsigned int from bdev_io_min (git-fixes). - block: fix bio_split_rw_at to take zone_write_granularity into account (git-fixes). - ublk: fix ublk_ch_mmap() for 64K page size (git-fixes). - blk-mq: Make blk_mq_quiesce_tagset() hold the tag list mutex less long (git-fixes). - block: fix ordering between checking BLK_MQ_S_STOPPED request adding (git-fixes). - block: fix ordering between checking QUEUE_FLAG_QUIESCED request adding (git-fixes). - block: fix missing dispatching request when queue is started or unquiesced (git-fixes). - Revert &quot;blk-throttle: Fix IO hang for a corner case&quot; (git-fixes). - block: fix sanity checks in blk_rq_map_user_bvec (git-fixes). - block: Fix elevator_get_default() checking for NULL q-&gt;tag_set (git-fixes). - blk_iocost: remove some duplicate irq disable/enables (git-fixes). - block: fix integer overflow in BLKSECDISCARD (git-fixes). - ublk: move zone report data out of request pdu (git-fixes). - bio-integrity: don't restrict the size of integrity metadata (git-fixes). - block: Fix lockdep warning in blk_mq_mark_tag_wait (git-fixes). - rbd: don't assume rbd_is_lock_owner() for exclusive mappings (git-fixes). - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings (git-fixes). - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait (git-fixes). - loop: don't set QUEUE_FLAG_NOMERGES (git-fixes). - block: change rq_integrity_vec to respect the iterator (git-fixes). - block: remove the blk_flush_integrity call in blk_integrity_unregister (git-fixes). - block: sed-opal: avoid possible wrong address reference in read_sed_opal_key() (git-fixes). - null_blk: fix validation of block size (git-fixes). - null_blk: Do not allow runt zone with zone capacity smaller then zone size (git-fixes). - null_blk: Print correct max open zones limit in null_init_zoned_dev() (git-fixes). - nbd: Fix signal handling (git-fixes). - nbd: Improve the documentation of the locking assumptions (git-fixes). - block: support to account io_ticks precisely (git-fixes). - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() (git-fixes). - block: fix and simplify blkdevparts= cmdline parsing (git-fixes). - block: add a partscan sysfs attribute for disks (git-fixes). - block: add a disk_has_partscan helper (git-fixes). - null_blk: Fix missing mutex_destroy() at module removal (git-fixes). - block: propagate partition scanning errors to the BLKRRPART ioctl (git-fixes). - block: Clear zone limits for a non-zoned stacked queue (git-fixes). - rbd: don't move requests to the running list on errors (git-fixes). - commit 267ddd1 - null_blk: Remove usage of the deprecated ida_simple_xx() API (git-fixes). - Refresh patches.suse/null_blk-fix-null-ptr-dereference-while-configuring-.patch. - commit cea38e9 - kabi: fix group_cpus_evenly (bsc#1236897). - kabi: fix bus type (bsc#1236896). - commit 175404f - PCI: imx6: Simplify clock handling by using clk_bulk*() function (git-fixes). - Refresh patches.suse/PCI-imx6-Fix-suspend-resume-support-on-i.MX6QDL.patch. - Refresh patches.suse/PCI-imx6-Skip-controller_id-generation-logic-for-i.M.patch. - commit f03d03e - PCI: Use downstream bridges for distributing resources (bsc#1237325). - commit 7c0294f - usb: quirks: Add NO_LPM quirk for TOSHIBA TransMemory-Mx device (git-fixes). - commit bbb24b0 - ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED (stable-fixes). - commit 5d15622 - ALSA: seq: Drop UMP events when no UMP-conversion is set (git-fixes). - ALSA: hda/cirrus: Correct the full scale volume set logic (git-fixes). - ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls() (git-fixes). - ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close (git-fixes). - ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() (git-fixes). - ASoC: rockchip: i2s-tdm: fix shift config for SND_SOC_DAIFMT_DSP_[AB] (git-fixes). - ASoC: fsl_micfil: Enable default case in micfil_set_quality() (git-fixes). - ALSA: hda/realtek: Fixup ALC225 depop procedure (git-fixes). - commit 6fb0aa0 - block: ensure we hold a queue reference when using queue limits (git-fixes). - Refresh patches.suse/block-Fix-where-bio-IO-priority-gets-set.patch. - commit 36d897c - null_blk: don't cap max_hw_sectors to BLK_DEF_MAX_SECTORS (git-fixes). - block: add check of 'minors' and 'first_minor' in device_add_disk() (git-fixes). - block: Set memalloc_noio to false on device_add_disk() error path (git-fixes). - block: Remove special-casing of compound pages (git-fixes). - blk-mq: don't count completed flush data request as inflight in case of quiesce (git-fixes). - ublk: move ublk_cancel_dev() out of ub-&gt;mutex (git-fixes). - block: Provide bdev_open_* functions (git-fixes). - commit 3e547cf - doc: update managed_irq documentation (bsc#1236897). - blk-mq: issue warning when offlining hctx with online isolcpus (bsc#1236897). - blk-mq: use hk cpus only when isolcpus=managed_irq is enabled (bsc#1236897). - lib/group_cpus: honor housekeeping config when grouping CPUs (bsc#1236897). - virtio: blk/scsi: use block layer helpers to calculate num of queues (bsc#1236897). - scsi: use block layer helpers to calculate num of queues (bsc#1236897). - nvme-pci: use block layer helpers to calculate num of queues (bsc#1236897). - blk-mq: add number of queue calc helper (bsc#1236897). - lib/group_cpus: let group_cpu_evenly return number initialized masks (bsc#1236897). - commit 3a935fa - blk-mq: create correct map for fallback case (bsc#1236896). - virtio: blk/scsi: replace blk_mq_virtio_map_queues with blk_mq_map_hw_queues (bsc#1236896). - nvme: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896). - scsi: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896). - blk-mq: introduce blk_mq_map_hw_queues (bsc#1236896). - virtio: hookup irq_get_affinity callback (bsc#1236896). - PCI: hookup irq_get_affinity callback (bsc#1236896). - driver core: bus: add irq_get_affinity callback to bus_type (bsc#1236896). - commit 1f8d7a5 - Update patches.suse/USB-serial-quatech2-fix-null-ptr-deref-in-qt2_proces.patch (CVE-2025-21689 bsc#1237017). - Update patches.suse/drm-v3d-Assign-job-pointer-to-NULL-before-signaling-.patch (CVE-2025-21688 bsc#1237007 - Update patches.suse/drm-v3d-Ensure-job-pointer-is-set-to-NULL-after-job-.patch (CVE-2025-21697 bsc#1237132) - Update patches.suse/gfs2-Truncate-address-space-when-flipping-GFS2_DIF_JDATA-flag.patch (CVE-2025-21699 bsc#1237139) - Update patches.suse/gpio-xilinx-Convert-gpio_lock-to-raw-spinlock.patch (CVE-2025-21684 bsc#1236952) - Update patches.suse/msft-hv-3155-scsi-storvsc-Ratelimit-warning-logs-to-prevent-VM-de.patch (CVE-2025-21690 bsc#1237025) - commit a20ee68 - kABI fix for mptcp: fix inconsistent state on fastopen race (CVE-2024-26708 bsc#1222672). Upstream commit 4fd19a307016 (&quot;mptcp: fix inconsistent state on fastopen race&quot;) introduced three breaking changes, which are handled in this patch. * a new variable `pending_state` was added to `struct mptcp_sock`, which is now moved into a hole. * a new define replaces an old one, so renumber the new one and re-add the old one. * an API function was removed, so re-add it again. ``` u8 in_accept_queue:1; /* 1562: 4 1 */ /* XXX 3 bits hole, try to pack */ /* XXX 5 bytes hole, try to pack */ struct work_struct work; /* 1568 32 */ ``` - commit a4771c0 - bpf, sockmap: Several fixes to bpf_msg_pop_data (CVE-2024-56720 bsc#1235592). - commit a218d9d - net: Fix icmp host relookup triggering ip_rt_bug (CVE-2024-56647 bsc#1235435). - commit 713c9c9 - USB: Fix the issue of task recovery failure caused by USB status when S4 wakes up (git-fixes). - commit 686e836 - powerpc/64s/mm: Move __real_pte stubs into hash-4k.h (bsc#1215199). - commit 73fb25c - powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC (bsc#1215199). - powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline (bsc#1215199). - powerpc/code-patching: Disable KASAN report during patching via temporary mm (bsc#1215199). - commit cb15126 - usbnet: ipheth: document scope of NCM implementation (stable-fixes). - wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() (stable-fixes). - wifi: mt76: mt7921u: Add VID/PID for TP-Link TXE50UH (stable-fixes). - wifi: rtw88: sdio: Fix disconnection after beacon loss (stable-fixes). - wifi: iwlwifi: avoid memory leak (stable-fixes). - wifi: brcmfmac: Check the return value of of_property_read_string_index() (stable-fixes). - wifi: rtw89: add crystal_cap check to avoid setting as overflow value (stable-fixes). - wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (stable-fixes). - commit b67568f - acct: block access to kernel internal filesystems (git-fixes). - acct: perform last write from workqueue (git-fixes). - drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes (stable-fixes). - drm/i915: Fix page cleanup on DMA remap failure (git-fixes). - Revert &quot;drm/amd/display: Use HW lock mgr for PSR1&quot; (stable-fixes). - selftests: mptcp: connect: -f: no reconnect (git-fixes). - net: rose: lock the socket in rose_bind() (git-fixes). - scripts/gdb: fix aarch64 userspace detection in get_current_task (stable-fixes). - drm/amdkfd: only flush the validate MES contex (stable-fixes). - drm/amd/pm: Mark MM activity as unsupported (stable-fixes). - ata: libata-sff: Ensure that we cannot write outside the allocated buffer (stable-fixes). - cpufreq: s3c64xx: Fix compilation warning (stable-fixes). - drm/modeset: Handle tiled displays in pan_display_atomic (stable-fixes). - efi: libstub: Use '-std=gnu11' to fix build with GCC 15 (stable-fixes). - ASoC: amd: Add ACPI dependency to fix build error (stable-fixes). - platform/x86: acer-wmi: Ignore AC events (stable-fixes). - Input: allocate keycode for phone linking (stable-fixes). - platform/x86: int3472: Check for adev == NULL (stable-fixes). - tomoyo: don't emit warning in tomoyo_write_control() (stable-fixes). - HID: Wacom: Add PCI Wacom device support (stable-fixes). - APEI: GHES: Have GHES honor the panic= setting (stable-fixes). - clk: sunxi-ng: a100: enable MMC clock reparenting (git-fixes). - clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg (git-fixes). - clk: qcom: clk-alpha-pll: fix alpha mode configuration (git-fixes). - clk: qcom: dispcc-sm6350: Add missing parent_map for a clock (git-fixes). - clk: qcom: gcc-sm6350: Add missing parent_map for two clocks (git-fixes). - clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate (git-fixes). - clk: qcom: gcc-sm8550: Do not turn off PCIe GDSCs during gdsc_disable() (git-fixes). - clk: mediatek: mt2701-img: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-mm: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-bdp: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-aud: fix conversion to mtk_clk_simple_probe (git-fixes). - clk: mediatek: mt2701-vdec: fix conversion to mtk_clk_simple_probe (git-fixes). - i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz (stable-fixes). - mmc: sdhci-msm: Correctly set the load for the regulator (stable-fixes). - mmc: core: Respect quirk_max_rate for non-UHS SDIO card (stable-fixes). - mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id (stable-fixes). - spi: atmel-qspi: Memory barriers after memory-mapped I/O (git-fixes). - spi: atmel-quadspi: Create `atmel_qspi_ops` to support newer SoC families (stable-fixes). - selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() (stable-fixes). - Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (stable-fixes). - net: wwan: iosm: Fix hibernation by re-binding the driver around it (stable-fixes). - drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor (stable-fixes). - drm/bridge: it6505: fix HDCP CTS KSV list wait timer (stable-fixes). - drm/bridge: it6505: fix HDCP CTS compare V matching (stable-fixes). - drm/bridge: it6505: fix HDCP encryption when R0 ready (stable-fixes). - drm/bridge: it6505: fix HDCP Bstatus check (stable-fixes). - drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT (stable-fixes). - drm/virtio: New fence for every plane update (stable-fixes). - lockdep: Fix upper limit for LOCKDEP_*_BITS configs (stable-fixes). - commit 32eeef9 - net: sched: Disallow replacing of child qdisc from one parent to another (CVE-2025-21700 bsc#1237159). - commit fd65855 - sctp: sysctl: cookie_hmac_alg: avoid using current-&gt;nsproxy (CVE-2025-21640 bsc#1236123) - commit 7a3b711 - sctp: sysctl: rto_min/max: avoid using current-&gt;nsproxy (CVE-2025-21639 bsc#1236122) - commit e818833 - pktgen: Avoid out-of-bounds access in get_imix_entries (CVE-2025-21680 bsc#1236700). - commit 8cb9ad2 - sctp: sysctl: auth_enable: avoid using current-&gt;nsproxy (CVE-2025-21638 bsc#1236115) - commit e4e9666 - sctp: sysctl: udp_port: avoid using current-&gt;nsproxy (CVE-2025-21637 bsc#1236114) - commit b35279d - sctp: sysctl: plpmtud_probe_interval: avoid using current-&gt;nsproxy (CVE-2025-21636 bsc#1236113) - commit 3f71e7d - add bug reference to hv_storvsc change (bsc#1237025 CVE-2025-21690). - commit 45e9861 - kABI fix for mptcp: handle consistently DSS corruption (CVE-2024-50185 bsc#1233109) - commit d478aac - idpf: fix VF dynamic interrupt ctl register initialization (git-fixes). - Refresh patches.suse/idpf-add-support-for-SW-triggered-interrupts.patch. - commit da462e1 - igc: Set buffer type for empty frames in igc_init_empty_frame (git-fixes). - igc: Fix HW RX timestamp when passed by ZC XDP (git-fixes). - idpf: call set_real_num_queues in idpf_open (bsc#1236661). - idpf: fix handling rsc packet with a single segment (git-fixes). - ice: stop storing XDP verdict within ice_rx_buf (git-fixes). - ice: gather page_count()'s of each frag right before XDP prog call (git-fixes). - ice: put Rx buffers after being done with current frame (git-fixes). - iavf: allow changing VLAN state without calling PF (git-fixes). - idpf: convert workqueues to unbound (git-fixes). - idpf: add read memory barrier when checking descriptor done bit (git-fixes). - net/mlx5e: Always start IPsec sequence number from 1 (git-fixes). - net/mlx5e: Rely on reqid in IPsec tunnel mode (git-fixes). - net/mlx5: SF, Fix add port error handling (git-fixes). - net/mlx5: Fix RDMA TX steering prio (git-fixes). - igc: return early when failing to read EECD register (git-fixes). - ice: fix incorrect PHY settings for 100 GB/s (git-fixes). - ice: fix max values for dpll pin phase adjust (git-fixes). - eth: gve: use appropriate helper to set xdp_features (git-fixes). - cxgb4: Avoid removal of uninserted tid (git-fixes). - bnxt_en: Fix possible memory leak when hwrm_req_replace fails (git-fixes). - net: sfc: Correct key_len for efx_tc_ct_zone_ht_params (git-fixes). - net/mlx5e: macsec: Maintain TX SA from encoding_sa (git-fixes). - chelsio/chtls: prevent potential integer overflow on 32bit (git-fixes). - cxgb4: use port number to set mac addr (git-fixes). - bnxt_en: Unregister PTP during PCI shutdown and suspend (git-fixes). - bnxt_en: Refactor bnxt_ptp_init() (git-fixes). - net/mlx5: Verify support for scheduling element and TSAR type (git-fixes). - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset (git-fixes). - ice: use internal pf id instead of function number (git-fixes). - ice: Skip PTP HW writes during PTP reset procedure (git-fixes). - net/mlx5: Correct TASR typo into TSAR (git-fixes). - commit a2c0ed6 - Use gcc-13 for build on SLE16 (jsc#PED-10028). - commit 51dacec - kbuild: userprogs: fix bitsize and target detection on clang (git-fixes). - tools: fix annoying &quot;mkdir -p ...&quot; logs when building tools in parallel (git-fixes). - serial: 8250: Fix fifo underflow on flush (git-fixes). - usb: roles: set switch registered flag early on (git-fixes). - usb: gadget: core: flush gadget workqueue after device removal (git-fixes). - USB: gadget: f_midi: f_midi_complete to call queue_work (git-fixes). - usb: core: fix pipe creation for get_bMaxPacketSize0 (git-fixes). - usb: dwc3: Fix timeout issue during controller enter/exit from halt state (git-fixes). - USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk (git-fixes). - usb: cdc-acm: Fix handling of oversized fragments (git-fixes). - usb: cdc-acm: Check control transfer buffer size before access (git-fixes). - usb: gadget: f_midi: fix MIDI Streaming descriptor lengths (git-fixes). - usb: dwc2: gadget: remove of_node reference upon udc_stop (git-fixes). - usb: gadget: udc: renesas_usb3: Fix compiler warning (git-fixes). - commit f681ca5 - gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock (git-fixes). - gpio: bcm-kona: Add missing newline to dev_err format string (git-fixes). - gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ (git-fixes). - gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 (git-fixes). - commit 72e2a5f - exfat: fix file being changed by unaligned direct write (git-fixes). - commit c5a2490 - exfat: fix zero the unwritten part for dio read (git-fixes). - commit ab0ec4f - hfs: Sanity check the root record (git-fixes). - commit 6977b91 - dlm: fix srcu_read_lock() return type to int (git-fixes). - commit 3303370 - exfat: fix out-of-bounds access of directory entries (bsc#1234857 CVE-2024-53147). - commit 8127e11 - exfat: change to get file size from DataLength (bsc#1234857 CVE-2024-53147). - commit 34f63a5 - exfat: convert to ctime accessor functions (git-fixes). - commit 430eb66 - mmc: mtk-sd: Fix register settings for hs400(es) mode (git-fixes). - commit 0e84651 - smb: client: instantiate when creating SFU files (git-fixes). - commit 1658f01 - smb: client: handle lack of FSCTL_GET_REPARSE_POINT support (git-fixes). - commit eacadae - smb: client: return reparse type in /proc/mounts (git-fixes). - commit 5c949e8 - smb: client: set correct d_type for reparse DFS/DFSR and mount point (git-fixes). - commit 99477ce - smb: client: Fix a NULL vs IS_ERR() check in wsl_set_xattrs() (git-fixes). - commit dcd4483 - smb: client: parse uid, gid, mode and dev from WSL reparse points (git-fixes). - commit 86b1707 - smb: client: introduce SMB2_OP_QUERY_WSL_EA (git-fixes). - Refresh patches.suse/smb-client-fix-potential-UAF-in-cifs_debug_files_proc_show-.patch. - commit 6f30059 - smb: client: get rid of smb311_posix_query_path_info() (git-fixes). - commit 08f4b23 - smb: client: add support for WSL reparse points (git-fixes). - commit 4773bbe - smb: client: reduce number of parameters in smb2_compound_op() (git-fixes). - commit 5bf06b7 - smb: client: retry compound request without reusing lease (git-fixes). - commit 44ecf42 - smb: client: reuse file lease key in compound operations (git-fixes). - commit e1d39cc - smb: client: parse owner/group when creating reparse points (git-fixes). - commit 2b1f34d - cifs: open_cached_dir(): add FILE_READ_EA to desired access (git-fixes). - commit f59c050 - cifs: update the same create_guid on replay (git-fixes). - commit 651496d - smb: client: reduce stack usage in smb2_query_reparse_point() (git-fixes). - commit a2f52a1 - cifs: update desired access while requesting for directory lease (git-fixes). - commit 3577933 - smb: client: move most of reparse point handling code to common file (git-fixes). - commit 90c5825 - smb: client: handle special files and symlinks in SMB3 POSIX (git-fixes). - commit 7ddb775 - smb: client: cleanup smb2_query_reparse_point() (git-fixes). - commit 56a04ed - smb: client: fix OOB in smb2_query_reparse_point() (git-fixes). - commit a9edfbd - smb: client: allow creating symlinks via reparse points (git-fixes). - commit 93e7dee - smb: client: fix hardlinking of reparse points (git-fixes). - commit 6805b33 - drm/i915/selftests: avoid using uninitialized context (git-fixes). - drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() (git-fixes). - spi: sn-f-ospi: Fix division by zero (git-fixes). - regmap-irq: Add missing kfree() (git-fixes). - batman-adv: fix panic during interface removal (git-fixes). - can: etas_es58x: fix potential NULL pointer dereference on udev-&gt;serial (git-fixes). - can: c_can: fix unbalanced runtime PM disable in error path (git-fixes). - can: ctucanfd: handle skb allocation failure (git-fixes). - can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero (git-fixes). - wifi: ath12k: fix handling of 6 GHz rules (git-fixes). - commit 30daf36 - smb: client: fix missing mode bits for SMB symlinks (git-fixes). - commit 8fa207f - smb: client: stop revalidating reparse points unnecessarily (git-fixes). - commit ce08be7 - smb: client: fix potential broken compound request (git-fixes). - commit a4415de - smb: client: fix renaming of reparse points (git-fixes). - commit 32e853e - smb: client: optimise reparse point querying (git-fixes). - commit a53eec6 - smb: client: allow creating special files via reparse points (git-fixes). - commit 74e26d4 - smb: client: introduce cifs_sfu_make_node() (git-fixes). - commit 39b0787 - smb: client: set correct file type from NFS reparse points (git-fixes). - Delete patches.suse/cifs-Fix-buffer-overflow-when-parsing-NFS-reparse-points.patch. (deleted patch will be added later) - commit 7b28133 - smb: client: introduce -&gt;parse_reparse_point() (git-fixes). - commit 5e66e50 - smb3: fix creating FIFOs when mounting with &quot;sfu&quot; mount option (git-fixes). - commit 82c7e6d - mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow (CVE-2024-50085 bsc#1232508) - commit 25971ed - smb: client: Fix minor whitespace errors and warnings (git-fixes). - commit 1eedc39 - smb: use kernel_connect() and kernel_bind() (git-fixes). - commit 6936009 - smb: client: introduce reparse mount option (git-fixes). - commit e5a8c1e - smb: client: implement -&gt;query_reparse_point() for SMB1 (git-fixes). - commit 2615bfd - smb: cilent: set reparse mount points as automounts (git-fixes). - commit da6e3c8 - smb: client: do not query reparse points twice on symlinks (git-fixes). - commit b7e62c9 - s390/futex: Fix FUTEX_OP_ANDN implementation (git-fixes bsc#1237158). - commit 3e00897 - KVM: s390: vsie: fix some corner-cases when grabbing vsie pages (git-fixes bsc#1237155). - commit 6d87f47 - net/smc: support ipv4 mapped ipv6 addr client for smc-r v2 (bsc#1236994). - net: smc: fix spurious error message from __sock_release() (bsc#1237126). - commit 2c0a5e1 - mptcp: fix data races on local_id (git-fixes) - Refresh patches.suse/mptcp-fix-data-races-on-remote_id.patch - commit 661ea6e - mptcp: pm: fullmesh: select the right ID later (git-fixes) - commit 1d30f2b - mptcp: pm: only in-kernel cannot have entries with ID 0 (git-fixes) - commit 8638b2c - mptcp: unify pm set_flags interfaces (git-fixes) - commit 493b268 - mptcp: unify pm get_flags_and_ifindex_by_id (git-fixes) - commit 57ae267 - mptcp: unify pm get_local_id interfaces (git-fixes) - commit f1f0e12 - mptcp: export local_address (git-fixes) - commit 2e22243 - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR (git-fixes) - commit 9c72df8 - mptcp: pm: only decrement add_addr_accepted for MPJ req (CVE-2024-45009 bsc#1230438) - commit 9337031 - mptcp: pm: only mark 'subflow' endp as available (CVE-2024-45010 bsc#1230439) - commit 9e1f869 - mptcp: pm: remove mptcp_pm_remove_subflow (git-fixes) - commit 0d1e602 - Update config files. Use the upstream default for TSX_MODE. - commit 55bbd12 - mptcp: pm: re-using ID of unused flushed subflows (git-fixes) - commit 2798558 - mptcp: pm: re-using ID of unused removed subflows (git-fixes) - commit 405e62f - mptcp: pm: re-using ID of unused removed ADD_ADDR (git-fixes) - commit 42e63a4 - mptcp: fix NL PM announced address accounting (git-fixes) - commit 28d5efa - mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID (git-fixes) - commit adfc1dd - mptcp: pm: avoid possible UaF when selecting endp (CVE-2024-44974 bsc#1230235) - commit e827535 - mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set (git-fixes) - commit 262fe7b - mptcp: pm: deny endp with signal + subflow + port (git-fixes) - commit 20e7fdf - mptcp: fully established after ADD_ADDR echo on MPJ (git-fixes) - commit 54ad8c1 - mptcp: pm: don't try to create sf if alloc failed (git-fixes) - commit 9185902 - mptcp: pm: reduce indentation blocks (git-fixes) - commit a393115 - mptcp: pass addr to mptcp_pm_alloc_anno_list (git-fixes) - commit 71a0164 - mptcp: handle consistently DSS corruption (CVE-2024-50185 bsc#1233109) - commit 01e9763 - powerpc/pseries/iommu: Split Dynamic DMA Window to be used in Hybrid mode (ltc#210895 bsc#1235933 ltc#210896 bsc#1235932). - Refresh patches.suse/powerpc-pseries-iommu-IOMMU-incorrectly-marks-MMIO-r.patch - commit d8f69df - usb: dwc3: core: Defer the probe until USB power supply ready (git-fixes). - commit f3ecf26 - vfio/platform: check the bounds of read/write syscalls (bsc#1237045 CVE-2025-21687). - commit e52d676 - xhci: dbgtty: remove kfifo_out() wrapper (git-fixes). - commit 806156f - net: sched: fix ets qdisc OOB Indexing (bsc#1237028 CVE-2025-21692). - commit 1b093fe - RDMA/rxe: Improve newline in printing messages (git-fixes) - Refresh patches.suse/RDMA-rxe-Fix-mismatched-max_msg_sz.patch - Pickup RXE code change introduced by upstream merge: af96134dc856 (&quot;Merge tag 'rcu.2023.06.22a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu&quot;) - commit 1492681 - smb: client: fix possible double free in smb2_set_ea() (git-fixes). - commit b6cd961 - powerpc/trace: Add support for HAVE_FUNCTION_ARG_ACCESS_API (bsc#1236967 ltc#210988). - Update config files. - commit 83bff51 - Update &quot;drm/mgag200: Added support for the new device G200eH5&quot; (jsc#PED-12094) Update to match upstream commit 6636c58b946c (&quot;drm/mgag200: Added support for the new device G200eH5&quot;). - commit 7ba9f89 - usb: xhci: Fix NULL pointer dereference on certain command aborts (git-fixes). - commit 8628513 - util_macros.h: fix/rework find_closest() macros (git-fixes). - commit 01b2939 - s390/topology: Improve topology detection (bsc#1236591). - commit 101e515 - HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() (git-fixes). - HID: multitouch: Add NULL check in mt_input_configured (git-fixes). - pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware (git-fixes). - commit 1dbe333 - scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes). - commit 93c01ea - net/mlx5: Fix msix vectors to respect platform limit (bsc#1225981). - commit b7a2367 - s390/pci: Fix SR-IOV for PFs initially in standby (git-fixes bsc#1236752). - commit dcf85a0 - s390/pci: Fix leak of struct zpci_dev when zpci_add_device() fails (bsc#1236752). - s390/pci: Ignore RID for isolated VFs (bsc#1236752). - s390/pci: Use topology ID for multi-function devices (bsc#1236752). - s390/pci: Sort PCI functions prior to creating virtual busses (bsc#1236752). - commit 004cfd2 - iommu/arm-smmu: Make instance lookup robust (bsc#1235032, CVE-2024-56568). - commit 8f1b23e - Update patches.suse/ALSA-6fire-Release-resources-at-card-release.patch (git-fixes CVE-2024-53239 bsc#1235054 bsc#1234853). - Update patches.suse/Bluetooth-L2CAP-Fix-uaf-in-l2cap_connect.patch (CVE-2024-49950 bsc#1232159 bsc#1225742). - Update patches.suse/Bluetooth-L2CAP-do-not-leave-dangling-sk-pointer-on-.patch (stable-fixes CVE-2024-56605 bsc#1235061 bsc#1234853). - Update patches.suse/KVM-nSVM-Ignore-nCR3-4-0-when-loading-PDPTEs-from-me.patch (CVE-2024-50115 bsc#1232919 bsc#1225742). - Update patches.suse/NFSv4.0-Fix-a-use-after-free-problem-in-the-asynchronous-open.patch (git-fixes CVE-2024-53173 bsc#1234891 bsc#1234853). - Update patches.suse/RDMA-hns-Fix-NULL-pointer-derefernce-in-hns_roce_map.patch (git-fixes CVE-2024-53226 bsc#1236576). - Update patches.suse/ext4-avoid-OOB-when-system.data-xattr-changes-undern.patch (bsc#1231920 CVE-2024-47701 bsc#1225742). - Update patches.suse/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch (bsc#1232201 CVE-2024-49884 bsc#1232198 bsc#1225742). - Update patches.suse/hfsplus-don-t-query-the-device-logical-block-size-multiple-times.patch (git-fixes CVE-2024-56548 bsc#1235073 bsc#1234853). - Update patches.suse/mac802154-check-local-interfaces-before-deleting-sda.patch (stable-fixes CVE-2024-57948 bsc#1236677). - Update patches.suse/media-amphion-Set-video-drvdata-before-register-vide.patch (git-fixes CVE-2024-56579 bsc#1236575). - Update patches.suse/mm-prevent-derefencing-NULL-ptr-in-pfn_section_valid.patch (git-fixes CVE-2024-41055 bsc#1228521). - Update patches.suse/pinctrl-mcp23s08-Fix-sleeping-in-atomic-context-due-.patch (git-fixes CVE-2024-57889 bsc#1236573). - Update patches.suse/tty-n_gsm-Fix-use-after-free-in-gsm_cleanup_mux.patch (stable-fixes CVE-2024-50073 bsc#1232520 bsc#1225742). - Update patches.suse/vfio-pci-Lock-external-INTx-masking-ops.patch (bsc#1222803 CVE-2024-26810). - Update patches.suse/wifi-mwifiex-Fix-memcpy-field-spanning-write-warning-d241a13.patch (git-fixes CVE-2024-56539 bsc#1234963 bsc#1234853). - commit 2e394be - Update patches.suse/netfilter-nf_tables-don-t-fail-inserts-if-dupl.patch (bsc#1012628 CVE-2023-52925 bsc#1236822). - Update patches.suse/netfilter-nf_tables-don-t-skip-expired-element.patch (bsc#1012628 CVE-2023-52924 bsc#1236821). - commit 6257a48 - tg3: Disable tg3 PCIe AER on system reboot (bsc#1219367). - commit 43ff004 - wifi: mt76: mt7915: improve hardware restart reliability (stable-fixes). - commit 8478fb6 - ASoC: Intel: avs: Prefix SKL/APL-specific members (stable-fixes). - Refresh patches.suse/ASoC-Intel-avs-Fix-theoretical-infinite-loop.patch. - commit 01a2134 - serial: sc16is7xx: use device_property APIs when configuring irda mode (stable-fixes). - Refresh patches.suse/serial-sc16is7xx-remove-global-regmap-from-struct-sc.patch. - commit 5b3248c - ASoC: Intel: avs: Do not readq() u32 registers (git-fixes). - ALSA: seq: Make dependency on UMP clearer (git-fixes). - crypto: hisilicon/sec2 - fix for aead invalid authsize (git-fixes). - crypto: hisilicon/sec2 - fix for aead icv error (git-fixes). - wifi: mt76: mt7915: fix omac index assignment after hardware reset (git-fixes). - drm/rockchip: vop2: include rockchip_drm_drv.h (git-fixes). - drm/rockchip: vop2: Fix the windows switch between different layers (git-fixes). - wifi: mt76: connac: move mt7615_mcu_del_wtbl_all to connac (stable-fixes). - ASoC: Intel: avs: Abstract IPC handling (stable-fixes). - ALSA: seq: remove redundant 'tristate' for SND_SEQ_UMP_CLIENT (stable-fixes). - drm/rockchip: vop2: set bg dly and prescan dly at vop2_post_config (stable-fixes). - drm/rockchip: vop2: Set YUV/RGB overlay mode (stable-fixes). - drm/rockchip: move output interface related definition to rockchip_drm_drv.h (stable-fixes). - crypto: hisilicon/sec2 - optimize the error return process (stable-fixes). - commit 21fab4a - drm/i915/dp: Iterate DSC BPP from high to low on all platforms (git-fixes). - drm/i915/guc: Debug print LRC state entries only if the context is pinned (git-fixes). - drm/i915/pmu: Fix zero delta busyness issue (git-fixes). - gpu: drm_dp_cec: fix broken CEC adapter properties check (git-fixes). - drm/komeda: Add check for komeda_get_layer_fourcc_list() (git-fixes). - firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry (git-fixes). - ACPI: property: Fix return value for nval == 0 in acpi_data_prop_read() (git-fixes). - ACPI: PRM: Remove unnecessary strict handler address checks (git-fixes). - gpio: pca953x: Improve interrupt support (git-fixes). - commit e018ad6 - mptcp: fix recvbuffer adjust on sleeping rcvmsg (git-fixes) - commit 4ce1907 - filemap: avoid truncating 64-bit offset to 32 bits (CVE-2025-21665 bsc#1236684). - commit 597c6a3 - smb: client: fix double free of TCP_Server_Info::hostname (CVE-2025-21673 bsc#1236689). - commit 3139e94 - openvswitch: fix lockup on tx to unregistering netdev with carrier (CVE-2025-21681 bsc#1236702). - commit b85304e - pmdomain: imx8mp-blk-ctrl: add missing loop break condition (CVE-2025-21668 bsc#1236682). - commit 99dbd95 - iomap: avoid avoid truncating 64-bit offset to 32 bits (CVE-2025-21667 bsc#1236681). - commit e233a3c - cpufreq: qcom-nvmem: add support for IPQ8064 (git-fixes). - Refresh patches.suse/cpufreq-qcom-nvmem-Enable-virtual-power-domain-devices.patch. - commit f530449 - drm/amdgpu: fix UVD contiguous CS mapping problem (bsc#1236759). - commit 785700c - cpufreq: mediatek-hw: Don't error out if supply is not found (git-fixes). - commit 8cc17c1 - mptcp: error out earlier on disconnect (CVE-2024-53123 bsc#1234070) - commit b7c16f4 - drop_monitor: replace spin_lock by raw_spin_lock (CVE-2024-40980 bsc#1227937) - commit 72b4850 - xfrm: validate new SA's prefixlen using SA family when sel.family is unset (CVE-2024-50142 bsc#1233028) - commit 821a08b - selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap (bsc#1235485 CVE-2024-56633). - tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg (bsc#1235485 CVE-2024-56633). - commit 92f3cb7 - smb: During unmount, ensure all cached dir instances drop their dentry (bsc#1231432, bsc#1234894, CVE-2024-53176). - commit c66b2d4 - smb: client: reduce stack usage in smb2_set_ea() (bsc#1231432). - Refresh patches.suse/smb-client-fix-potential-UAF-in-cifs_debug_files_proc_show-.patch. - commit b56ad4e - smb: client: properly close cfids on umount (bsc#1231432, bsc#1232299, bsc#1235599, bsc#1234896). - commit 189365b - drm/mgag200: Added support for the new device G200eH5 (jsc#PED-12094) - commit 5e11827 - cpufreq: qcom-nvmem: drop pvs_ver for format a fuses (git-fixes). - commit 60005f6 - cpufreq: qcom: Implement clk_ops::determine_rate() for qcom_cpufreq* clocks (git-fixes). - cpufreq: qcom: Fix qcom_cpufreq_hw_recalc_rate() to query LUT if LMh IRQ is not available (git-fixes). - commit 3e10296 - cpufreq: mediatek-hw: Wait for CPU supplies before probing (git-fixes). - commit b08f9e8 - sched: sch_cake: add bounds checks to host bulk flow fairness counts (CVE-2025-21647 bsc#1236133). - commit 1f1bc5f - locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() (git-fixes). - commit c137ed9 - lockdep: fix deadlock issue between lockdep and rcu (git-fixes). - commit d6daab7 - locking/rwsem: Add __always_inline annotation to __down_write_common() and inlined callers (git-fixes). - commit 1366984 - selftests/futex: pass _GNU_SOURCE without a value to the compiler (git-fixes). - commit 6c47425 - futex: Don't include process MM in futex key on no-MMU (git-fixes). - commit 925398b - cpufreq: qcom-nvmem: use helper to get SMEM SoC ID (git-fixes). - cpufreq: qcom-nvmem: use SoC ID-s from bindings (git-fixes). - soc: qcom: smem: introduce qcom_smem_get_soc_id() (git-fixes). - soc: qcom: socinfo: move SMEM item struct and defines to a header (git-fixes). - commit 870636f Package libX11 was updated: - U_CVE-2025-26597-0001-xkb-Fix-buffer-overflow-in-XkbChangeTypesOfKey.patch * Buffer overflow in XkbChangeTypesOfKey() (CVE-2025-26597, bsc#1237431) Package freetype2 was updated: - Added patch: * CVE-2025-27363.patch + fixes bsc#1239465, CVE-2025-27363: out-of-bounds write when attempting to parse font subglyph structures related to TrueType GX and variable font files Package libgcrypt was updated: - FIPS: Differentiate non-compliant flags in the SLI [bsc#1225939] * Add libgcrypt-FIPS-SLI-Differentiate-non-compliant-flags-in-the-SLI.patch - FIPS: Implement KAT for non-deterministic ECDSA [bsc#1225939] * Add libgcrypt-FIPS-SLI-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch - FIPS: Disable setting the library in non-FIPS mode [bsc#1220893] * Add libgcrypt-FIPS-disable-GCRYCTL_NO_FIPS_MODE.patch - FIPS: Disallow rsa &lt; 2048 [bsc#1225941] * Mark RSA operations with keysize &lt; 2048 as non-approved in the SLI * Add libgcrypt-FIPS-SLI-Disallow-RSA-keys-with-size-lt-2048.patch - FIPS: Service level indicator for libgcrypt [bsc#1225939] * Factor out `prepare_datasexp_to_be_signed` for FIPS SLI * Add libgcrypt-FIPS-SLI-Factor-out-data-SEXP-preparation.patch * Include missing checks for EdDSA and ECDSA for FIPS SLI * Add libgcrypt-FIPS-SLI-Only-allow-defined-digest-algo-for-EdDSA.patch * Add libgcrypt-FIPS-SLI-Reject-use-of-SHAKE-when-its-ECDSA-with-RFC6979.patch * Include upstream patches for FIPS SLI for libgcrypt * Add libgcrypt-FIPS-SLI-Introduce-an-internal-API-for-FIPS-service-indicator.patch * Add libgcrypt-FIPS-SLI-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch * Add libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch * Add libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_md_hash_*.patch * Add libgcrypt-FIPS-SLI-Add-t-digest.patch * Add libgcrypt-FIPS-SLI-Fix-t-digest-for-a-minimal-configuration.patch * Add libgcrypt-FIPS-SLI-Extend-tests-t-digest-to-test-hmac-too.patch * Add libgcrypt-FIPS-SLI-Fix-comment-in-t-thread-local.patch * Add libgcrypt-FIPS-SLI-Change-the-internal-API-for-new-FIPS-service-indicator.patch * Add libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch * Add libgcrypt-FIPS-SLI-Add-tests-for-md_open-write-read-close-for-t-digest.patch * Add libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch * Add libgcrypt-FIPS-SLI-Implement-new-FIPS-service-indicator-for-cipher_open.patch * Add libgcrypt-FIPS-SLI-Add-gcry_mac_open-tests.patch * Add libgcrypt-FIPS-SLI-Rename-t-fips-service-ind.patch * Add libgcrypt-FIPS-SLI-Move-KDF-tests-to-t-fips-service-ind.patch * Add libgcrypt-FIPS-SLI-Add-gcry_cipher_open-tests.patch * Add libgcrypt-FIPS-SLI-gcry_md_copy-should-care-about-FIPS-service-indicator.patch * Add libgcrypt-FIPS-SLI-Implement-FIPS-service-indicator-for-gcry_pk_hash_API.patch * Add libgcrypt-FIPS-SLI-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch * Add libgcrypt-FIPS-SLI-Fix-the-previous-change.patch * Add libgcrypt-FIPS-SLI-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch * Add libgcrypt-FIPS-SLI-Add-behavior-not-to-reject-but-mark-non-compliant.patch * Add libgcrypt-FIPS-SLI-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch * Add libgcrypt-FIPS-SLI-Add-more-tests-to-tests-t-fips-service-ind.patch * Add libgcrypt-FIPS-SLI-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch * Add libgcrypt-FIPS-SLI-Fix-memory-leak-for-gcry_pk_hash_sign.patch * Add libgcrypt-FIPS-SLI-Improve-__thread-specifier-check.patch * Add libgcrypt-FIPS-SLI-mark-non-compliant-cipher-modes-as-non-approved-in-the-SLI.patch * Add libgcrypt-FIPS-SLI-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-.patch * Add libgcrypt-FIPS-SLI-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch * Implement `hex2buffer` in tests/t-common.h for FIPS SLI testing * Add hex2buffer-Factor-from-existing-uses.patch * Remove redundant/reworked patches now in FIPS SLI * Remove libgcrypt-FIPS-SLI-pk.patch * Remove libgcrypt-FIPS-SLI-hash-mac.patch * Remove libgcrypt-FIPS-SLI-kdf-leylength.patch * Rebased patches: * libgcrypt-1.10.0-allow_FSM_same_state.patch * libgcrypt-no-deprecated-grep-alias.patch * libgcrypt-FIPS-rndjent_poll.patch * libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch - FIPS: Consider deprecate sha1 [bsc#1225942] * In FIPS 180-5 revision, NIST announced EOL for SHA-1 and will transition at the end of 2030. Mark SHA1 as non-approved in SLI. * Add libgcrypt-FIPS-SLI-md-Make-SHA1-non-FIPS-and-differentiate-in-the-SLI.patch * Add libgcrypt-FIPS-SLI-cipher-Differentiate-SHA1-with-GCRY_FIPS_FLAG_REJECT_MD_SHA1.patch - FIPS: Unnecessary RSA KAT Encryption/Decryption [bsc#1225936] * cipher: Do not run RSA encryption selftest by default * Add libgcrypt-FIPS-SLI-Do-not-run-RSA-encryption-selftest-by-default.patch - FIPS: Make sure that Libgcrypt makes use of the built-in Jitter RNG for the whole length entropy buffer in FIPS mode. [bsc#1220893] * Add libgcrypt-FIPS-jitter-whole-entropy.patch - FIPS: Set the FSM into error state if Jitter RNG is returning an error code to the caller when an health test error occurs when random bytes are requested through the jent_read_entropy_safe() function. [bsc#1220895] * Add libgcrypt-FIPS-jitter-errorcodes.patch - FIPS: Replace the built-in jitter rng with standalone version * Remove the internal jitterentropy copy [bsc#1220896] * Add libgcrypt-FIPS-jitter-standalone.patch * Remove not needed libgcrypt-jitterentropy-3.4.0.patch Package gnutls was updated: - Security fix [bsc#1236974, CVE-2024-12243] * gnutls: inefficient DER Decoding in libtasn1 could lead to remote DoS * Add gnutls-CVE-2024-12243.patch Package xz was updated: - Add CVE-2025-31115.patch * Fix heap use after free and writing to an address based on the null pointer plus an offset (CVE-2025-31115, bsc#1240414) Package nfs-utils was updated: - rpc.idmapd: nfsopen() failures should not be fatal (bsc#1239165) - add 0007-rpc.idmapd-nfsopen-failures-should-not-be-fatal.patch - enable ldap support for nfsidmap (bsc#1226533) Package procps was updated: - Add patch CVE-2023-4016-part2.patch * Fix the ps command segfaults when pid argument has a leading space (bsc#1236842) Package python3 was updated: - Update CVE-2024-11168-validation-IPv6-addrs.patch according to the Debian version (gh#python/cpython#103848#issuecomment-2708135083). Package ruby2.5 was updated: - remove rexml-test.patch as it is included in suse.patch now- update suse.patch to f0660edeba - fix HTTP request smuggling in WEBrick bsc#1230930 CVE-2024-47220 - update REXML to 3.3.9 to fix ReDOS vulnerability bsc#1232440 CVE-2024-49761 - [ruby/uri] Fix quadratic backtracking on invalid relative URI - [ruby/time] Make RFC2822 regexp linear - [ruby/time] Fix quadratic backtracking on invalid time - merge some parts of CGI 0.1.1 Package systemd was updated: - Import commit 83b9060b6e4c9cdffbbed0e27467cbd2f806dc0d 09b7477895 udev: allow/denylist for reading sysfs attributes when composing a NIC name (bsc#1234015) - Drop 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch The path has been merged into the SUSE/v254 branch. - Import commit 2b599c7501253b0e6b7987fdb2676af21bc72ab3 (merge of v254.24) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/b25faa18ee7ef3c2d0b16416dfa331d0013dd112...2b599c7501253b0e6b7987fdb2676af21bc72ab3 - Import commit b25faa18ee7ef3c2d0b16416dfa331d0013dd112 b4693652f3 journald: close runtime journals before their parent directory removed 044d051f0c journald: reset runtime seqnum data when flushing to system journal (bsc#1236886) - Move systemd-userwork from the experimental sub-package to the main package (bsc#1236643) It is likely an oversight from when systemd-userdb was migrated from the experimental package to the main one. Package libxml2 was updated: - security update- added patches fix CVE-2024-56171 [bsc#1237363], use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c + libxml2-CVE-2024-56171.patch fix CVE-2025-24928 [bsc#1237370], stack-based buffer overflow in xmlSnprintfElements in valid.c + libxml2-CVE-2025-24928.patch fix CVE-2025-27113 [bsc#1237418], NULL Pointer Dereference in libxml2 xmlPatMatch + libxml2-CVE-2025-27113.patch Package libxslt was updated: - Security fixes: * Fix use-after-free of XPath context node [bsc#1239625, CVE-2025-24855] * Fix UAF related to excluded namespaces [bsc#1239637, CVE-2024-55549] * Make generate-id() deterministic [bsc#1238591, CVE-2023-40403] Just adding the reference here as this CVE was already fixed in 0009-Make-generate-id-deterministic.patch * Rebase patches to use autosetup: - libxslt-1.1.24-no-net-autobuild.patch - libxslt-config-fixes.patch * Add patches: - libxslt-CVE-2024-55549.patch - libxslt-CVE-2025-24855.patch Package libzypp was updated: - Disable zypp.conf:download.use_deltarpm by default (fixes #620) Measurements show that you don't benefit from using deltarpms unless your network connection is very slow. That's why most distributions even stop offering deltarpms. The default remains unchanged on SUSE-15.6 and older. - Make sure repo variables are evaluated in the right context (bsc#1237044) - Introducing MediaCurl2 a alternative HTTP backend. This patch adds MediaCurl2 as a testbed for experimenting with a more simple way to download files. Set ZYPP_CURL2=1 in the environment to use it. - version 17.36.3 (35) - Filesystem usrmerge must not be done in singletrans mode (bsc#1236481, bsc#1189788) Commit will amend the backend in case the transaction would perform a filesystem usrmerge. - Workaround bsc#1216091 on Code16. - version 17.36.2 (35) Package mozilla-nss was updated: - Updated nss-fips-approved-crypto-non-ec.patch to not pass in bad targetKeyLength parameters when checking for FIPS approval after keygen. This was causing false rejections. - Updated nss-fips-approved-crypto-non-ec.patch to approve RSA signature verification mechanisms with PKCS padding and legacy moduli (bsc#1222834). Package openssh was updated: - Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). The problem was introduced in the rebase of the patch for 9.6p1: * openssh-8.0p1-gssapi-keyex.patch - Rebase patch and apply it: * fix-memleak-in-process_server_config_line_depth.patch Package pkg-config was updated: Package python-instance-billing-flavor-check was updated: - Update to version 1.0.0 (jsc#PCT-531) + API incompatibility: The check_payg_byos function no longer exits, it now returns a tuple of (flavor, exit_code). This makes the function reusable. + Update the build setup to work with the system interpreter of upcoming SLE releases. SLE 12 stays with the Python 3.4 interpreter and SLE 15 with the Python 3.6 interpreter. Package python-Jinja2 was updated: Package python3-M2Crypto was updated: - Change macro to %{?sle15allpythons} so we build both Python 3.6 and Python 3.11 on SLE-15. - Fix spelling of BSD-2-Clause license. - Add rpmlintrc … overflow of ignorable rpmlint warnings caused me not to see the previous problem. - Update to 0.44.0: - fix(rsa): introduce internal cache for rsa.check_key() (bsc#1236664, srht#mcepl/m2crypto#369) - fix[authcookie]: modernize the module - fix(_lib): add missing #include for windows - ci: relax fedora crypto policy to legacy. - enhance setup.py for macos compatibility - prefer packaging.version over distutils.version - fix segfault with openssl 3.4.0 - fix[ec]: raise ioerror instead when load_key_bio() cannot read the file. - doc: update installation instructions for windows. - fix setting x509.verify_* variables - fix building against openssl in non-standard location - test_x509: use only x509_version_1 (0) as version for csr. - The real license is BSD 2-Clause, not MIT. - Update to 0.43.0: - feat[m2]: add m2.time_t_bits to checking for 32bitness. - fix[tests]: Use only X509_VERSION_1 (0) as version for CSR. - fix[EC]: raise ValueError when load_key_bio() cannot read the file (bsc#1231589). - ci: use -mpip wheel instead of -mbuild - fix: use PyMem_Malloc() instead of malloc() - fix[hints]: more work on conversion of type hints to the py3k ones - fix: make the package build even on Python 3.6 - ci[local]: skip freezing local tests - fix[hints]: remove AnyStr type - test: add suggested test for RSA.{get,set}_ex_data - fix: implement interfaces for RSA_{get,set}_ex_new_{data,index} - fix: generate src/SWIG/x509_v_flag.h to overcome weaknesses of swig - fix: replace literal enumeration of all VERIFY_ constants by a cycle - test: unify various test cases in test_ssl related to ftpslib - fix: replace deprecated url keyword in setup.cfg with complete project_urls map - Update 0.42.0: - allow ASN1_{Integer,String} be initialized directly - minimal infrastructure for type hints for a C extension and some type hints for some basic modules - time_t on 32bit Linux is 32bit (integer) not 64bit (long) - EOS for CentOS 7 - correct checking for OpenSSL version number on Windows - make compatible with Python 3.13 (replace PyEval_CallObject with PyObject_CallObject) - fix typo in extern function signature (and proper type of engine_ctrl_cmd_string()) - move the package to Sorucehut - setup CI to use Sourcehut CI - setup CI on GitLab for Windows as well (remove Appveyor) - initial draft of documentation for migration to pyca/cryptography - fix Read the Docs configuration (contributed kindly by Facundo Tuesca) - Remove upstreamed 32bit_ASN1_Time.patch - Remove python-M2Crypto.keyring, because PyPI broke GPG support - Build for modern python stack on SLE/Leap Package zypp-plugin was updated: - version 0.6.5 - Build package for multiple Python flavors on the SLE15 family (fixes #4) Package samba was updated: - Fix crossing automounter mount points; (bsc#1215212); (bsc#1236803); - Update shipped /etc/samba/smb.conf to point to smb.conf man page;(bsc#1233880). Package suse-build-key was updated: - changed keys to use SHA256 UIDs instead of SHA1. (bsc#1237294 bsc#1236779 jsc#PED-12321) - gpg-pubkey-3fa1d6ce-67c856ee.asc to gpg-pubkey-09d9ea69-67c857f3.asc - gpg-pubkey-09d9ea69-645b99ce.asc to gpg-pubkey-3fa1d6ce-63c9481c.asc - suse_ptf_key_2023.asc, suse_ptf_key.asc: adjusted Package timezone was updated: - Update to 2025a: * Paraguay adopts permanent -03 starting spring 2024 * Improve pre-1991 data for the Philippines * Etc/Unknown is now reserved - Update to 2024b: * Improve historical data for Mexico, Mongolia, and Portugal. * System V names are now obsolescent. * The main data form now uses %z. * The code now conforms to RFC 8536 for early timestamps. * Support POSIX.1-2024, which removes asctime_r and ctime_r. * Assume POSIX.2-1992 or later for shell scripts. * SUPPORT_C89 now defaults to 1. - Add revert-philippines-historical-data.patch, revert-systemv-deprecation.patch * Fixes testsuite failures for other packages Package vim was updated: - Introduce patch to fix bsc#1235751 (regression). * vim-9.1.1134-revert-putty-terminal-colors.patch - Update to 9.1.1176. Changes: * 9.1.1176: wrong indent when expanding multiple lines * 9.1.1175: inconsistent behaviour with exclusive selection and motion commands * 9.1.1174: tests: Test_complete_cmdline() may fail * 9.1.1173: filetype: ABNF files are not detected * 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file * 9.1.1171: tests: wrong arguments passed to assert_equal() * 9.1.1170: wildmenu highlighting in popup can be improved * 9.1.1169: using global variable for get_insert()/get_lambda_name() * 9.1.1168: wrong flags passed down to nextwild() * 9.1.1167: mark '] wrong after copying text object * 9.1.1166: command-line auto-completion hard with wildmenu * 9.1.1165: diff: regression with multi-file diff blocks * 9.1.1164: [security]: code execution with tar.vim and special crafted tar files * 9.1.1163: $MYVIMDIR is set too late * 9.1.1162: completion popup not cleared in cmdline * 9.1.1161: preinsert requires bot &quot;menu&quot; and &quot;menuone&quot; to be set * 9.1.1160: Ctrl-Y does not work well with &quot;preinsert&quot; when completing items * 9.1.1159: $MYVIMDIR may not always be set * 9.1.1158: :verbose set has wrong file name with :compiler! * 9.1.1157: command completion wrong for input() * 9.1.1156: tests: No test for what patch 9.1.1152 fixes * 9.1.1155: Mode message not cleared after :silent message * 9.1.1154: Vim9: not able to use autoload class accross scripts * 9.1.1153: build error on Haiku * 9.1.1152: Patch v9.1.1151 causes problems * 9.1.1151: too many strlen() calls in getchar.c * 9.1.1150: :hi completion may complete to wrong value * 9.1.1149: Unix Makefile does not support Brazilian lang for the installer * 9.1.1148: Vim9: finding imported scripts can be further improved * 9.1.1147: preview-window does not scroll correctly * 9.1.1146: Vim9: wrong context being used when evaluating class member * 9.1.1145: multi-line completion has wrong indentation for last line * 9.1.1144: no way to create raw strings from a blob * 9.1.1143: illegal memory access when putting a register * 9.1.1142: tests: test_startup fails if $HOME/$XDG_CONFIG_HOME is defined * 9.1.1141: Misplaced comment in readfile() * 9.1.1140: filetype: m17ndb files are not detected * 9.1.1139: [fifo] is not displayed when editing a fifo * 9.1.1138: cmdline completion for :hi is too simplistic * 9.1.1137: ins_str() is inefficient by calling STRLEN() * 9.1.1136: Match highlighting marks a buffer region as changed * 9.1.1135: 'suffixesadd' doesn't work with multiple items * 9.1.1134: filetype: Guile init file not recognized * 9.1.1133: filetype: xkb files not recognized everywhere * 9.1.1132: Mark positions wrong after triggering multiline completion * 9.1.1131: potential out-of-memory issue in search.c * 9.1.1130: 'listchars' &quot;precedes&quot; is not drawn on Tabs. * 9.1.1129: missing out-of-memory test in buf_write() * 9.1.1128: patch 9.1.1119 caused a regression with imports * 9.1.1127: preinsert text is not cleaned up correctly * 9.1.1126: patch 9.1.1121 used a wrong way to handle enter * 9.1.1125: cannot loop through pum menu with multiline items * 9.1.1124: No test for 'listchars' &quot;precedes&quot; with double-width char * 9.1.1123: popup hi groups not falling back to defaults * 9.1.1122: too many strlen() calls in findfile.c * 9.1.1121: Enter does not insert newline with &quot;noselect&quot; * 9.1.1120: tests: Test_registers fails * 9.1.1119: Vim9: Not able to use an autoloaded class from another autoloaded script * 9.1.1118: tests: test_termcodes fails * 9.1.1117: there are a few minor style issues * 9.1.1116: Vim9: super not supported in lambda expressions * 9.1.1115: [security]: use-after-free in str_to_reg() * 9.1.1114: enabling termguicolors automatically confuses users * 9.1.1113: tests: Test_terminal_builtin_without_gui waits 2 seconds * 9.1.1112: Inconsistencies in get_next_or_prev_match() * 9.1.1111: Vim9: variable not found in transitive import * 9.1.1110: Vim tests are slow and flaky * 9.1.1109: cmdexpand.c hard to read * 9.1.1108: 'smoothscroll' gets stuck with 'listchars' &quot;eol&quot; * 9.1.1107: cannot loop through completion menu with fuzzy * 9.1.1106: tests: Test_log_nonexistent() causes asan failure * 9.1.1105: Vim9: no support for protected new() method * 9.1.1104: CI: using Ubuntu 22.04 Github runners * 9.1.1103: if_perl: still some compile errors with Perl 5.38 * 9.1.1102: tests: Test_WinScrolled_Resized_eiw() uses wrong filename - 9.1.1101 is a fix for: bsc#1229685 (CVE-2024-43790) bsc#1229822 (CVE-2024-43802) bsc#1230078 (CVE-2024-45306) bsc#1235695 (CVE-2025-22134) bsc#1236151 (CVE-2025-24014) bsc#1237137 (CVE-2025-1215) - Remove obsoleted patch: * vim-7.3-mktemp_tutor.patch - update to 9.1.1101 * insexpand.c hard to read * tests: Test_log_nonexistent only works on Linux * Update base-syntax, improve variable matching * Vim9: import with extends may crash * leaking memory with completing multi lines * --log with non-existent path causes a crash * if_perl: Perl 5.38 adds new symbols causing link failure * tests: matchparen plugin test wrongly named * Vim9: problem finding implemented method in type hierarchy * runtime(qf): Update syntax file, match second delimiter * tests: output of test ...win32_ctrl_z depends on python version * tests: fix expected return code for python 3.13 on Windows * tests: timeout might be a bit too small * tests: test_terminwscroll_topline2 unreliable * tests: No check when tests are run under Github actions * tests: plugin tests are named inconsistently * Vim9: import with extends may crash * completion doesn't work with multi lines * filetype: cmmt files are not recognized * Unable to persistently ignore events in a window and its buffers * improve syntax highlighting * setreg() doesn't correctly handle mbyte chars in blockwise mode * unexpected DCS responses may cause out of bounds reads * has('bsd') is true for GNU/Hurd * filetype: Mill files are not recognized * GUI late startup leads to uninitialized scrollbars * Add support for lz4 to tar &amp; gzip plugin * Terminal ansi colors off by one after tgc reset * included syntax items do not understand contains=TOP * vim_strnchr() is strange and unnecessary * Vim9: len variable not used in compile_load() * runtime(vim): Update base-syntax, match :debuggreedy count prefix * Strange error when heredoc marker starts with &quot;trim&quot; * tests: test_compiler fails on Windows without Maven * 'diffopt' &quot;linematch&quot; cannot be used with {n} less than 10 * args missing after failing to redefine a function * Cannot control cursor positioning of getchar() * preinsert text completions not deleted with &lt;C-W&gt;/&lt;C-U&gt; * getchar() can't distinguish between C-I and Tab * tests: Test_termwinscroll_topline2 fails on MacOS * heap-use-after-free and stack-use-after-scope with :14verbose * no digraph for &quot;Approaches the limit&quot; * not possible to use plural forms with gettext() * too many strlen() calls in userfunc.c * terminal: E315 when dragging the terminal with the mouse * runtime(openPlugin): fix unclosed parenthesis in GetWordUnderCursor() * runtime(doc): Tweak documentation style a bit * tests: test_glvs fails when unarchiver not available * Vim always enables 'termguicolors' in a terminal * completion: input text deleted with preinsert when adding leader * translation(sr): Missing Serbian translation for the tutor * Superfluous cleanup steps in test_ins_complete.vim * runtime(netrw): correct wrong version check * Vim doesn't highlight to be inserted text when completing * runtime(netrw): upstream snapshot of v176 * runtime(dist/vim9): fix regressions in dist#vim9#Open * runtime(hyprlang): fix string recognition * make install fails because of a missing dependency * runtime(asm): add byte directives to syntax script * Vim doesn't work well with TERM=xterm-direct * runtime(filetype): commit 99181205c5f8284a3 breaks V lang detection * runtime: decouple Open and Launch commands and gx mapping from netrw * &quot;nosort&quot; enables fuzzy filtering even if &quot;fuzzy&quot; isn't in 'completeopt' * runtime(just): fix typo in syntax file * runtime(filetype): Improve Verilog detection by checking for modules definition * tests: off-by-one error in CheckCWD in test_debugger.vim * tests: no support for env variables when running Vim in terminal * too many strlen() calls in os_unix.c * insert-completed items are always sorted * crash after scrolling and pasting in silent Ex mode * Makefiles uses non-portable syntax * fuzzymatching doesn't prefer matching camelcase * filetype: N-Tripels and TriG files are not recognized * Vim9: Patch 9.1.1014 causes regressions * translation(sr): Update Serbian messages translation - updade to 9.1.1043 * [security]: segfault in win_line() * update helptags * filetype: just files are not recognized * Update base-syntax, match ternary and falsy operators * Vim9: out-of-bound access when echoing an enum * Vim9: imported type cannot be used as func return type * runtime(kconfig): updated ftplugin and syntax script * runtime(doc): rename last t_BG reference to t_RB * Vim9: comments are outdated * tests: test_channel.py fails with IPv6 * runtime(vim): Update base-syntax, fix is/isnot operator matching * Vim9: confusing error when using abstract method via super * make install fails when using shadowdir * Vim9: memory leak with blob2str() * runtime(tex): add texEmphStyle to texMatchGroup in syntax script * runtime(netrw): upstream snapshot of v175 * Vim9: compiling abstract method fails without return * runtime(c): add new constexpr keyword to syntax file (C23) * tests: shaderslang was removed from test_filetype erroneously * link error when FEAT_SPELL not defined * Coverity complains about insecure data handling * runtime(sh): update syntax script * runtime(c): Add missing syntax test files * filetype: setting bash filetype is backwards incompatible * runtime(c): Update syntax and ftplugin files * the installer can be improved * too many strlen() calls in screen.c * no sanitize check when running linematch * filetype: swc configuration files are not recognized * runtime(netrw): change netrw maintainer * wrong return type of blob2str() * blob2str/str2blob() do not support list of strings * runtime(doc): fix typo in usr_02.txt * Coverity complains about dereferencing NULL pointer * linematch option value not completed * string might be used without a trailing NUL * no way to get current selected item in a async context * filetype: fd ignore files are not recognized * v9.1.0743 causes regression with diff mode * runtime(doc): fix base64 encode/decode examples * Vim9: Patch 9.1.1013 causes a few problems * Not possible to convert string2blob and blob2string * Coverity complains about dereferencing NULL value * Vim9: variable not found in transitive import * runtime(colors): Update colorschemes, include new unokai colorscheme * Vim9: Regression caused by patch v9.1.0646 * runtime(lyrics): support milliseconds in syntax script * runtime(vim): Split Vim legacy and Vim9 script indent tests * Vim9: class interface inheritance not correctly working * popupmenu internal error with some abbr in completion item * filetype: VisualCode setting file not recognized * diff feature can be improved * tests: test for patch 9.1.1006 doesn't fail without the patch * filetype: various ignore are not recognized * tests: Load screendump files with &quot;git vimdumps&quot; * PmenuMatch completion highlight can be combined * completion text is highlighted even with no pattern found * tests: a few termdebug tests are flaky * [security]: heap-buffer-overflow with visual mode * runtime(doc): add package-&lt;name&gt; helptags for included packages * Vim9: unknown func error with interface declaring func var * runtime(filetype): don't detect string interpolation as angular * ComplMatchIns highlight hard to read on light background * runtime(vim): Update base-syntax, highlight literal string quote escape * runtime(editorconfig): set omnifunc to syntaxcomplete func * tests: ruby tests fail with Ruby 3.4 * Vim9: leaking finished exception * runtime(tiasm): use correct syntax name tiasm in syntax script * filetype: TI assembly files are not recognized * too many strlen() calls in drawscreen.c * runtime(xf86conf): add section name OutputClass to syntax script * ComplMatchIns may highlight wrong text * runtime(vim): Update base-syntax, improve ex-bang matching * runtime(doc): clarify buffer deletion on popup_close() * filetype: shaderslang files are not detected * Vim9: not able to use comment after opening curly brace - update to 9.1.0993 * 9.1.0993: New 'cmdheight' behavior may be surprising * runtime(sh): fix typo in Last Change header * 9.1.0992: Vim9: double-free after v9.1.0988 * 9.1.0991: v:stacktrace has wrong type in Vim9 script * runtime(sh): add PS0 to bashSpecialVariables in syntax script * runtime(vim): Remove trailing comma from match_words * runtime(zsh): sync syntax script with upstream repo * runtime(doc): Capitalise the mnemonic &quot;Zero&quot; for the 'z' flag of search() * 9.1.0990: Inconsistent behavior when changing cmdheight * 9.1.0989: Vim9: Whitespace after the final enum value causes a syntax error * runtime(java): Quietly opt out for unsupported markdown.vim versions * runtime(vim): fix failing vim syntax test * 9.1.0988: Vim9: no error when using uninitialized var in new() * runtime(doc): update index.txt * 9.1.0987: filetype: cake files are not recognized * 9.1.0986: filetype: 'jj' filetype is a bit imprecise * runtime(jj): Support diffs in jj syntax * runtime(vim): Update matchit pattern, no Vim9 short names * 9.1.0985: Vim9: some ex commands can be shortened * 9.1.0984: exception handling can be improved * runtime(doc): update doc for :horizontal * runtime(doc): update index.txt, windows.txt and version9.txt * runtime(doc): Tweak documentation about base64 function * runtime(chordpro): update syntax script * 9.1.0983: not able to get the displayed items in complete_info() * runtime(doc): use standard SGR format at :h xterm-true-color * 9.1.0982: TI linker files are not recognized * runtime(vim): update vim generator syntax script * 9.1.0981: tests: typo in test_filetype.vim * 9.1.0980: no support for base64 en-/decoding functions in Vim Script * syntax(sh): Improve the recognition of bracket expressions * runtime(doc): mention how NUL bytes are handled * 9.1.0979: VMS: type warning with $XDG_VIMRC_FILE * 9.1.0978: GUI tests sometimes fail when setting 'scroll' options * 9.1.0977: filetype: msbuild filetypes are not recognized * 9.1.0976: Vim9: missing return statement with throw * 9.1.0975: Vim9: interpolated string expr not working in object methods * 9.1.0974: typo in change of commit v9.1.0873 * 9.1.0973: too many strlen() calls in fileio.c * runtime(sh): set shellcheck as the compiler for supported shells * runtime(doc): Fix enum example syntax * 9.1.0972: filetype: TI linker map files are not recognized * runtime(vim): Improve syntax script generator for Vim Script * 9.1.0971: filetype: SLNX files are not recognized * 9.1.0970: VMS: build errors on VMS architecture * runtime(doc): Fix documentation typos * runtime(doc): update for new keyprotocol option value (after v9.1.0969) * 9.1.0969: ghostty not using kitty protocol by default * 9.1.0968: tests: GetFileNameChecks() isn't fully sorted by filetype name * runtime(doc): update version9.txt for bash filetype * runtime(netrw): update last change header for #16265 * runtime(doc): fix doc error in :r behaviour * 9.1.0967: SpotBugs compiler setup can be further improved * 9.1.0966: Vim9: :enum command can be shortened * runtime(compiler): include a basic bash syntax checker compiler * 9.1.0965: filetype: sh filetype set when detecting the use of bash * runtime(doc): clarify ARCH value for 32-bit in INSTALLpc.txt * 9.1.0963: fuzzy-matching does not prefer full match * 9.1.0962: filetype: bun.lock file is not recognized * runtime(vim): update indentation plugin for Vim script * runtime(doc): tweak documentation style in helphelp.txt * runtime(vim): Update base-syntax, allow parens in default arguments * runtime(doc): mention auto-format using clang-format for sound.c/sign.c * runtime(help): fix typo s/additional/arbitrary/ * runtime(help): Add better support for language annotation highlighting * 9.1.0961: filetype: TI gel files are not recognized * 9.1.0960: filetype: hy history files are not recognized * translation(fi): Fix typoes in Finish menu translation * 9.1.0959: Coverity complains about type conversion * runtime(vim): Use supported syntax in indent tests * 9.1.0958: filetype: supertux2 config files detected as lisp * 9.1.0956: completion may crash, completion highlight wrong with preview window * 9.1.0955: Vim9: vim9compile.c can be further improved * runtime(doc): move help tag E1182 * runtime(graphql): contribute vim-graphql to Vim core * 9.1.0954: popupmenu.c can be improved * 9.1.0953: filetype: APKBUILD files not correctly detected * 9.1.0952: Vim9: missing type checking for any type assignment * 9.1.0951: filetype: jshell files are not recognized * runtime(dockerfile): do not set commentstring in syntax script * 9.1.0950: filetype: fennelrc files are not recognized * runtime(netrw): do not double escape Vim special characters * git: ignore reformatting change of netrw plugin * runtime(netrw): more reformating #16248 * runtime(doc): Add a note about handling symbolic links in starting.txt * 9.1.0949: popups inconsistently shifted to the left * git: ignore reformatting change of netrw plugin * runtime(netrw): change indent size from 1 to 2 * 9.1.0948: Missing cmdline completion for :pbuffer * runtime(tutor): Reformat tutor1 * 9.1.0947: short-description * 9.1.0946: cross-compiling fails on osx-arm64 * 9.1.0945: ComplMatchIns highlight doesn't end after inserted text * translation(sv): re-include the change from #16240 * 9.1.0944: tests: test_registers fails when not run under X11 * 9.1.0943: Vim9: vim9compile.c can be further improved * runtime(doc): Update README and mention make check to verify * translation(sv): partly revert commit 98874dca6d0b60ccd6fc3a140b3ec * runtime(vim): update base-syntax after v9.1.0936 * 9.1.0942: a few typos were found * 9.1.0941: ComplMatchIns doesn't work after multibyte chars * runtime(doc): Fix style in fold.txt * translation(sv): Fix typo in Swedish translation * 9.1.0940: Wrong cursor shape with &quot;gq&quot; and 'indentexpr' executes :normal * runtime(doc): fix some small errors * 9.1.0939: make installtutor fails * 9.1.0938: exclusive selection not respected when re-selecting block mode * 9.1.0937: test_undolist() is flaky * 9.1.0936: cannot highlight completed text * 9.1.0935: SpotBugs compiler can be improved * 9.1.0934: hard to view an existing buffer in the preview window * runtime(doc): document how to minimize fold computation costs * 9.1.0933: Vim9: vim9compile.c can be further improved * 9.1.0932: new Italian tutor not installed * runtime(doc): fix a few minor errors from the last doc updates * translation(it): add Italian translation for the interactive tutor * runtime(doc): update the change.txt help file * runtime(help): Add Vim lang annotation support for codeblocks * 9.1.0931: ml_get error in terminal buffer * 9.1.0930: tests: test_terminal2 may hang in GUI mode * 9.1.0929: filetype: lalrpop files are not recognized * 9.1.0928: tests: test_popupwin fails because the filter command fails * editorconfig: set trim_trailing_whitespace = false for src/testdir/test*.vim * 9.1.0927: style issues in insexpand.c * 9.1.0926: filetype: Pixi lock files are not recognized * runtime(doc): Add a reference to |++opt| and |+cmd| at `:h :pedit` * runtime(doc): add a note about inclusive motions and exclusive selection * 9.1.0925: Vim9: expression compiled when not necessary * 9.1.0924: patch 9.1.0923 causes issues * 9.1.0923: too many strlen() calls in filepath.c * 9.1.0923: wrong MIN macro in popupmenu.c * 9.1.0921: popupmenu logic is a bit convoluted * 9.1.0920: Vim9: compile_assignment() too long * 9.1.0919: filetype: some assembler files are not recognized * runtime(netrw): do not pollute search history with symlinks * 9.1.0918: tiny Vim crashes with fuzzy buffer completion * 9.1.0917: various vartabstop and shiftround bugs when shifting lines * runtime(typst): add definition lists to formatlistpat, update maintainer * 9.1.0916: messages.c is exceeding 80 columns * runtime(proto): include filetype plugin for protobuf * 9.1.0915: GVim: default font size a bit too small * 9.1.0914: Vim9: compile_assignment() is too long * 9.1.0913: no error check for neg values for 'messagesopt' * runtime(netrw): only check first arg of netrw_browsex_viewer for being executable * 9.1.0912: xxd: integer overflow with sparse files and -autoskip * 9.1.0911: Variable name for 'messagesopt' doesn't match short name * 9.1.0910: 'messagesopt' does not check max wait time * runtime(doc): update wrong Vietnamese localization tag * 9.1.0909: Vim9: crash when calling instance method - update to 9.1.0908 * refresh vim-7.3-mktemp_tutor.patch * 9.1.0908: not possible to configure :messages * 9.1.0907: printoptions:portrait does not change postscript Orientation * runtime(doc): Add vietnamese.txt to helps main TOC * 9.1.0906: filetype: Nvidia PTX files are not recognized * runtime(doc): updated version9.txt with changes from v9.1.0905 * 9.1.0905: Missing information in CompleteDone event * 9.1.0904: Vim9: copy-paste error in class_defining_member() * 9.1.0903: potential overflow in spell_soundfold_wsal() * runtime(netrw): do not detach when launching external programs in gvim * runtime(doc): make tag alignment more consistent in filetype.txt * runtime(doc): fix wrong syntax and style of vietnamese.txt * translation(it): update Italian manpage for vimtutor * runtime(lua): add optional lua function folding * Filelist: include translations for Chapter 2 tutor * translation(vi): Update Vietnamese translation * runtime(doc): include vietnamese.txt * runtime(tutor): fix another typo in tutor2 * runtime(doc): fix typo in vimtutor manpage * translation(it): update Italian manpage for vimtutor * translation(it): include Italian version of tutor chapter 2 * runtime(tutor): regenerated some translated tutor1 files * runtime(tutor): fix typo in Chapter 2 * 9.1.0902: filetype: Conda configuration files are not recognized * runtime(doc): Tweak documentation style a bit * runtime(tutor): update the tutor files and re-number the chapters * runtime(tutor): Update the makefiles for tutor1 and tutor2 files * 9.1.0901: MS-Windows: vimtutor batch script can be improved * runtime(doc): remove buffer-local completeopt todo item * 9.1.0900: Vim9: digraph_getlist() does not accept bool arg * runtime(typst): provide a formatlistpat in ftplugin * runtime(doc): Update documentation for &quot;noselect&quot; in 'completeopt' * 9.1.0899: default for 'backspace' can be set in C code * runtime(helptoc): reload cached g:helptoc.shell_prompt when starting toc * translation(ru): Updated messages translation * 9.1.0898: runtime(compiler): pytest compiler not included * 9.1.0897: filetype: pyrex files are not detected * runtime(compiler): update eslint compiler * 9.1.0896: completion list wrong after v9.1.0891 * runtime(doc): document changed default value for 'history' * 9.1.0895: default history value is too small * 9.1.0894: No test for what the spotbug compiler parses * 9.1.0893: No test that undofile format does not regress * translation(de): update German manpages * runtime(compiler): include spotbugs Java linter * 9.1.0892: the max value of 'tabheight' is limited by other tabpages * runtime(po): remove poDiffOld/New, add po-format flags to syntax file * 9.1.0891: building the completion list array is inefficient * patch 9.1.0890: %! item not allowed for 'rulerformat' * runtime(gzip): load undofile if there exists one * 9.1.0889: Possible unnecessary redraw after adding/deleting lines * 9.1.0888: leftcol property not available in getwininfo() * 9.1.0887: Wrong expression in sign.c * 9.1.0886: filetype: debian control file not detected * runtime(c3): include c3 filetype plugin * 9.1.0885: style of sign.c can be improved * 9.1.0884: gcc warns about uninitialized variable * runtime(apache): Update syntax directives for apache server 2.4.62 * translation(ru): updated vimtutor translation, update MAINTAINERS file * 9.1.0883: message history cleanup is missing some tests * runtime(doc): Expand docs on :! vs. :term * runtime(netrw): Fixing powershell execution issues on Windows * 9.1.0882: too many strlen() calls in insexpand.c * 9.1.0881: GUI: message dialog may not get focus * runtime(netrw): update netrw's decompress logic * runtime(apache): Update syntax keyword definition * runtime(misc): add Italian LICENSE and (top-level) README file * 9.1.0880: filetype: C3 files are not recognized * runtime(doc): add helptag for :HelpToc command * 9.1.0879: source is not consistently formatted * Add clang-format config file * runtime(compiler): fix escaping of arguments passed to :CompilerSet * 9.1.0878: termdebug: cannot enable DEBUG mode * 9.1.0877: tests: missing test for termdebug + decimal signs * 9.1.0876: filetype: openCL files are not recognized * 9.1.0875: filetype: hyprlang detection can be improved * 9.1.0874: filetype: karel files are not detected * 9.1.0873: filetype: Vivado files are not recognized * 9.1.0872: No test for W23 message * 9.1.0871: getcellpixels() can be further improved * 9.1.0870: too many strlen() calls in eval.c * 9.1.0869: Problem: curswant not set on gm in folded line * 9.1.0868: the warning about missing clipboard can be improved * runtime(doc): Makefile does not clean up all temporary files * 9.1.0867: ins_compl_add() has too many args * editorconfig: don't trim trailing whitespaces in runtime/doc * translation(am): Remove duplicate keys in desktop files * runtime(doc): update helptags * runtime(filetype): remove duplicated *.org file pattern * runtime(cfg): only consider leading // as starting a comment * 9.1.0866: filetype: LLVM IR files are not recognized * 9.1.0865: filetype: org files are not recognized * 9.1.0864: message history is fixed to 200 * 9.1.0863: getcellpixels() can be further improved * runtime(sh): better function support for bash/zsh in indent script * runtime(netrw): small fixes to netrw#BrowseX * 9.1.0862: 'wildmenu' not enabled by default in nocp mode * runtime(doc): update how to report issues for mac Vim * runtime(doc): mention option-backslash at :h CompilerSet * runtime(compiler): include a Java Maven compiler plugin * runtime(racket): update Racket runtime files * runtime(doc): improve indentation in examples for netrw-handler * runtime(doc): improve examples for netrw-handler functions * runtime(idris2): include filetype,indent+syntax plugins for (L)Idris2 + ipkg * runtime(doc): clarify the use of filters and external commands * 9.1.0861: Vim9: no runtime check for object member access of any var * runtime(compiler): update pylint linter * 9.1.0860: tests: mouse_shape tests use hard code sleep value * 9.1.0859: several problems with the GLVS plugin * 9.1.0858: Coverity complains about dead code * runtime(tar): Update tar.vim to support permissions * 9.1.0857: xxd: --- is incorrectly recognized as end-of-options * 9.1.0851: too many strlen() calls in getchar.c * 9.1.0850: Vim9: cannot access nested object inside objects * runtime(tex): extra Number highlighting causes issues * runtime(vim): Fix indent after :silent! function * 9.1.0849: there are a few typos in the source * runtime(netrw): directory symlink not resolved in tree view * runtime(doc): add a table of supported Operating Systems * runtime(tex): update Last Change header in syntax script * runtime(doc): fix typo in g:termdebug_config * runtime(vim): Update base-syntax, improve :normal highlighting * runtime(tex): add Number highlighting to syntax file * runtime(doc): Tweak documentation style a bit * 9.1.0848: if_lua: v:false/v:true are not evaluated to boolean * runtime(dune): use :setl instead of :set in ftplugin * runtime(termdebug): allow to use decimal signs * translation(it): Updated Italian vimtutor * runtime(compiler): improve cppcheck * git: git-blame-ignore-revs shown as an error on Github * 9.1.0847: tests: test_popupwin fails because of updated help file * 9.1.0846: debug symbols for xxd are not cleaned in Makefile * runtime(structurizr): Update structurizr syntax * runtime(8th): updated 8th syntax * runtime(doc): Add pi_tutor.txt to help TOC * runtime(compiler): add mypy and ruff compiler; update pylint linter * runtime(netrw): fix several bugs in netrw tree listing * runtime(netrw): prevent polluting the search history * 9.1.0845: vimtutor shell script can be improved * 9.1.0844: if_python: no way to pass local vars to python * 9.1.0843: too many strlen() calls in undo.c * runtime(doc): update default value for fillchars option * runtime(compiler): fix typo in cppcheck compiler plugin * runtime(doc): simplify vimtutor manpage a bit more * runtime(matchparen): Add matchparen_disable_cursor_hl config option * 9.1.0842: not checking for the sync() systemcall * 9.1.0841: tests: still preferring python2 over python3 * 9.1.0840: filetype: idris2 files are not recognized * 9.1.0839: filetype: leo files are not recognized * runtime(cook): include cook filetype plugin * runtime(debversions): Update Debian versions * patch 9.1.0838: vimtutor is bash-specific * runtime(doc): add help specific modeline to pi_tutor.txt * Filelist: vimtutor chapter 2 is missing in Filelist * 9.1.0837: cross-compiling has some issues * runtime(vimtutor): Add a second chapter Package xen was updated: - bsc#1219354 - xen channels and domU console 67c86fc1-xl-fix-channel-configuration-setting.patch - bsc#1237692 - When attempting to start guest vm's libxl fills disk with errors 67d2a3fe-libxl-avoid-infinite-loop-in-libxl__remove_directory.patch - Upstream bug fixes (bsc#1027519) 67b4961e-console-dont-truncate-panic-messages.patch 67b49d86-memory-resource_max_frames-retval.patch 67b5d27c-SVM-separate-STI-from-VMRUN.patch 67cb03e0-x86-vlapic-ESR-write-handling.patch 67d17edd-x86-expose-MSR_FAM10H_MMIO_CONF_BASE-on-AMD.patch 67d17ede-VT-x-PI-usage-of-msi_desc-msg-field.patch - bsc#1238043 - VUL-0: CVE-2025-1713: xen: deadlock potential with VT-d and legacy PCI device pass-through (XSA-467) 67c06178-x86-IOMMU-bus-to-bridge-lock-acquired-IRQ-safe.patch - Xen call trace and APIC Error found after reboot operation on AMD machine (bsc#1233796) 67acb684-x86-offline-APs-with-IRQs-disabled.patch 67acb685-x86-SMP-disable-IRQs-ahead-of-AP-shutdown.patch 67acb686-x86-PCI-disable-MSI-at-shutdown.patch 67acb687-x86-IOMMU-disable-IRQs-at-shutdown.patch - Upstream bug fixes (bsc#1027519) 66dedebf-x86-HVM-recursion-in-linear-rw.patch 677bcb65-x86-traps-rework-LER-init-and.patch 677c1a7c-x86-AMD-misc-setup-for-Fam1A.patch 67921698-x86-HVM-MMIO-emul-cache-bounds-check.patch 67935a31-x86-HVM-dyn-alloc-emul-cache-ents.patch 67935a4c-x86-HVM-rw-split-at-page.patch 67977673-x86-IOMMU-check-CMPXCHG16B-when-enabling.patch 67977677-AMD-IOMMU-atomically-update-IRTE.patch 679796ff-x86-PV-further-harden-guest-mem-access.patch 67a5cb5f-radix-tree-purge-node-alloc-hooks.patch 67a5cb94-radix-tree-introduce-RADIX_TREE_INIT.patch Package yast2-network was updated: - Added a warn about a possible problem with the configured bond ports configuration using a MAC based renaming schema allowing the user to change all of them to use the BusID. (bsc#1233653) - 4.6.11 Package zypper was updated: - Annonunce --root in commands not launching a Target (bsc#1237044) - BuildRequires: libzypp-devel &gt;= 17.36.3. - version 1.14.85 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp6-byos-v20250408-x86-64/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 apparmor-parser-3.1.7-150600.5.3.2 branding-SLE-15-150600.45.3.2 ca-certificates-mozilla-2.74-150200.38.1 crash-8.0.4-150600.4.3.2 crypto-policies-20230920.570ea89-150600.3.9.2 docker-27.5.1_ce-150000.218.1 dracut-059+suse.557.gccd6ab94-150600.3.20.2 gettext-runtime-0.21.1-150600.3.3.2 google-guest-agent-20250327.01-150000.1.60.1 google-guest-oslogin-20240311.00-150000.1.48.1 google-osconfig-agent-20250115.01-150000.1.47.1 grub2-2.12-150600.8.21.2 grub2-i386-pc-2.12-150600.8.21.2 grub2-x86_64-efi-2.12-150600.8.21.2 hwinfo-21.87-150500.3.6.1 kdump-2.0.6+git25.g1dbf786-150600.3.14.1 kernel-default-6.4.0-150600.23.42.2 libX11-6-1.8.7-150600.3.3.1 libX11-data-1.8.7-150600.3.3.1 libapparmor1-3.1.7-150600.5.3.2 libfreetype6-2.10.4-150000.4.18.1 libgcrypt20-1.10.3-150600.3.3.1 libgnutls30-3.8.3-150600.4.6.2 liblzma5-5.4.1-150600.3.3.1 libnfsidmap1-1.0-150600.28.9.2 libprocps8-3.3.17-150000.7.42.1 libpython3_6m1_0-3.6.15-150300.10.84.1 libruby2_5-2_5-2.5.9-150000.4.36.1 libsystemd0-254.24-150600.4.28.1 libtextstyle0-0.21.1-150600.3.3.2 libudev1-254.24-150600.4.28.1 libxml2-2-2.10.3-150500.5.23.1 libxslt1-1.1.34-150400.3.6.1 libzypp-17.36.3-150600.3.50.1 mozilla-nss-certs-3.101.2-150400.3.54.1 nfs-client-2.6.4-150600.28.9.2 nfs-kernel-server-2.6.4-150600.28.9.2 openssh-9.6p1-150600.6.18.4 openssh-clients-9.6p1-150600.6.18.4 openssh-common-9.6p1-150600.6.18.4 openssh-server-9.6p1-150600.6.18.4 pkg-config-0.29.2-150600.15.3.1 procps-3.3.17-150000.7.42.1 python-instance-billing-flavor-check-1.0.0-150000.1.20.1 python3-3.6.15-150300.10.84.1 python3-Jinja2-2.10.1-150000.3.21.1 python3-M2Crypto-0.44.0-150600.19.3.1 python3-base-3.6.15-150300.10.84.1 python3-curses-3.6.15-150300.10.84.1 python3-zypp-plugin-0.6.5-150600.18.5.1 ruby2.5-2.5.9-150000.4.36.1 ruby2.5-stdlib-2.5.9-150000.4.36.1 samba-client-libs-4.19.8+git.404.38b26805d4-150600.3.12.2 suse-build-key-12.0-150000.8.58.1 systemd-254.24-150600.4.28.1 systemd-sysvcompat-254.24-150600.4.28.1 timezone-2025a-150600.91.3.1 udev-254.24-150600.4.28.1 vim-9.1.1176-150500.20.24.2 vim-data-common-9.1.1176-150500.20.24.2 xen-libs-4.18.4_06-150600.3.20.1 xz-5.4.1-150600.3.3.1 yast2-network-4.6.11-150600.3.6.1 zypper-1.14.85-150600.10.28.1 apparmor-parser-3.1.7-150600.5.3.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 branding-SLE-15-150600.45.3.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 ca-certificates-mozilla-2.74-150200.38.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 crash-8.0.4-150600.4.3.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 crypto-policies-20230920.570ea89-150600.3.9.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 docker-27.5.1_ce-150000.218.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 dracut-059+suse.557.gccd6ab94-150600.3.20.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 gettext-runtime-0.21.1-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 google-guest-agent-20250327.01-150000.1.60.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 google-guest-oslogin-20240311.00-150000.1.48.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 google-osconfig-agent-20250115.01-150000.1.47.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 grub2-2.12-150600.8.21.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 grub2-i386-pc-2.12-150600.8.21.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 grub2-x86_64-efi-2.12-150600.8.21.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 hwinfo-21.87-150500.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 kdump-2.0.6+git25.g1dbf786-150600.3.14.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 kernel-default-6.4.0-150600.23.42.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libX11-6-1.8.7-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libX11-data-1.8.7-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libapparmor1-3.1.7-150600.5.3.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libfreetype6-2.10.4-150000.4.18.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libgcrypt20-1.10.3-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libgnutls30-3.8.3-150600.4.6.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 liblzma5-5.4.1-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libnfsidmap1-1.0-150600.28.9.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libprocps8-3.3.17-150000.7.42.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libpython3_6m1_0-3.6.15-150300.10.84.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libruby2_5-2_5-2.5.9-150000.4.36.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libsystemd0-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libtextstyle0-0.21.1-150600.3.3.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libudev1-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libxml2-2-2.10.3-150500.5.23.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libxslt1-1.1.34-150400.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 libzypp-17.36.3-150600.3.50.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 mozilla-nss-certs-3.101.2-150400.3.54.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 nfs-client-2.6.4-150600.28.9.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 nfs-kernel-server-2.6.4-150600.28.9.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 openssh-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 openssh-clients-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 openssh-common-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 openssh-server-9.6p1-150600.6.18.4 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 pkg-config-0.29.2-150600.15.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 procps-3.3.17-150000.7.42.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 python-instance-billing-flavor-check-1.0.0-150000.1.20.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 python3-3.6.15-150300.10.84.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 python3-Jinja2-2.10.1-150000.3.21.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 python3-M2Crypto-0.44.0-150600.19.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 python3-base-3.6.15-150300.10.84.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 python3-curses-3.6.15-150300.10.84.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 python3-zypp-plugin-0.6.5-150600.18.5.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 ruby2.5-2.5.9-150000.4.36.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 ruby2.5-stdlib-2.5.9-150000.4.36.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 samba-client-libs-4.19.8+git.404.38b26805d4-150600.3.12.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 suse-build-key-12.0-150000.8.58.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 systemd-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 systemd-sysvcompat-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 timezone-2025a-150600.91.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 udev-254.24-150600.4.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 vim-9.1.1176-150500.20.24.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 vim-data-common-9.1.1176-150500.20.24.2 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 xen-libs-4.18.4_06-150600.3.20.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 xz-5.4.1-150600.3.3.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 yast2-network-4.6.11-150600.3.6.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 zypper-1.14.85-150600.10.28.1 as a component of Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64 Under some circumstances, this weakness allows a user who has access to run the "ps" utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap. CVE-2023-4016 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libprocps8-3.3.17-150000.7.42.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:procps-3.3.17-150000.7.42.1 low The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. Processing web content may disclose sensitive information. CVE-2023-40403 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libxslt1-1.1.34-150400.3.6.1 moderate In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't skip expired elements during walk There is an asymmetry between commit/abort and preparation phase if the following conditions are met: 1. set is a verdict map ("1.2.3.4 : jump foo") 2. timeouts are enabled In this case, following sequence is problematic: 1. element E in set S refers to chain C 2. userspace requests removal of set S 3. kernel does a set walk to decrement chain->use count for all elements from preparation phase 4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase) If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed. Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure. Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors. CVE-2023-52924 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't fail inserts if duplicate has expired nftables selftests fail: run-tests.sh testcases/sets/0044interval_overlap_0 Expected: 0-2 . 0-3, got: W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1 Insertion must ignore duplicate but expired entries. Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this. I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping exired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback. In first two cases expired elements must be skipped. For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error. CVE-2023-52925 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. CVE-2024-11168 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:python3-3.6.15-150300.10.84.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:python3-curses-3.6.15-150300.10.84.1 low A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. CVE-2024-12243 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libgnutls30-3.8.3-150600.4.6.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the subflow_state_change callback is invoked. Address the issue additionally copying with all the states directly reachable from TCP_FIN_WAIT1. CVE-2024-26708 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Lock external INTx masking ops Mask operations through config space changes to DisINTx may race INTx configuration changes via ioctl. Create wrappers that add locking for paths outside of the core interrupt code. In particular, irq_type is updated holding igate, therefore testing is_intx() requires holding igate. For example clearing DisINTx from config space can otherwise race changes of the interrupt configuration. This aligns interfaces which may trigger the INTx eventfd into two camps, one side serialized by igate and the other only enabled while INTx is configured. A subsequent patch introduces synchronization for the latter flows. CVE-2024-26810 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: drop_monitor: replace spin_lock by raw_spin_lock trace_drop_common() is called with preemption disabled, and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 5 locks held by rcuc/47/449: #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290 irq event stamp: 139909 hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80 hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290 softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170 softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0 Preemption disabled at: [<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0 CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7 Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 __might_resched+0x21e/0x2f0 rt_spin_lock+0x5e/0x130 ? trace_drop_common.constprop.0+0xb5/0x290 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_drop_common.constprop.0+0xb5/0x290 ? preempt_count_sub+0x1c/0xd0 ? _raw_spin_unlock_irqrestore+0x4a/0x80 ? __pfx_trace_drop_common.constprop.0+0x10/0x10 ? rt_mutex_slowunlock+0x26a/0x2e0 ? skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_rt_mutex_slowunlock+0x10/0x10 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_kfree_skb_hit+0x15/0x20 trace_kfree_skb+0xe9/0x150 kfree_skb_reason+0x7b/0x110 skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10 ? mark_lock.part.0+0x8a/0x520 ... trace_drop_common() also disables interrupts, but this is a minor issue because we could easily replace it with a local_lock. Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic context. CVE-2024-40980 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mm: prevent derefencing NULL ptr in pfn_section_valid() Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage") changed pfn_section_valid() to add a READ_ONCE() call around "ms->usage" to fix a race with section_deactivate() where ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough to prevent NULL pointer dereference. We need to check its value before dereferencing it. CVE-2024-41055 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689. CVE-2024-43790 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-9.1.1176-150500.20.24.2 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-data-common-9.1.1176-150500.20.24.2 moderate Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2024-43802 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-9.1.1176-150500.20.24.2 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-data-common-9.1.1176-150500.20.24.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. CVE-2024-44974 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only decrement add_addr_accepted for MPJ req Adding the following warning ... WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) ... before decrementing the add_addr_accepted counter helped to find a bug when running the "remove single subflow" subtest from the mptcp_join.sh selftest. Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the subflow closure. Before this patch, and upon the reception of the RM_ADDR, the other peer will then try to decrement this add_addr_accepted. That's not correct because the attached subflows have not been created upon the reception of an ADD_ADDR. A way to solve that is to decrement the counter only if the attached subflow was an MP_JOIN to a remote id that was not 0, and initiated by the host receiving the RM_ADDR. CVE-2024-45009 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark 'subflow' endp as available Adding the following warning ... WARN_ON_ONCE(msk->pm.local_addr_used == 0) ... before decrementing the local_addr_used counter helped to find a bug when running the "remove single address" subtest from the mptcp_join.sh selftests. Removing a 'signal' endpoint will trigger the removal of all subflows linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used counter, which is wrong in this case because this counter is linked to 'subflow' endpoints, and here it is a 'signal' endpoint that is being removed. Now, the counter is decremented, only if the ID is being used outside of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and if the ID is not 0 -- local_addr_used is not taking into account these ones. This marking of the ID as being available, and the decrement is done no matter if a subflow using this ID is currently available, because the subflow could have been closed before. CVE-2024-45010 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at the specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade. CVE-2024-45306 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-9.1.1176-150500.20.24.2 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-data-common-9.1.1176-150500.20.24.2 moderate Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. CVE-2024-45337 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:google-guest-agent-20250327.01-150000.1.60.1 important An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." CVE-2024-47220 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libruby2_5-2_5-2.5.9-150000.4.36.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:ruby2.5-2.5.9-150000.4.36.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:ruby2.5-stdlib-2.5.9-150000.4.36.1 important In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 </TASK> Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem. CVE-2024-47701 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability. CVE-2024-49761 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libruby2_5-2_5-2.5.9-150000.4.36.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:ruby2.5-2.5.9-150000.4.36.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:ruby2.5-stdlib-2.5.9-150000.4.36.1 moderate In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates. CVE-2024-49884 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2cap_connect [Syzbot reported] BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci2 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline] l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 ... Freed by task 5245: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x12a/0x3b0 mm/slub.c:4598 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline] kref_put include/linux/kref.h:65 [inline] l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline] l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CVE-2024-49950 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace: BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37 CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? hci_enhanced_setup_sync+0x91b/0xa60 print_report+0x152/0x4c0 ? hci_enhanced_setup_sync+0x91b/0xa60 ? __virt_addr_valid+0x1fa/0x420 ? hci_enhanced_setup_sync+0x91b/0xa60 kasan_report+0xda/0x1b0 ? hci_enhanced_setup_sync+0x91b/0xa60 hci_enhanced_setup_sync+0x91b/0xa60 ? __pfx_hci_enhanced_setup_sync+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x167/0x240 worker_thread+0x5b7/0xf60 ? __kthread_parkme+0xac/0x1c0 ? __pfx_worker_thread+0x10/0x10 ? __pfx_worker_thread+0x10/0x10 kthread+0x293/0x360 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 34: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __hci_conn_add+0x187/0x17d0 hci_connect_sco+0x2e1/0xb90 sco_sock_connect+0x2a2/0xb80 __sys_connect+0x227/0x2a0 __x64_sys_connect+0x6d/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 37: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x101/0x160 kfree+0xd0/0x250 device_release+0x9a/0x210 kobject_put+0x151/0x280 hci_conn_del+0x448/0xbf0 hci_abort_conn_sync+0x46f/0x980 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 worker_thread+0x5b7/0xf60 kthread+0x293/0x360 ret_from_fork+0x2f/0x70 ret_from_fork_asm+0x1a/0x30 CVE-2024-50029 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels. CVE-2024-50036 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock. CVE-2024-50073 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated--- CVE-2024-50085 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken. CVE-2024-50115 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: xfrm: validate new SA's prefixlen using SA family when sel.family is unset This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.") syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on. CVE-2024-50142 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: handle consistently DSS corruption Bugged peer implementation can send corrupted DSS options, consistently hitting a few warning in the data path. Use DEBUG_NET assertions, to avoid the splat on some builds and handle consistently the error, dumping related MIBs and performing fallback and/or reset according to the subflow type. CVE-2024-50185 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing locking causing hanging calls If a call gets aborted (e.g. because kafs saw a signal) between it being queued for connection and the I/O thread picking up the call, the abort will be prioritised over the connection and it will be removed from local->new_client_calls by rxrpc_disconnect_client_call() without a lock being held. This may cause other calls on the list to disappear if a race occurs. Fix this by taking the client_call_lock when removing a call from whatever list its ->wait_link happens to be on. CVE-2024-50294 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: error out earlier on disconnect Eric reported a division by zero splat in the MPTCP protocol: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted 6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163 Code: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8 0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 <f7> 7c 24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89 RSP: 0018:ffffc900041f7930 EFLAGS: 00010293 RAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b RDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004 RBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67 R10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80 R13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000 FS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493 mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline] mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289 inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885 sock_recvmsg_nosec net/socket.c:1051 [inline] sock_recvmsg+0x1b2/0x250 net/socket.c:1073 __sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265 __do_sys_recvfrom net/socket.c:2283 [inline] __se_sys_recvfrom net/socket.c:2279 [inline] __x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7feb5d857559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559 RDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000 R10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c R13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef and provided a nice reproducer. The root cause is the current bad handling of racing disconnect. After the blamed commit below, sk_wait_data() can return (with error) with the underlying socket disconnected and a zero rcv_mss. Catch the error and return without performing any additional operations on the current socket. CVE-2024-53123 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty. CVE-2024-53147 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix is to ensure that if the RPC call is aborted before the call to nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid() in nfs4_open_release() before the rpc_task is freed. CVE-2024-53173 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: smb: During unmount, ensure all cached dir instances drop their dentry The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs: BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------ kernel BUG at fs/super.c:661! This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including: - Receiving a lease break from the server - Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list - The laundromat thread decides to expire an old cfid. To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal. The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations. Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing. While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry. CVE-2024-53176 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument. The driver needs to check whether it is a NULL pointer before dereferencing it. CVE-2024-53226 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: Release resources at card release The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()). For avoid potential UAFs, move the release of resources to the card's private_free instead of the manual call of usb6fire_chip_destroy() at the USB disconnect callback. CVE-2024-53239 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. CVE-2024-55549 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libxslt1-1.1.34-150400.3.6.1 important libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. CVE-2024-56171 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libxml2-2-2.10.3-150500.5.23.1 important In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Replace one-element array with a flexible-array member in `struct mwifiex_ie_types_wildcard_ssid_params` to fix the following warning on a MT8173 Chromebook (mt8173-elm-hana): [ 356.775250] ------------[ cut here ]------------ [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1) [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex] The "(size 6)" above is exactly the length of the SSID of the network this device was connected to. The source of the warning looks like: ssid_len = user_scan_in->ssid_list[i].ssid_len; [...] memcpy(wildcard_ssid_tlv->ssid, user_scan_in->ssid_list[i].ssid, ssid_len); There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this struct, but it already didn't account for the size of the one-element array, so it doesn't need to be changed. CVE-2024-56539 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't query the device logical block size multiple times Devices block sizes may change. One of these cases is a loop device by using ioctl LOOP_SET_BLOCK_SIZE. While this may cause other issues like IO being rejected, in the case of hfsplus, it will allocate a block by using that size and potentially write out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the latter function reads a different io_size. Using a new min_io_size initally set to sb_min_blocksize works for the purposes of the original fix, since it will be set to the max between HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not initialized. Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024 and 4096. The produced KASAN report before the fix looks like this: [ 419.944641] ================================================================== [ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a [ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678 [ 419.947612] [ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84 [ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 419.950035] Call Trace: [ 419.950384] <TASK> [ 419.950676] dump_stack_lvl+0x57/0x78 [ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.951830] print_report+0x14c/0x49e [ 419.952361] ? __virt_addr_valid+0x267/0x278 [ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d [ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.954231] kasan_report+0x89/0xb0 [ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.955367] hfsplus_read_wrapper+0x659/0xa0a [ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10 [ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9 [ 419.957214] ? _raw_spin_unlock+0x1a/0x2e [ 419.957772] hfsplus_fill_super+0x348/0x1590 [ 419.958355] ? hlock_class+0x4c/0x109 [ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.959499] ? __pfx_string+0x10/0x10 [ 419.960006] ? lock_acquire+0x3e2/0x454 [ 419.960532] ? bdev_name.constprop.0+0xce/0x243 [ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10 [ 419.961799] ? pointer+0x3f0/0x62f [ 419.962277] ? __pfx_pointer+0x10/0x10 [ 419.962761] ? vsnprintf+0x6c4/0xfba [ 419.963178] ? __pfx_vsnprintf+0x10/0x10 [ 419.963621] ? setup_bdev_super+0x376/0x3b3 [ 419.964029] ? snprintf+0x9d/0xd2 [ 419.964344] ? __pfx_snprintf+0x10/0x10 [ 419.964675] ? lock_acquired+0x45c/0x5e9 [ 419.965016] ? set_blocksize+0x139/0x1c1 [ 419.965381] ? sb_set_blocksize+0x6d/0xae [ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.966179] mount_bdev+0x12f/0x1bf [ 419.966512] ? __pfx_mount_bdev+0x10/0x10 [ 419.966886] ? vfs_parse_fs_string+0xce/0x111 [ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10 [ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10 [ 419.968073] legacy_get_tree+0x104/0x178 [ 419.968414] vfs_get_tree+0x86/0x296 [ 419.968751] path_mount+0xba3/0xd0b [ 419.969157] ? __pfx_path_mount+0x10/0x10 [ 419.969594] ? kmem_cache_free+0x1e2/0x260 [ 419.970311] do_mount+0x99/0xe0 [ 419.970630] ? __pfx_do_mount+0x10/0x10 [ 419.971008] __do_sys_mount+0x199/0x1c9 [ 419.971397] do_syscall_64+0xd0/0x135 [ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 419.972233] RIP: 0033:0x7c3cb812972e [ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48 [ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e [ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: ---truncated--- CVE-2024-56548 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Defer probe of clients after smmu device bound Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called. Following is how the race occurs: T1:Smmu device probe T2: Client device probe really_probe() arm_smmu_device_probe() iommu_device_register() really_probe() platform_dma_configure() of_dma_configure() of_dma_configure_id() of_iommu_configure() iommu_probe_device() iommu_init_device() arm_smmu_probe_device() arm_smmu_get_by_fwnode() driver_find_device_by_fwnode() driver_find_device() next_device() klist_next() /* null ptr assigned to smmu */ /* null ptr dereference while smmu->streamid_mask */ driver_bound() klist_add_tail() When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes. Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver. [will: Add comment] CVE-2024-56568 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: media: amphion: Set video drvdata before register video device The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and led to oops. CVE-2024-56579 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code. CVE-2024-56605 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. Potential problems with this strategy are as follows: - If the actual sent bytes are smaller than tosend, we need to charge some bytes back, as in line 487, which is okay but seems not clean. - When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may miss uncharging (msg->sg.size - apply_bytes) bytes. [...] 415 tosend = msg->sg.size; 416 if (psock->apply_bytes && psock->apply_bytes < tosend) 417 tosend = psock->apply_bytes; [...] 443 sk_msg_return(sk, msg, tosend); 444 release_sock(sk); 446 origsize = msg->sg.size; 447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, 448 msg, tosend, flags); 449 sent = origsize - msg->sg.size; [...] 454 lock_sock(sk); 455 if (unlikely(ret < 0)) { 456 int free = sk_msg_free_nocharge(sk, msg); 458 if (!cork) 459 *copied -= free; 460 } [...] 487 if (eval == __SK_REDIRECT) 488 sk_mem_charge(sk, tosend - sent); [...] When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, the following warning will be reported: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 Modules linked in: CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events sk_psock_destroy RIP: 0010:inet_sock_destruct+0x190/0x1a0 RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x89/0x130 ? inet_sock_destruct+0x190/0x1a0 ? report_bug+0xfc/0x1e0 ? handle_bug+0x5c/0xa0 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x190/0x1a0 __sk_destruct+0x25/0x220 sk_psock_destroy+0x2b2/0x310 process_scheduled_works+0xa3/0x3e0 worker_thread+0x117/0x240 ? __pfx_worker_thread+0x10/0x10 kthread+0xcf/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- In __SK_REDIRECT, a more concise way is delaying the uncharging after sent bytes are finalized, and uncharge this value. When (ret < 0), we shall invoke sk_msg_free. Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same warning will be reported in selftest. [...] 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); 473 return -EACCES; [...] So instead of sk_msg_free_partial we can do sk_msg_free here. CVE-2024-56633 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: net: Fix icmp host relookup triggering ip_rt_bug arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is: WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ip_rt_bug+0x14/0x20 Call Trace: <IRQ> ip_send_skb+0x14/0x40 __icmp_send+0x42d/0x6a0 ipv4_link_failure+0xe2/0x1d0 arp_error_report+0x3c/0x50 neigh_invalidate+0x8d/0x100 neigh_timer_handler+0x2e1/0x330 call_timer_fn+0x21/0x120 __run_timer_base.part.0+0x1c9/0x270 run_timer_softirq+0x4c/0x80 handle_softirqs+0xac/0x280 irq_exit_rcu+0x62/0x80 sysvec_apic_timer_interrupt+0x77/0x90 The script below reproduces this scenario: ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \ dir out priority 0 ptype main flag localok icmp ip l a veth1 type veth ip a a 192.168.141.111/24 dev veth0 ip l s veth0 up ping 192.168.141.155 -c 1 icmp_route_lookup() create input routes for locally generated packets while xfrm relookup ICMP traffic.Then it will set input route (dst->out = ip_rt_bug) to skb for DESTUNREACH. For ICMP err triggered by locally generated packets, dst->dev of output route is loopback. Generally, xfrm relookup verification is not required on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1). Skip icmp relookup for locally generated packets to fix it. CVE-2024-56647 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Several fixes to bpf_msg_pop_data Several fixes to bpf_msg_pop_data, 1. In sk_msg_shift_left, we should put_page 2. if (len == 0), return early is better 3. pop the entire sk_msg (last == msg->sg.size) should be supported 4. Fix for the value of variable "a" 5. In sk_msg_shift_left, after shifting, i has already pointed to the next element. Addtional sk_msg_iter_var_next may result in BUG. CVE-2024-56720 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above. CVE-2024-57889 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mac802154: check local interfaces before deleting sdata list syzkaller reported a corrupted list in ieee802154_if_remove. [1] Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system. CPU0 CPU1 ==== ==== genl_family_rcv_msg_doit ieee802154_unregister_hw ieee802154_del_iface ieee802154_remove_interfaces rdev_del_virtual_intf_deprecated list_del(&sdata->list) ieee802154_if_remove list_del_rcu The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove. To avoid this issue, add a check for local->interfaces before deleting sdata list. [1] kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_rcu include/linux/rculist.h:157 [inline] ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:744 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 ___sys_sendmsg net/socket.c:2661 [inline] __sys_sendmsg+0x292/0x380 net/socket.c:2690 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-57948 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page() to increase test coverage. syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple() [1] As current users of ptr_ring_resize_multiple() do not require hard irqs being masked, replace it to only block BH. Rename helpers to better reflect they are safe against BH only. - ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh() - skb_array_resize_multiple() to skb_array_resize_multiple_bh() [1] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Modules linked in: CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline] RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85 RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083 RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843 RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040 R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff FS: 00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tun_ptr_free drivers/net/tun.c:617 [inline] __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline] ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline] tun_queue_resize drivers/net/tun.c:3694 [inline] tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2032 [inline] call_netdevice_notifiers net/core/dev.c:2046 [inline] dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024 do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923 rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550 CVE-2024-57994 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component. CVE-2025-1215 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-9.1.1176-150500.20.24.2 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-data-common-9.1.1176-150500.20.24.2 low When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. CVE-2025-1713 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:xen-libs-4.18.4_06-150600.3.20.1 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is used. CVE-2025-21636 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: udp_port: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. CVE-2025-21637 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: auth_enable: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. CVE-2025-21638 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: rto_min/max: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used. CVE-2025-21639 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is used. CVE-2025-21640 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error). As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the ost load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour. CVE-2025-21647 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. CVE-2025-21665 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem. CVE-2025-21667 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: add missing loop break condition Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs. pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x90 sp : ffffffc084f8bbf0 x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000 x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028 x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0 x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72 x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000 x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8 x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077 x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: dev_pm_domain_detach+0x8/0x48 platform_shutdown+0x2c/0x48 device_shutdown+0x158/0x268 kernel_restart_prepare+0x40/0x58 kernel_kexec+0x58/0xe8 __do_sys_reboot+0x198/0x258 __arm64_sys_reboot+0x2c/0x40 invoke_syscall+0x5c/0x138 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f CVE-2025-21668 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK> CVE-2025-21673 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. [ fp: allow to fill the array completely; minor changelog cleanup ] CVE-2025-21680 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever. But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK. One example of such device is a net/dummy. It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath. There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments. And when the issue is hit, the only way to recover is to reboot. Fix that by also checking if the device is running. The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway. While only checking the running state might be enough, the carrier check is preserved. The running and the carrier states seem disjoined throughout the code and different drivers. And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet. So, it seems safer to check both flags in OVS as well. CVE-2025-21681 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context ] [ 5.357361] 6.13.0-rc5+ #69 Tainted: G W [ 5.363031] ----------------------------- [ 5.367045] kworker/u17:1/44 is trying to lock: [ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.380079] other info that might help us debug this: [ 5.385138] context-{5:5} [ 5.387762] 5 locks held by kworker/u17:1/44: [ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [ 5.436472] stack backtrace: [ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 [ 5.448690] Tainted: [W]=WARN [ 5.451656] Hardware name: xlnx,zynqmp (DT) [ 5.455845] Workqueue: events_unbound deferred_probe_work_func [ 5.461699] Call trace: [ 5.464147] show_stack+0x18/0x24 C [ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) [ 5.471501] dump_stack (lib/dump_stack.c:130) [ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) [ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [ 5.497645] irq_startup (kernel/irq/chip.c:270) [ 5.501143] __setup_irq (kernel/irq/manage.c:1807) [ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208) CVE-2025-21684 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device. CVE-2025-21687 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Assign job pointer to NULL before signaling the fence In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer. This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash. [ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 466.318928] Mem abort info: [ 466.321723] ESR = 0x0000000096000005 [ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits [ 466.330807] SET = 0, FnV = 0 [ 466.333864] EA = 0, S1PTW = 0 [ 466.337010] FSC = 0x05: level 1 translation fault [ 466.341900] Data abort info: [ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000 [ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6 [ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18 [ 466.467336] Tainted: [C]=CRAP [ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d] [ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228 [ 466.492327] sp : ffffffc080003ea0 [ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000 [ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200 [ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000 [ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000 [ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000 [ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0 [ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70 [ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000 [ 466.567263] Call trace: [ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P) [ 466. ---truncated--- CVE-2025-21688 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following: if (newport > serial->num_ports) { dev_err(&port->dev, "%s - port change to invalid port: %i\n", __func__, newport); break; } The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is equal to serial->num_ports, the assignment of "port" in the following code is out-of-bounds and NULL: serial_priv->current_port = newport; port = serial->port[serial_priv->current_port]; The fix checks if newport is greater than or equal to serial->num_ports indicating it is out-of-bounds. CVE-2025-21689 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. CVE-2025-21690 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]--- CVE-2025-21692 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 important In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Ensure job pointer is set to NULL after job completion After a job completes, the corresponding pointer in the device must be set to NULL. Failing to do so triggers a warning when unloading the driver, as it appears the job is still active. To prevent this, assign the job pointer to NULL after completing the job, indicating the job has finished. CVE-2025-21697 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 low In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two. CVE-2025-21699 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com> CVE-2025-21700 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: mptcp: handle fastopen disconnect correctly Syzbot was able to trigger a data stream corruption: WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Modules linked in: CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07 RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293 RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928 R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000 R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000 FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074 mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493 release_sock+0x1aa/0x1f0 net/core/sock.c:3640 inet_wait_for_connect net/ipv4/af_inet.c:609 [inline] __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6e86ebfe69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69 RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508 </TASK> The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors. Address the issue increasing the socket disconnect counter even on such a case, to allow other threads waiting on the same socket lock to properly error out. CVE-2025-21705 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. This is similar to the issue fixed in commit ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). This bug is detected by our static analysis tool. CVE-2025-21715 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix uninit-value in vxlan_vnifilter_dump() KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1]. If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations. [1] BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786 netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317 __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432 netlink_dump_start include/linux/netlink.h:340 [inline] rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline] rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882 netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4110 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205 kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1323 [inline] netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196 netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 CVE-2025-21716 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg net/socket.c:1055 [inline] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708 CVE-2025-21719 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type. CVE-2025-21724 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to unset link speed It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48 89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8 e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 <48> f7 74 24 18 48 89 c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24 RSP: 0018:ffffc90001817be0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99 RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228 RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200 R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58 FS: 00007fe27119e740(0000) GS:ffff888148600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0x159/0x1b0 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? do_error_trap+0x90/0x130 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? exc_divide_error+0x39/0x50 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? asm_exc_divide_error+0x1a/0x20 ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs] ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? seq_read_iter+0x42e/0x790 seq_read_iter+0x19a/0x790 proc_reg_read_iter+0xbe/0x110 ? __pfx_proc_reg_read_iter+0x10/0x10 vfs_read+0x469/0x570 ? do_user_addr_fault+0x398/0x760 ? __pfx_vfs_read+0x10/0x10 ? find_held_lock+0x8a/0xa0 ? __pfx_lock_release+0x10/0x10 ksys_read+0xd3/0x170 ? __pfx_ksys_read+0x10/0x10 ? __rcu_read_unlock+0x50/0x270 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe271288911 Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911 RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003 RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000 </TASK> Fix this by setting cifs_server_iface::speed to a sane value (1Gbps) by default when link speed is unset. CVE-2025-21725 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`. CVE-2025-21728 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context The following bug report happened with a PREEMPT_RT kernel: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 get_random_u32+0x4f/0x110 clocksource_verify_choose_cpus+0xab/0x1a0 clocksource_verify_percpu.part.0+0x6b/0x330 clocksource_watchdog_kthread+0x193/0x1a0 It is due to the fact that clocksource_verify_choose_cpus() is invoked with preemption disabled. This function invokes get_random_u32() to obtain random numbers for choosing CPUs. The batched_entropy_32 local lock and/or the base_crng.lock spinlock in driver/char/random.c will be acquired during the call. In PREEMPT_RT kernel, they are both sleeping locks and so cannot be acquired in atomic context. Fix this problem by using migrate_disable() to allow smp_processor_id() to be reliably used without introducing atomic context. preempt_disable() is then called after clocksource_verify_choose_cpus() but before the clocksource measurement is being run to avoid introducing unexpected latency. CVE-2025-21767 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: vxlan: check vxlan_vnigroup_init() return value vxlan_init() must check vxlan_vnigroup_init() success otherwise a crash happens later, spotted by syzbot. Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167] CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912 Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00 RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18 RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000 FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942 unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824 unregister_netdevice_many net/core/dev.c:11866 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736 register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901 __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981 vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407 rtnl_newlink_create net/core/rtnetlink.c:3795 [inline] __rtnl_newlink net/core/rtnetlink.c:3906 [inline] CVE-2025-21790 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to send the callback. This causes nfsd4_shutdown_callback to hang since cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP notifies NFSD that the connection was dropped. This patch modifies nfsd4_run_cb_work to skip the RPC call if nfs4_client is in courtesy state. CVE-2025-21795 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is valid. There is no issue at probe time but at runtime user can invoke .set_channels which results in the following call chain. am65_cpsw_set_channels() am65_cpsw_nuss_update_tx_rx_chns() am65_cpsw_nuss_remove_tx_chns() am65_cpsw_nuss_init_tx_chns() At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value. Then, at subsequent .set_channels with higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() leading to a kernel warning. The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns(). CVE-2025-21799 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock. To fixes it, introduce a new mutex to protect the unload process. CVE-2025-21802 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:kernel-default-6.4.0-150600.23.42.2 moderate When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before opening other windows and buffers and therefore fix this bug. In addition it does verify that it won't try to access a position if the position is greater than the corresponding buffer line. Impact is medium since the user must have switched on visual mode when executing the :all ex command. The Vim project would like to thank github user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch v9.1.1003 CVE-2025-22134 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-9.1.1176-150500.20.24.2 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-data-common-9.1.1176-150500.20.24.2 moderate An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. CVE-2025-22868 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:docker-27.5.1_ce-150000.218.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:google-guest-agent-20250327.01-150000.1.60.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:google-osconfig-agent-20250115.01-150000.1.47.1 important SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. CVE-2025-22869 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:docker-27.5.1_ce-150000.218.1 important Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043. CVE-2025-24014 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-9.1.1176-150500.20.24.2 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:vim-data-common-9.1.1176-150500.20.24.2 moderate numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. CVE-2025-24855 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libxslt1-1.1.34-150400.3.6.1 important libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. CVE-2025-24928 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libxml2-2-2.10.3-150500.5.23.1 moderate A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size. CVE-2025-26597 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libX11-6-1.8.7-150600.3.3.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libX11-data-1.8.7-150600.3.3.1 moderate libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. CVE-2025-27113 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libxml2-2-2.10.3-150500.5.23.1 moderate An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. CVE-2025-27363 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:libfreetype6-2.10.4-150000.4.18.1 important Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6. CVE-2025-27516 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:python3-Jinja2-2.10.1-150000.3.21.1 moderate XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases. CVE-2025-31115 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:liblzma5-5.4.1-150600.3.3.1 Public Cloud Image google/sles-15-sp6-byos-v20250408-x86-64:xz-5.4.1-150600.3.3.1 important