Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02320-1 Final 1 1 2025-07-15T14:20:22Z current 2025-07-15T14:20:22Z 2025-07-15T14:20:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2022-50085: dm raid: fix address sanitizer warning in raid_resume (bsc#1245147). - CVE-2022-50087: firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (bsc#1245119). - CVE-2022-50200: selinux: Add boundary check in put_entry() (bsc#1245149). - CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820). - CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095). - CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514). - CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827). - CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381). - CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637). - CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159). - CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312). - CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313). - CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504). - CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924). - CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330). - CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832). - CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277). - CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234). - CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183). The following non-security bugs were fixed: - net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312) - net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504) - scsi: storvsc: Do not report the host packet status as the hv status (git-fixes). - scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455). - wifi: cfg80211: Add my certificate (bsc#1243001). - wifi: cfg80211: fix certs build to not depend on file order (bsc#1243001). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2320,SUSE-SUSE-MicroOS-5.1-2025-2320,SUSE-SUSE-MicroOS-5.2-2025-2320 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ Link for SUSE-SU-2025:02320-1 https://lists.suse.com/pipermail/sle-security-updates/2025-July/021812.html E-Mail link for SUSE-SU-2025:02320-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1065729 SUSE Bug 1065729 https://bugzilla.suse.com/1156395 SUSE Bug 1156395 https://bugzilla.suse.com/1199487 SUSE Bug 1199487 https://bugzilla.suse.com/1201160 SUSE Bug 1201160 https://bugzilla.suse.com/1201956 SUSE Bug 1201956 https://bugzilla.suse.com/1202095 SUSE Bug 1202095 https://bugzilla.suse.com/1202564 SUSE Bug 1202564 https://bugzilla.suse.com/1202716 SUSE Bug 1202716 https://bugzilla.suse.com/1202810 SUSE Bug 1202810 https://bugzilla.suse.com/1202860 SUSE Bug 1202860 https://bugzilla.suse.com/1205220 SUSE Bug 1205220 https://bugzilla.suse.com/1205514 SUSE Bug 1205514 https://bugzilla.suse.com/1206664 SUSE Bug 1206664 https://bugzilla.suse.com/1206878 SUSE Bug 1206878 https://bugzilla.suse.com/1206880 SUSE Bug 1206880 https://bugzilla.suse.com/1211226 SUSE Bug 1211226 https://bugzilla.suse.com/1212051 SUSE Bug 1212051 https://bugzilla.suse.com/1218184 SUSE Bug 1218184 https://bugzilla.suse.com/1224095 SUSE Bug 1224095 https://bugzilla.suse.com/1225820 SUSE Bug 1225820 https://bugzilla.suse.com/1226514 SUSE Bug 1226514 https://bugzilla.suse.com/1228659 SUSE Bug 1228659 https://bugzilla.suse.com/1230827 SUSE Bug 1230827 https://bugzilla.suse.com/1231293 SUSE Bug 1231293 https://bugzilla.suse.com/1232504 SUSE Bug 1232504 https://bugzilla.suse.com/1234381 SUSE Bug 1234381 https://bugzilla.suse.com/1234454 SUSE Bug 1234454 https://bugzilla.suse.com/1235637 SUSE Bug 1235637 https://bugzilla.suse.com/1237159 SUSE Bug 1237159 https://bugzilla.suse.com/1237312 SUSE Bug 1237312 https://bugzilla.suse.com/1237313 SUSE Bug 1237313 https://bugzilla.suse.com/1238303 SUSE Bug 1238303 https://bugzilla.suse.com/1238471 SUSE Bug 1238471 https://bugzilla.suse.com/1238570 SUSE Bug 1238570 https://bugzilla.suse.com/1239986 SUSE Bug 1239986 https://bugzilla.suse.com/1240785 SUSE Bug 1240785 https://bugzilla.suse.com/1241038 SUSE Bug 1241038 https://bugzilla.suse.com/1242414 SUSE Bug 1242414 https://bugzilla.suse.com/1242504 SUSE Bug 1242504 https://bugzilla.suse.com/1242924 SUSE Bug 1242924 https://bugzilla.suse.com/1243001 SUSE Bug 1243001 https://bugzilla.suse.com/1243330 SUSE Bug 1243330 https://bugzilla.suse.com/1243543 SUSE Bug 1243543 https://bugzilla.suse.com/1243627 SUSE Bug 1243627 https://bugzilla.suse.com/1243832 SUSE Bug 1243832 https://bugzilla.suse.com/1244234 SUSE Bug 1244234 https://bugzilla.suse.com/1244241 SUSE Bug 1244241 https://bugzilla.suse.com/1244277 SUSE Bug 1244277 https://bugzilla.suse.com/1244337 SUSE Bug 1244337 https://bugzilla.suse.com/1244764 SUSE Bug 1244764 https://bugzilla.suse.com/1244767 SUSE Bug 1244767 https://bugzilla.suse.com/1244770 SUSE Bug 1244770 https://bugzilla.suse.com/1244771 SUSE Bug 1244771 https://bugzilla.suse.com/1244773 SUSE Bug 1244773 https://bugzilla.suse.com/1244774 SUSE Bug 1244774 https://bugzilla.suse.com/1244776 SUSE Bug 1244776 https://bugzilla.suse.com/1244779 SUSE Bug 1244779 https://bugzilla.suse.com/1244782 SUSE Bug 1244782 https://bugzilla.suse.com/1244783 SUSE Bug 1244783 https://bugzilla.suse.com/1244786 SUSE Bug 1244786 https://bugzilla.suse.com/1244788 SUSE Bug 1244788 https://bugzilla.suse.com/1244790 SUSE Bug 1244790 https://bugzilla.suse.com/1244793 SUSE Bug 1244793 https://bugzilla.suse.com/1244794 SUSE Bug 1244794 https://bugzilla.suse.com/1244796 SUSE Bug 1244796 https://bugzilla.suse.com/1244797 SUSE Bug 1244797 https://bugzilla.suse.com/1244804 SUSE Bug 1244804 https://bugzilla.suse.com/1244813 SUSE Bug 1244813 https://bugzilla.suse.com/1244815 SUSE Bug 1244815 https://bugzilla.suse.com/1244816 SUSE Bug 1244816 https://bugzilla.suse.com/1244825 SUSE Bug 1244825 https://bugzilla.suse.com/1244834 SUSE Bug 1244834 https://bugzilla.suse.com/1244836 SUSE Bug 1244836 https://bugzilla.suse.com/1244838 SUSE Bug 1244838 https://bugzilla.suse.com/1244839 SUSE Bug 1244839 https://bugzilla.suse.com/1244841 SUSE Bug 1244841 https://bugzilla.suse.com/1244842 SUSE Bug 1244842 https://bugzilla.suse.com/1244845 SUSE Bug 1244845 https://bugzilla.suse.com/1244848 SUSE Bug 1244848 https://bugzilla.suse.com/1244849 SUSE Bug 1244849 https://bugzilla.suse.com/1244851 SUSE Bug 1244851 https://bugzilla.suse.com/1244853 SUSE Bug 1244853 https://bugzilla.suse.com/1244856 SUSE Bug 1244856 https://bugzilla.suse.com/1244861 SUSE Bug 1244861 https://bugzilla.suse.com/1244867 SUSE Bug 1244867 https://bugzilla.suse.com/1244868 SUSE Bug 1244868 https://bugzilla.suse.com/1244869 SUSE Bug 1244869 https://bugzilla.suse.com/1244881 SUSE Bug 1244881 https://bugzilla.suse.com/1244883 SUSE Bug 1244883 https://bugzilla.suse.com/1244884 SUSE Bug 1244884 https://bugzilla.suse.com/1244885 SUSE Bug 1244885 https://bugzilla.suse.com/1244886 SUSE Bug 1244886 https://bugzilla.suse.com/1244887 SUSE Bug 1244887 https://bugzilla.suse.com/1244899 SUSE Bug 1244899 https://bugzilla.suse.com/1244901 SUSE Bug 1244901 https://bugzilla.suse.com/1244902 SUSE Bug 1244902 https://bugzilla.suse.com/1244908 SUSE Bug 1244908 https://bugzilla.suse.com/1244936 SUSE Bug 1244936 https://bugzilla.suse.com/1244941 SUSE Bug 1244941 https://bugzilla.suse.com/1244943 SUSE Bug 1244943 https://bugzilla.suse.com/1244945 SUSE Bug 1244945 https://bugzilla.suse.com/1244948 SUSE Bug 1244948 https://bugzilla.suse.com/1244950 SUSE Bug 1244950 https://bugzilla.suse.com/1244956 SUSE Bug 1244956 https://bugzilla.suse.com/1244958 SUSE Bug 1244958 https://bugzilla.suse.com/1244959 SUSE Bug 1244959 https://bugzilla.suse.com/1244967 SUSE Bug 1244967 https://bugzilla.suse.com/1244968 SUSE Bug 1244968 https://bugzilla.suse.com/1244969 SUSE Bug 1244969 https://bugzilla.suse.com/1244976 SUSE Bug 1244976 https://bugzilla.suse.com/1244979 SUSE Bug 1244979 https://bugzilla.suse.com/1244984 SUSE Bug 1244984 https://bugzilla.suse.com/1244986 SUSE Bug 1244986 https://bugzilla.suse.com/1244992 SUSE Bug 1244992 https://bugzilla.suse.com/1245006 SUSE Bug 1245006 https://bugzilla.suse.com/1245007 SUSE Bug 1245007 https://bugzilla.suse.com/1245024 SUSE Bug 1245024 https://bugzilla.suse.com/1245031 SUSE Bug 1245031 https://bugzilla.suse.com/1245033 SUSE Bug 1245033 https://bugzilla.suse.com/1245041 SUSE Bug 1245041 https://bugzilla.suse.com/1245047 SUSE Bug 1245047 https://bugzilla.suse.com/1245051 SUSE Bug 1245051 https://bugzilla.suse.com/1245057 SUSE Bug 1245057 https://bugzilla.suse.com/1245058 SUSE Bug 1245058 https://bugzilla.suse.com/1245072 SUSE Bug 1245072 https://bugzilla.suse.com/1245073 SUSE Bug 1245073 https://bugzilla.suse.com/1245098 SUSE Bug 1245098 https://bugzilla.suse.com/1245103 SUSE Bug 1245103 https://bugzilla.suse.com/1245117 SUSE Bug 1245117 https://bugzilla.suse.com/1245119 SUSE Bug 1245119 https://bugzilla.suse.com/1245121 SUSE Bug 1245121 https://bugzilla.suse.com/1245122 SUSE Bug 1245122 https://bugzilla.suse.com/1245125 SUSE Bug 1245125 https://bugzilla.suse.com/1245129 SUSE Bug 1245129 https://bugzilla.suse.com/1245131 SUSE Bug 1245131 https://bugzilla.suse.com/1245135 SUSE Bug 1245135 https://bugzilla.suse.com/1245136 SUSE Bug 1245136 https://bugzilla.suse.com/1245138 SUSE Bug 1245138 https://bugzilla.suse.com/1245139 SUSE Bug 1245139 https://bugzilla.suse.com/1245140 SUSE Bug 1245140 https://bugzilla.suse.com/1245146 SUSE Bug 1245146 https://bugzilla.suse.com/1245147 SUSE Bug 1245147 https://bugzilla.suse.com/1245149 SUSE Bug 1245149 https://bugzilla.suse.com/1245183 SUSE Bug 1245183 https://bugzilla.suse.com/1245195 SUSE Bug 1245195 https://bugzilla.suse.com/1245265 SUSE Bug 1245265 https://bugzilla.suse.com/1245348 SUSE Bug 1245348 https://bugzilla.suse.com/1245455 SUSE Bug 1245455 https://www.suse.com/security/cve/CVE-2022-1679/ SUSE CVE CVE-2022-1679 page https://www.suse.com/security/cve/CVE-2022-2586/ SUSE CVE CVE-2022-2586 page https://www.suse.com/security/cve/CVE-2022-2905/ SUSE CVE CVE-2022-2905 page https://www.suse.com/security/cve/CVE-2022-3903/ SUSE CVE CVE-2022-3903 page https://www.suse.com/security/cve/CVE-2022-4095/ SUSE CVE CVE-2022-4095 page https://www.suse.com/security/cve/CVE-2022-4662/ SUSE CVE CVE-2022-4662 page https://www.suse.com/security/cve/CVE-2022-49934/ SUSE CVE CVE-2022-49934 page https://www.suse.com/security/cve/CVE-2022-49936/ SUSE CVE CVE-2022-49936 page https://www.suse.com/security/cve/CVE-2022-49937/ SUSE CVE CVE-2022-49937 page https://www.suse.com/security/cve/CVE-2022-49942/ SUSE CVE CVE-2022-49942 page https://www.suse.com/security/cve/CVE-2022-49945/ SUSE CVE CVE-2022-49945 page https://www.suse.com/security/cve/CVE-2022-49948/ SUSE CVE CVE-2022-49948 page https://www.suse.com/security/cve/CVE-2022-49950/ SUSE CVE CVE-2022-49950 page https://www.suse.com/security/cve/CVE-2022-49952/ SUSE CVE CVE-2022-49952 page https://www.suse.com/security/cve/CVE-2022-49954/ SUSE CVE CVE-2022-49954 page https://www.suse.com/security/cve/CVE-2022-49956/ SUSE CVE CVE-2022-49956 page https://www.suse.com/security/cve/CVE-2022-49968/ SUSE CVE CVE-2022-49968 page https://www.suse.com/security/cve/CVE-2022-49977/ SUSE CVE CVE-2022-49977 page https://www.suse.com/security/cve/CVE-2022-49978/ SUSE CVE CVE-2022-49978 page https://www.suse.com/security/cve/CVE-2022-49981/ SUSE CVE CVE-2022-49981 page https://www.suse.com/security/cve/CVE-2022-49984/ SUSE CVE CVE-2022-49984 page https://www.suse.com/security/cve/CVE-2022-49985/ SUSE CVE CVE-2022-49985 page https://www.suse.com/security/cve/CVE-2022-49986/ SUSE CVE CVE-2022-49986 page https://www.suse.com/security/cve/CVE-2022-49987/ SUSE CVE CVE-2022-49987 page https://www.suse.com/security/cve/CVE-2022-49989/ SUSE CVE CVE-2022-49989 page https://www.suse.com/security/cve/CVE-2022-49990/ SUSE CVE CVE-2022-49990 page https://www.suse.com/security/cve/CVE-2022-49993/ SUSE CVE CVE-2022-49993 page https://www.suse.com/security/cve/CVE-2022-50010/ SUSE CVE CVE-2022-50010 page https://www.suse.com/security/cve/CVE-2022-50012/ SUSE CVE CVE-2022-50012 page https://www.suse.com/security/cve/CVE-2022-50019/ SUSE CVE CVE-2022-50019 page https://www.suse.com/security/cve/CVE-2022-50020/ SUSE CVE CVE-2022-50020 page https://www.suse.com/security/cve/CVE-2022-50022/ SUSE CVE CVE-2022-50022 page https://www.suse.com/security/cve/CVE-2022-50027/ SUSE CVE CVE-2022-50027 page https://www.suse.com/security/cve/CVE-2022-50028/ SUSE CVE CVE-2022-50028 page https://www.suse.com/security/cve/CVE-2022-50029/ SUSE CVE CVE-2022-50029 page https://www.suse.com/security/cve/CVE-2022-50030/ SUSE CVE CVE-2022-50030 page https://www.suse.com/security/cve/CVE-2022-50032/ SUSE CVE CVE-2022-50032 page https://www.suse.com/security/cve/CVE-2022-50033/ SUSE CVE CVE-2022-50033 page https://www.suse.com/security/cve/CVE-2022-50036/ SUSE CVE CVE-2022-50036 page https://www.suse.com/security/cve/CVE-2022-50038/ SUSE CVE CVE-2022-50038 page https://www.suse.com/security/cve/CVE-2022-50045/ SUSE CVE CVE-2022-50045 page https://www.suse.com/security/cve/CVE-2022-50051/ SUSE CVE CVE-2022-50051 page https://www.suse.com/security/cve/CVE-2022-50059/ SUSE CVE CVE-2022-50059 page https://www.suse.com/security/cve/CVE-2022-50061/ SUSE CVE CVE-2022-50061 page https://www.suse.com/security/cve/CVE-2022-50065/ SUSE CVE CVE-2022-50065 page https://www.suse.com/security/cve/CVE-2022-50067/ SUSE CVE CVE-2022-50067 page https://www.suse.com/security/cve/CVE-2022-50072/ SUSE CVE CVE-2022-50072 page https://www.suse.com/security/cve/CVE-2022-50083/ SUSE CVE CVE-2022-50083 page https://www.suse.com/security/cve/CVE-2022-50084/ SUSE CVE CVE-2022-50084 page https://www.suse.com/security/cve/CVE-2022-50085/ SUSE CVE CVE-2022-50085 page https://www.suse.com/security/cve/CVE-2022-50087/ SUSE CVE CVE-2022-50087 page https://www.suse.com/security/cve/CVE-2022-50091/ SUSE CVE CVE-2022-50091 page https://www.suse.com/security/cve/CVE-2022-50092/ SUSE CVE CVE-2022-50092 page https://www.suse.com/security/cve/CVE-2022-50093/ SUSE CVE CVE-2022-50093 page https://www.suse.com/security/cve/CVE-2022-50094/ SUSE CVE CVE-2022-50094 page https://www.suse.com/security/cve/CVE-2022-50097/ SUSE CVE CVE-2022-50097 page https://www.suse.com/security/cve/CVE-2022-50098/ SUSE CVE CVE-2022-50098 page https://www.suse.com/security/cve/CVE-2022-50099/ SUSE CVE CVE-2022-50099 page https://www.suse.com/security/cve/CVE-2022-50101/ SUSE CVE CVE-2022-50101 page https://www.suse.com/security/cve/CVE-2022-50102/ SUSE CVE CVE-2022-50102 page https://www.suse.com/security/cve/CVE-2022-50104/ SUSE CVE CVE-2022-50104 page https://www.suse.com/security/cve/CVE-2022-50108/ SUSE CVE CVE-2022-50108 page https://www.suse.com/security/cve/CVE-2022-50109/ SUSE CVE CVE-2022-50109 page https://www.suse.com/security/cve/CVE-2022-50118/ SUSE CVE CVE-2022-50118 page https://www.suse.com/security/cve/CVE-2022-50124/ SUSE CVE CVE-2022-50124 page https://www.suse.com/security/cve/CVE-2022-50126/ SUSE CVE CVE-2022-50126 page https://www.suse.com/security/cve/CVE-2022-50127/ SUSE CVE CVE-2022-50127 page https://www.suse.com/security/cve/CVE-2022-50136/ SUSE CVE CVE-2022-50136 page https://www.suse.com/security/cve/CVE-2022-50138/ SUSE CVE CVE-2022-50138 page https://www.suse.com/security/cve/CVE-2022-50140/ SUSE CVE CVE-2022-50140 page https://www.suse.com/security/cve/CVE-2022-50141/ SUSE CVE CVE-2022-50141 page https://www.suse.com/security/cve/CVE-2022-50142/ SUSE CVE CVE-2022-50142 page https://www.suse.com/security/cve/CVE-2022-50143/ SUSE CVE CVE-2022-50143 page https://www.suse.com/security/cve/CVE-2022-50146/ SUSE CVE CVE-2022-50146 page https://www.suse.com/security/cve/CVE-2022-50149/ SUSE CVE CVE-2022-50149 page https://www.suse.com/security/cve/CVE-2022-50152/ SUSE CVE CVE-2022-50152 page https://www.suse.com/security/cve/CVE-2022-50153/ SUSE CVE CVE-2022-50153 page https://www.suse.com/security/cve/CVE-2022-50156/ SUSE CVE CVE-2022-50156 page https://www.suse.com/security/cve/CVE-2022-50158/ SUSE CVE CVE-2022-50158 page https://www.suse.com/security/cve/CVE-2022-50160/ SUSE CVE CVE-2022-50160 page https://www.suse.com/security/cve/CVE-2022-50161/ SUSE CVE CVE-2022-50161 page https://www.suse.com/security/cve/CVE-2022-50162/ SUSE CVE CVE-2022-50162 page https://www.suse.com/security/cve/CVE-2022-50164/ SUSE CVE CVE-2022-50164 page https://www.suse.com/security/cve/CVE-2022-50165/ SUSE CVE CVE-2022-50165 page https://www.suse.com/security/cve/CVE-2022-50169/ SUSE CVE CVE-2022-50169 page https://www.suse.com/security/cve/CVE-2022-50172/ SUSE CVE CVE-2022-50172 page https://www.suse.com/security/cve/CVE-2022-50173/ SUSE CVE CVE-2022-50173 page https://www.suse.com/security/cve/CVE-2022-50176/ SUSE CVE CVE-2022-50176 page https://www.suse.com/security/cve/CVE-2022-50179/ SUSE CVE CVE-2022-50179 page https://www.suse.com/security/cve/CVE-2022-50181/ SUSE CVE CVE-2022-50181 page https://www.suse.com/security/cve/CVE-2022-50185/ SUSE CVE CVE-2022-50185 page https://www.suse.com/security/cve/CVE-2022-50191/ SUSE CVE CVE-2022-50191 page https://www.suse.com/security/cve/CVE-2022-50200/ SUSE CVE CVE-2022-50200 page https://www.suse.com/security/cve/CVE-2022-50209/ SUSE CVE CVE-2022-50209 page https://www.suse.com/security/cve/CVE-2022-50211/ SUSE CVE CVE-2022-50211 page https://www.suse.com/security/cve/CVE-2022-50212/ SUSE CVE CVE-2022-50212 page https://www.suse.com/security/cve/CVE-2022-50213/ SUSE CVE CVE-2022-50213 page https://www.suse.com/security/cve/CVE-2022-50215/ SUSE CVE CVE-2022-50215 page https://www.suse.com/security/cve/CVE-2022-50218/ SUSE CVE CVE-2022-50218 page https://www.suse.com/security/cve/CVE-2022-50220/ SUSE CVE CVE-2022-50220 page https://www.suse.com/security/cve/CVE-2022-50222/ SUSE CVE CVE-2022-50222 page https://www.suse.com/security/cve/CVE-2022-50229/ SUSE CVE CVE-2022-50229 page https://www.suse.com/security/cve/CVE-2022-50231/ SUSE CVE CVE-2022-50231 page https://www.suse.com/security/cve/CVE-2023-3111/ SUSE CVE CVE-2023-3111 page https://www.suse.com/security/cve/CVE-2024-26924/ SUSE CVE CVE-2024-26924 page https://www.suse.com/security/cve/CVE-2024-27397/ SUSE CVE CVE-2024-27397 page https://www.suse.com/security/cve/CVE-2024-36978/ SUSE CVE CVE-2024-36978 page https://www.suse.com/security/cve/CVE-2024-46800/ SUSE CVE CVE-2024-46800 page https://www.suse.com/security/cve/CVE-2024-53141/ SUSE CVE CVE-2024-53141 page https://www.suse.com/security/cve/CVE-2024-56770/ SUSE CVE CVE-2024-56770 page https://www.suse.com/security/cve/CVE-2025-21700/ SUSE CVE CVE-2025-21700 page https://www.suse.com/security/cve/CVE-2025-21702/ SUSE CVE CVE-2025-21702 page https://www.suse.com/security/cve/CVE-2025-21703/ SUSE CVE CVE-2025-21703 page https://www.suse.com/security/cve/CVE-2025-37752/ SUSE CVE CVE-2025-37752 page https://www.suse.com/security/cve/CVE-2025-37798/ SUSE CVE CVE-2025-37798 page https://www.suse.com/security/cve/CVE-2025-37823/ SUSE CVE CVE-2025-37823 page https://www.suse.com/security/cve/CVE-2025-37890/ SUSE CVE CVE-2025-37890 page https://www.suse.com/security/cve/CVE-2025-37932/ SUSE CVE CVE-2025-37932 page https://www.suse.com/security/cve/CVE-2025-37953/ SUSE CVE CVE-2025-37953 page https://www.suse.com/security/cve/CVE-2025-37997/ SUSE CVE CVE-2025-37997 page https://www.suse.com/security/cve/CVE-2025-38000/ SUSE CVE CVE-2025-38000 page https://www.suse.com/security/cve/CVE-2025-38001/ SUSE CVE CVE-2025-38001 page https://www.suse.com/security/cve/CVE-2025-38083/ SUSE CVE CVE-2025-38083 page SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 cluster-md-kmp-rt-5.3.18-150300.214.1 cluster-md-kmp-rt_debug-5.3.18-150300.214.1 dlm-kmp-rt-5.3.18-150300.214.1 dlm-kmp-rt_debug-5.3.18-150300.214.1 gfs2-kmp-rt-5.3.18-150300.214.1 gfs2-kmp-rt_debug-5.3.18-150300.214.1 kernel-devel-rt-5.3.18-150300.214.1 kernel-rt-5.3.18-150300.214.1 kernel-rt-devel-5.3.18-150300.214.1 kernel-rt-extra-5.3.18-150300.214.1 kernel-rt-livepatch-devel-5.3.18-150300.214.1 kernel-rt-optional-5.3.18-150300.214.1 kernel-rt_debug-5.3.18-150300.214.1 kernel-rt_debug-devel-5.3.18-150300.214.1 kernel-rt_debug-extra-5.3.18-150300.214.1 kernel-rt_debug-livepatch-devel-5.3.18-150300.214.1 kernel-rt_debug-optional-5.3.18-150300.214.1 kernel-source-rt-5.3.18-150300.214.1 kselftests-kmp-rt-5.3.18-150300.214.1 kselftests-kmp-rt_debug-5.3.18-150300.214.1 ocfs2-kmp-rt-5.3.18-150300.214.1 ocfs2-kmp-rt_debug-5.3.18-150300.214.1 reiserfs-kmp-rt-5.3.18-150300.214.1 reiserfs-kmp-rt_debug-5.3.18-150300.214.1 kernel-rt-5.3.18-150300.214.1 as a component of SUSE Linux Enterprise Micro 5.1 kernel-source-rt-5.3.18-150300.214.1 as a component of SUSE Linux Enterprise Micro 5.1 kernel-rt-5.3.18-150300.214.1 as a component of SUSE Linux Enterprise Micro 5.2 kernel-source-rt-5.3.18-150300.214.1 as a component of SUSE Linux Enterprise Micro 5.2 A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. CVE-2022-1679 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-1679.html CVE-2022-1679 https://bugzilla.suse.com/1199487 SUSE Bug 1199487 https://bugzilla.suse.com/1201080 SUSE Bug 1201080 https://bugzilla.suse.com/1201832 SUSE Bug 1201832 https://bugzilla.suse.com/1204132 SUSE Bug 1204132 https://bugzilla.suse.com/1212316 SUSE Bug 1212316 It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted. CVE-2022-2586 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-2586.html CVE-2022-2586 https://bugzilla.suse.com/1202095 SUSE Bug 1202095 https://bugzilla.suse.com/1209719 SUSE Bug 1209719 An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. CVE-2022-2905 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-2905.html CVE-2022-2905 https://bugzilla.suse.com/1202860 SUSE Bug 1202860 An incorrect read request flaw was found in the Infrared Transceiver USB driver in the Linux kernel. This issue occurs when a user attaches a malicious USB device. A local user could use this flaw to starve the resources, causing denial of service or potentially crashing the system. CVE-2022-3903 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-3903.html CVE-2022-3903 https://bugzilla.suse.com/1205220 SUSE Bug 1205220 https://bugzilla.suse.com/1212297 SUSE Bug 1212297 A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges. CVE-2022-4095 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-4095.html CVE-2022-4095 https://bugzilla.suse.com/1205514 SUSE Bug 1205514 https://bugzilla.suse.com/1205594 SUSE Bug 1205594 https://bugzilla.suse.com/1208030 SUSE Bug 1208030 https://bugzilla.suse.com/1208085 SUSE Bug 1208085 https://bugzilla.suse.com/1212319 SUSE Bug 1212319 A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system. CVE-2022-4662 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-4662.html CVE-2022-4662 https://bugzilla.suse.com/1206664 SUSE Bug 1206664 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix UAF in ieee80211_scan_rx() ieee80211_scan_rx() tries to access scan_req->flags after a null check, but a UAF is observed when the scan is completed and __ieee80211_scan_completed() executes, which then calls cfg80211_scan_done() leading to the freeing of scan_req. Since scan_req is rcu_dereference()'d, prevent the racing in __ieee80211_scan_completed() by ensuring that from mac80211's POV it is no longer accessed from an RCU read critical section before we call cfg80211_scan_done(). CVE-2022-49934 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49934.html CVE-2022-49934 https://bugzilla.suse.com/1245051 SUSE Bug 1245051 In the Linux kernel, the following vulnerability has been resolved: USB: core: Prevent nested device-reset calls Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 but task is already holding lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 ... stack backtrace: CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] check_deadlock kernel/locking/lockdep.c:3031 [inline] validate_chain kernel/locking/lockdep.c:3816 [inline] __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 lock_acquire kernel/locking/lockdep.c:5665 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747 usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109 r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622 usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:545 [inline] device_remove+0x11f/0x170 drivers/base/dd.c:537 __device_release_driver drivers/base/dd.c:1222 [inline] device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627 usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114 This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks), its ->remove routine called usb_reset_device() -- thus nesting one reset call within another. Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future. CVE-2022-49936 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49936.html CVE-2022-49936 https://bugzilla.suse.com/1244984 SUSE Bug 1244984 In the Linux kernel, the following vulnerability has been resolved: media: mceusb: Use new usb_control_msg_*() routines Automatic kernel fuzzing led to a WARN about invalid pipe direction in the mceusb driver: ------------[ cut here ]------------ usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c6556ad #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41 RSP: 0018:ffffc900032becf0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000 RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90 RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000 R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000 R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500 FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0 Call Trace: <TASK> usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153 mceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline] mceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807 The reason for the warning is clear enough; the driver sends an unusual read request on endpoint 0 but does not set the USB_DIR_IN bit in the bRequestType field. More importantly, the whole situation can be avoided and the driver simplified by converting it over to the relatively new usb_control_msg_recv() and usb_control_msg_send() routines. That's what this fix does. CVE-2022-49937 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49937.html CVE-2022-49937 https://bugzilla.suse.com/1245057 SUSE Bug 1245057 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense. The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac80211/ibss.c), which was consequently reported on the syzkaller dashboard. Thus, check if we have an existing connection before generating the CSA beacon in ieee80211_ibss_finish_csa(). CVE-2022-49942 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49942.html CVE-2022-49942 https://bugzilla.suse.com/1244881 SUSE Bug 1244881 In the Linux kernel, the following vulnerability has been resolved: hwmon: (gpio-fan) Fix array out of bounds access The driver does not check if the cooling state passed to gpio_fan_set_cur_state() exceeds the maximum cooling state as stored in fan_data->num_speeds. Since the cooling state is later used as an array index in set_fan_speed(), an array out of bounds access can occur. This can be exploited by setting the state of the thermal cooling device to arbitrary values, causing for example a kernel oops when unavailable memory is accessed this way. Example kernel oops: [ 807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064 [ 807.987369] Mem abort info: [ 807.987398] ESR = 0x96000005 [ 807.987428] EC = 0x25: DABT (current EL), IL = 32 bits [ 807.987477] SET = 0, FnV = 0 [ 807.987507] EA = 0, S1PTW = 0 [ 807.987536] FSC = 0x05: level 1 translation fault [ 807.987570] Data abort info: [ 807.987763] ISV = 0, ISS = 0x00000005 [ 807.987801] CM = 0, WnR = 0 [ 807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000 [ 807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP [ 807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [ 807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G C 5.15.56-v8+ #1575 [ 807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT) [ 807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan] [ 807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan] [ 807.988691] sp : ffffffc008cf3bd0 [ 807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000 [ 807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920 [ 807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c [ 807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000 [ 807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70 [ 807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c [ 807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009 [ 807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8 [ 807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060 [ 807.989084] Call trace: [ 807.989091] set_fan_speed.part.5+0x34/0x80 [gpio_fan] [ 807.989113] gpio_fan_set_cur_state+0x34/0x50 [gpio_fan] [ 807.989199] cur_state_store+0x84/0xd0 [ 807.989221] dev_attr_store+0x20/0x38 [ 807.989262] sysfs_kf_write+0x4c/0x60 [ 807.989282] kernfs_fop_write_iter+0x130/0x1c0 [ 807.989298] new_sync_write+0x10c/0x190 [ 807.989315] vfs_write+0x254/0x378 [ 807.989362] ksys_write+0x70/0xf8 [ 807.989379] __arm64_sys_write+0x24/0x30 [ 807.989424] invoke_syscall+0x4c/0x110 [ 807.989442] el0_svc_common.constprop.3+0xfc/0x120 [ 807.989458] do_el0_svc+0x2c/0x90 [ 807.989473] el0_svc+0x24/0x60 [ 807.989544] el0t_64_sync_handler+0x90/0xb8 [ 807.989558] el0t_64_sync+0x1a0/0x1a4 [ 807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416) [ 807.989627] ---[ end t ---truncated--- CVE-2022-49945 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49945.html CVE-2022-49945 https://bugzilla.suse.com/1244908 SUSE Bug 1244908 In the Linux kernel, the following vulnerability has been resolved: vt: Clear selection before changing the font When changing the console font with ioctl(KDFONTOP) the new font size can be bigger than the previous font. A previous selection may thus now be outside of the new screen size and thus trigger out-of-bounds accesses to graphics memory if the selection is removed in vc_do_resize(). Prevent such out-of-memory accesses by dropping the selection before the various con_font_set() console handlers are called. CVE-2022-49948 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49948.html CVE-2022-49948 https://bugzilla.suse.com/1245058 SUSE Bug 1245058 In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on open The probe session-duplication overflow check incremented the session count also when there were no more available sessions so that memory beyond the fixed-size slab-allocated session array could be corrupted in fastrpc_session_alloc() on open(). CVE-2022-49950 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49950.html CVE-2022-49950 https://bugzilla.suse.com/1244958 SUSE Bug 1244958 In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on probe Add the missing sanity check on the probed-session count to avoid corrupting memory beyond the fixed-size slab-allocated session array when there are more than FASTRPC_MAX_SESSIONS sessions defined in the devicetree. CVE-2022-49952 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49952.html CVE-2022-49952 https://bugzilla.suse.com/1244945 SUSE Bug 1244945 In the Linux kernel, the following vulnerability has been resolved: Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag syzbot is reporting hung task at __input_unregister_device() [1], for iforce_close() waiting at wait_event_interruptible() with dev->mutex held is blocking input_disconnect_device() from __input_unregister_device(). It seems that the cause is simply that commit c2b27ef672992a20 ("Input: iforce - wait for command completion when closing the device") forgot to call wake_up() after clear_bit(). Fix this problem by introducing a helper that calls clear_bit() followed by wake_up_all(). CVE-2022-49954 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49954.html CVE-2022-49954 https://bugzilla.suse.com/1244976 SUSE Bug 1244976 In the Linux kernel, the following vulnerability has been resolved: staging: rtl8712: fix use after free bugs _Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl() functions don't do anything except free the "pcmd" pointer. It results in a use after free. Delete them. CVE-2022-49956 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49956.html CVE-2022-49956 https://bugzilla.suse.com/1244969 SUSE Bug 1244969 In the Linux kernel, the following vulnerability has been resolved: ieee802154/adf7242: defer destroy_workqueue call There is a possible race condition (use-after-free) like below (FREE) | (USE) adf7242_remove | adf7242_channel cancel_delayed_work_sync | destroy_workqueue (1) | adf7242_cmd_rx | mod_delayed_work (2) | The root cause for this race is that the upper layer (ieee802154) is unaware of this detaching event and the function adf7242_channel can be called without any checks. To fix this, we can add a flag write at the beginning of adf7242_remove and add flag check in adf7242_channel. Or we can just defer the destructive operation like other commit 3e0588c291d6 ("hamradio: defer ax25 kfree after unregister_netdev") which let the ieee802154_unregister_hw() to handle the synchronization. This patch takes the second option. runs") CVE-2022-49968 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49968.html CVE-2022-49968 https://bugzilla.suse.com/1244959 SUSE Bug 1244959 In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead ftrace_startup does not remove ops from ftrace_ops_list when ftrace_startup_enable fails: register_ftrace_function ftrace_startup __register_ftrace_function ... add_ftrace_ops(&ftrace_ops_list, ops) ... ... ftrace_startup_enable // if ftrace failed to modify, ftrace_disabled is set to 1 ... return 0 // ops is in the ftrace_ops_list. When ftrace_disabled = 1, unregister_ftrace_function simply returns without doing anything: unregister_ftrace_function ftrace_shutdown if (unlikely(ftrace_disabled)) return -ENODEV; // return here, __unregister_ftrace_function is not executed, // as a result, ops is still in the ftrace_ops_list __unregister_ftrace_function ... If ops is dynamically allocated, it will be free later, in this case, is_ftrace_trampoline accesses NULL pointer: is_ftrace_trampoline ftrace_ops_trampoline do_for_each_ftrace_op(op, ftrace_ops_list) // OOPS! op may be NULL! Syzkaller reports as follows: [ 1203.506103] BUG: kernel NULL pointer dereference, address: 000000000000010b [ 1203.508039] #PF: supervisor read access in kernel mode [ 1203.508798] #PF: error_code(0x0000) - not-present page [ 1203.509558] PGD 800000011660b067 P4D 800000011660b067 PUD 130fb8067 PMD 0 [ 1203.510560] Oops: 0000 [#1] SMP KASAN PTI [ 1203.511189] CPU: 6 PID: 29532 Comm: syz-executor.2 Tainted: G B W 5.10.0 #8 [ 1203.512324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 1203.513895] RIP: 0010:is_ftrace_trampoline+0x26/0xb0 [ 1203.514644] Code: ff eb d3 90 41 55 41 54 49 89 fc 55 53 e8 f2 00 fd ff 48 8b 1d 3b 35 5d 03 e8 e6 00 fd ff 48 8d bb 90 00 00 00 e8 2a 81 26 00 <48> 8b ab 90 00 00 00 48 85 ed 74 1d e8 c9 00 fd ff 48 8d bb 98 00 [ 1203.518838] RSP: 0018:ffffc900012cf960 EFLAGS: 00010246 [ 1203.520092] RAX: 0000000000000000 RBX: 000000000000007b RCX: ffffffff8a331866 [ 1203.521469] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 000000000000010b [ 1203.522583] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8df18b07 [ 1203.523550] R10: fffffbfff1be3160 R11: 0000000000000001 R12: 0000000000478399 [ 1203.524596] R13: 0000000000000000 R14: ffff888145088000 R15: 0000000000000008 [ 1203.525634] FS: 00007f429f5f4700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000 [ 1203.526801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1203.527626] CR2: 000000000000010b CR3: 0000000170e1e001 CR4: 00000000003706e0 [ 1203.528611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1203.529605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Therefore, when ftrace_startup_enable fails, we need to rollback registration process and remove ops from ftrace_ops_list. CVE-2022-49977 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49977.html CVE-2022-49977 https://bugzilla.suse.com/1244936 SUSE Bug 1244936 In the Linux kernel, the following vulnerability has been resolved: fbdev: fb_pm2fb: Avoid potential divide by zero error In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be copied from user, then go through `fb_set_var()` and `info->fbops->fb_check_var()` which could may be `pm2fb_check_var()`. Along the path, `var->pixclock` won't be modified. This function checks whether reciprocal of `var->pixclock` is too high. If `var->pixclock` is zero, there will be a divide by zero error. So, it is necessary to check whether denominator is zero to avoid crash. As this bug is found by Syzkaller, logs are listed below. divide error in pm2fb_check_var Call Trace: <TASK> fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 CVE-2022-49978 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49978.html CVE-2022-49978 https://bugzilla.suse.com/1245195 SUSE Bug 1245195 In the Linux kernel, the following vulnerability has been resolved: HID: hidraw: fix memory leak in hidraw_release() Free the buffered reports before deleting the list entry. BUG: memory leak unreferenced object 0xffff88810e72f180 (size 32): comm "softirq", pid 0, jiffies 4294945143 (age 16.080s) hex dump (first 32 bytes): 64 f3 c6 6a d1 88 07 04 00 00 00 00 00 00 00 00 d..j............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff814ac6c3>] kmemdup+0x23/0x50 mm/util.c:128 [<ffffffff8357c1d2>] kmemdup include/linux/fortify-string.h:440 [inline] [<ffffffff8357c1d2>] hidraw_report_event+0xa2/0x150 drivers/hid/hidraw.c:521 [<ffffffff8356ddad>] hid_report_raw_event+0x27d/0x740 drivers/hid/hid-core.c:1992 [<ffffffff8356e41e>] hid_input_report+0x1ae/0x270 drivers/hid/hid-core.c:2065 [<ffffffff835f0d3f>] hid_irq_in+0x1ff/0x250 drivers/hid/usbhid/hid-core.c:284 [<ffffffff82d3c7f9>] __usb_hcd_giveback_urb+0xf9/0x230 drivers/usb/core/hcd.c:1670 [<ffffffff82d3cc26>] usb_hcd_giveback_urb+0x1b6/0x1d0 drivers/usb/core/hcd.c:1747 [<ffffffff82ef1e14>] dummy_timer+0x8e4/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1988 [<ffffffff812f50a8>] call_timer_fn+0x38/0x200 kernel/time/timer.c:1474 [<ffffffff812f5586>] expire_timers kernel/time/timer.c:1519 [inline] [<ffffffff812f5586>] __run_timers.part.0+0x316/0x430 kernel/time/timer.c:1790 [<ffffffff812f56e4>] __run_timers kernel/time/timer.c:1768 [inline] [<ffffffff812f56e4>] run_timer_softirq+0x44/0x90 kernel/time/timer.c:1803 [<ffffffff848000e6>] __do_softirq+0xe6/0x2ea kernel/softirq.c:571 [<ffffffff81246db0>] invoke_softirq kernel/softirq.c:445 [inline] [<ffffffff81246db0>] __irq_exit_rcu kernel/softirq.c:650 [inline] [<ffffffff81246db0>] irq_exit_rcu+0xc0/0x110 kernel/softirq.c:662 [<ffffffff84574f02>] sysvec_apic_timer_interrupt+0xa2/0xd0 arch/x86/kernel/apic/apic.c:1106 [<ffffffff84600c8b>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649 [<ffffffff8458a070>] native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] [<ffffffff8458a070>] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] [<ffffffff8458a070>] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] [<ffffffff8458a070>] acpi_idle_do_entry+0xc0/0xd0 drivers/acpi/processor_idle.c:554 CVE-2022-49981 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49981.html CVE-2022-49981 https://bugzilla.suse.com/1245072 SUSE Bug 1245072 In the Linux kernel, the following vulnerability has been resolved: HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report It is possible for a malicious device to forgo submitting a Feature Report. The HID Steam driver presently makes no prevision for this and de-references the 'struct hid_report' pointer obtained from the HID devices without first checking its validity. Let's change that. CVE-2022-49984 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49984.html CVE-2022-49984 https://bugzilla.suse.com/1244950 SUSE Bug 1244950 In the Linux kernel, the following vulnerability has been resolved: bpf: Don't use tnum_range on array range checking for poke descriptors Hsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which is based on a customized syzkaller: BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0 Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489 CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x9c/0xc9 print_address_description.constprop.0+0x1f/0x1f0 ? bpf_int_jit_compile+0x1257/0x13f0 kasan_report.cold+0xeb/0x197 ? kvmalloc_node+0x170/0x200 ? bpf_int_jit_compile+0x1257/0x13f0 bpf_int_jit_compile+0x1257/0x13f0 ? arch_prepare_bpf_dispatcher+0xd0/0xd0 ? rcu_read_lock_sched_held+0x43/0x70 bpf_prog_select_runtime+0x3e8/0x640 ? bpf_obj_name_cpy+0x149/0x1b0 bpf_prog_load+0x102f/0x2220 ? __bpf_prog_put.constprop.0+0x220/0x220 ? find_held_lock+0x2c/0x110 ? __might_fault+0xd6/0x180 ? lock_downgrade+0x6e0/0x6e0 ? lock_is_held_type+0xa6/0x120 ? __might_fault+0x147/0x180 __sys_bpf+0x137b/0x6070 ? bpf_perf_link_attach+0x530/0x530 ? new_sync_read+0x600/0x600 ? __fget_files+0x255/0x450 ? lock_downgrade+0x6e0/0x6e0 ? fput+0x30/0x1a0 ? ksys_write+0x1a8/0x260 __x64_sys_bpf+0x7a/0xc0 ? syscall_enter_from_user_mode+0x21/0x70 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f917c4e2c2d The problem here is that a range of tnum_range(0, map->max_entries - 1) has limited ability to represent the concrete tight range with the tnum as the set of resulting states from value + mask can result in a superset of the actual intended range, and as such a tnum_in(range, reg->var_off) check may yield true when it shouldn't, for example tnum_range(0, 2) would result in 00XX -> v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here represented by a less precise superset of {0, 1, 2, 3}. As the register is known const scalar, really just use the concrete reg->var_off.value for the upper index check. CVE-2022-49985 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49985.html CVE-2022-49985 https://bugzilla.suse.com/1244956 SUSE Bug 1244956 In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq storvsc_error_wq workqueue should not be marked as WQ_MEM_RECLAIM as it doesn't need to make forward progress under memory pressure. Marking this workqueue as WQ_MEM_RECLAIM may cause deadlock while flushing a non-WQ_MEM_RECLAIM workqueue. In the current state it causes the following warning: [ 14.506347] ------------[ cut here ]------------ [ 14.506354] workqueue: WQ_MEM_RECLAIM storvsc_error_wq_0:storvsc_remove_lun is flushing !WQ_MEM_RECLAIM events_freezable_power_:disk_events_workfn [ 14.506360] WARNING: CPU: 0 PID: 8 at <-snip->kernel/workqueue.c:2623 check_flush_dependency+0xb5/0x130 [ 14.506390] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.4.0-1086-azure #91~18.04.1-Ubuntu [ 14.506391] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022 [ 14.506393] Workqueue: storvsc_error_wq_0 storvsc_remove_lun [ 14.506395] RIP: 0010:check_flush_dependency+0xb5/0x130 <-snip-> [ 14.506408] Call Trace: [ 14.506412] __flush_work+0xf1/0x1c0 [ 14.506414] __cancel_work_timer+0x12f/0x1b0 [ 14.506417] ? kernfs_put+0xf0/0x190 [ 14.506418] cancel_delayed_work_sync+0x13/0x20 [ 14.506420] disk_block_events+0x78/0x80 [ 14.506421] del_gendisk+0x3d/0x2f0 [ 14.506423] sr_remove+0x28/0x70 [ 14.506427] device_release_driver_internal+0xef/0x1c0 [ 14.506428] device_release_driver+0x12/0x20 [ 14.506429] bus_remove_device+0xe1/0x150 [ 14.506431] device_del+0x167/0x380 [ 14.506432] __scsi_remove_device+0x11d/0x150 [ 14.506433] scsi_remove_device+0x26/0x40 [ 14.506434] storvsc_remove_lun+0x40/0x60 [ 14.506436] process_one_work+0x209/0x400 [ 14.506437] worker_thread+0x34/0x400 [ 14.506439] kthread+0x121/0x140 [ 14.506440] ? process_one_work+0x400/0x400 [ 14.506441] ? kthread_park+0x90/0x90 [ 14.506443] ret_from_fork+0x35/0x40 [ 14.506445] ---[ end trace 2d9633159fdc6ee7 ]--- CVE-2022-49986 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49986.html CVE-2022-49986 https://bugzilla.suse.com/1244948 SUSE Bug 1244948 In the Linux kernel, the following vulnerability has been resolved: md: call __md_stop_writes in md_stop From the link [1], we can see raid1d was running even after the path raid_dtr -> md_stop -> __md_stop. Let's stop write first in destructor to align with normal md-raid to fix the KASAN issue. [1]. https://lore.kernel.org/linux-raid/CAPhsuW5gc4AakdGNdF8ubpezAuDLFOYUO_sfMZcec6hQFm8nhg@mail.gmail.com/T/#m7f12bf90481c02c6d2da68c64aeed4779b7df74a CVE-2022-49987 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49987.html CVE-2022-49987 https://bugzilla.suse.com/1245024 SUSE Bug 1245024 In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix error exit of privcmd_ioctl_dm_op() The error exit of privcmd_ioctl_dm_op() is calling unlock_pages() potentially with pages being NULL, leading to a NULL dereference. Additionally lock_pages() doesn't check for pin_user_pages_fast() having been completely successful, resulting in potentially not locking all pages into memory. This could result in sporadic failures when using the related memory in user mode. Fix all of that by calling unlock_pages() always with the real number of pinned pages, which will be zero in case pages being NULL, and by checking the number of pages pinned by pin_user_pages_fast() matching the expected number of pages. CVE-2022-49989 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49989.html CVE-2022-49989 https://bugzilla.suse.com/1245007 SUSE Bug 1245007 In the Linux kernel, the following vulnerability has been resolved: s390: fix double free of GS and RI CBs on fork() failure The pointers for guarded storage and runtime instrumentation control blocks are stored in the thread_struct of the associated task. These pointers are initially copied on fork() via arch_dup_task_struct() and then cleared via copy_thread() before fork() returns. If fork() happens to fail after the initial task dup and before copy_thread(), the newly allocated task and associated thread_struct memory are freed via free_task() -> arch_release_task_struct(). This results in a double free of the guarded storage and runtime info structs because the fields in the failed task still refer to memory associated with the source task. This problem can manifest as a BUG_ON() in set_freepointer() (with CONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled) when running trinity syscall fuzz tests on s390x. To avoid this problem, clear the associated pointer fields in arch_dup_task_struct() immediately after the new task is copied. Note that the RI flag is still cleared in copy_thread() because it resides in thread stack memory and that is where stack info is copied. CVE-2022-49990 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49990.html CVE-2022-49990 https://bugzilla.suse.com/1245006 SUSE Bug 1245006 In the Linux kernel, the following vulnerability has been resolved: loop: Check for overflow while configuring loop The userspace can configure a loop using an ioctl call, wherein a configuration of type loop_config is passed (see lo_ioctl()'s case on line 1550 of drivers/block/loop.c). This proceeds to call loop_configure() which in turn calls loop_set_status_from_info() (see line 1050 of loop.c), passing &config->info which is of type loop_info64*. This function then sets the appropriate values, like the offset. loop_device has lo_offset of type loff_t (see line 52 of loop.c), which is typdef-chained to long long, whereas loop_info64 has lo_offset of type __u64 (see line 56 of include/uapi/linux/loop.h). The function directly copies offset from info to the device as follows (See line 980 of loop.c): lo->lo_offset = info->lo_offset; This results in an overflow, which triggers a warning in iomap_iter() due to a call to iomap_iter_done() which has: WARN_ON_ONCE(iter->iomap.offset > iter->pos); Thus, check for negative value during loop_set_status_from_info(). Bug report: https://syzkaller.appspot.com/bug?id=c620fe14aac810396d3c3edc9ad73848bf69a29e CVE-2022-49993 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-49993.html CVE-2022-49993 https://bugzilla.suse.com/1245121 SUSE Bug 1245121 In the Linux kernel, the following vulnerability has been resolved: video: fbdev: i740fb: Check the argument of i740_calc_vclk() Since the user can control the arguments of the ioctl() from the user space, under special arguments that may result in a divide-by-zero bug. If the user provides an improper 'pixclock' value that makes the argumet of i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a divide-by-zero bug in: drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX))); The following log can reveal it: divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline] RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline] RIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 Fix this by checking the argument of i740_calc_vclk() first. CVE-2022-50010 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50010.html CVE-2022-50010 https://bugzilla.suse.com/1245122 SUSE Bug 1245122 In the Linux kernel, the following vulnerability has been resolved: powerpc/64: Init jump labels before parse_early_param() On 64-bit, calling jump_label_init() in setup_feature_keys() is too late because static keys may be used in subroutines of parse_early_param() which is again subroutine of early_init_devtree(). For example booting with "threadirqs": static_key_enable_cpuslocked(): static key '0xc000000002953260' used before call to jump_label_init() WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120 ... NIP static_key_enable_cpuslocked+0xfc/0x120 LR static_key_enable_cpuslocked+0xf8/0x120 Call Trace: static_key_enable_cpuslocked+0xf8/0x120 (unreliable) static_key_enable+0x30/0x50 setup_forced_irqthreads+0x28/0x40 do_early_param+0xa0/0x108 parse_args+0x290/0x4e0 parse_early_options+0x48/0x5c parse_early_param+0x58/0x84 early_init_devtree+0xd4/0x518 early_setup+0xb4/0x214 So call jump_label_init() just before parse_early_param() in early_init_devtree(). [mpe: Add call trace to change log and minor wording edits.] CVE-2022-50012 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50012.html CVE-2022-50012 https://bugzilla.suse.com/1245125 SUSE Bug 1245125 In the Linux kernel, the following vulnerability has been resolved: tty: serial: Fix refcount leak bug in ucc_uart.c In soc_info(), of_find_node_by_type() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore. CVE-2022-50019 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50019.html CVE-2022-50019 https://bugzilla.suse.com/1245098 SUSE Bug 1245098 In the Linux kernel, the following vulnerability has been resolved: ext4: avoid resizing to a partial cluster size This patch avoids an attempt to resize the filesystem to an unaligned cluster boundary. An online resize to a size that is not integral to cluster size results in the last iteration attempting to grow the fs by a negative amount, which trips a BUG_ON and leaves the fs with a corrupted in-memory superblock. CVE-2022-50020 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50020.html CVE-2022-50020 https://bugzilla.suse.com/1245129 SUSE Bug 1245129 https://bugzilla.suse.com/1245130 SUSE Bug 1245130 In the Linux kernel, the following vulnerability has been resolved: drivers:md:fix a potential use-after-free bug In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and may cause sh to be released. However, sh is subsequently used in lines 2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an use-after-free bug. It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of the function. CVE-2022-50022 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50022.html CVE-2022-50022 https://bugzilla.suse.com/1245131 SUSE Bug 1245131 In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix possible memory leak when failing to issue CMF WQE There is no corresponding free routine if lpfc_sli4_issue_wqe fails to issue the CMF WQE in lpfc_issue_cmf_sync_wqe. If ret_val is non-zero, then free the iocbq request structure. CVE-2022-50027 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50027.html CVE-2022-50027 https://bugzilla.suse.com/1245073 SUSE Bug 1245073 In the Linux kernel, the following vulnerability has been resolved: gadgetfs: ep_io - wait until IRQ finishes after usb_ep_queue() if wait_for_completion_interruptible() is interrupted we need to wait until IRQ gets finished. Otherwise complete() from epio_complete() can corrupt stack. CVE-2022-50028 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50028.html CVE-2022-50028 https://bugzilla.suse.com/1245135 SUSE Bug 1245135 In the Linux kernel, the following vulnerability has been resolved: clk: qcom: ipq8074: dont disable gcc_sleep_clk_src Once the usb sleep clocks are disabled, clock framework is trying to disable the sleep clock source also. However, it seems that it cannot be disabled and trying to do so produces: [ 245.436390] ------------[ cut here ]------------ [ 245.441233] gcc_sleep_clk_src status stuck at 'on' [ 245.441254] WARNING: CPU: 2 PID: 223 at clk_branch_wait+0x130/0x140 [ 245.450435] Modules linked in: xhci_plat_hcd xhci_hcd dwc3 dwc3_qcom leds_gpio [ 245.456601] CPU: 2 PID: 223 Comm: sh Not tainted 5.18.0-rc4 #215 [ 245.463889] Hardware name: Xiaomi AX9000 (DT) [ 245.470050] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 245.474307] pc : clk_branch_wait+0x130/0x140 [ 245.481073] lr : clk_branch_wait+0x130/0x140 [ 245.485588] sp : ffffffc009f2bad0 [ 245.489838] x29: ffffffc009f2bad0 x28: ffffff8003e6c800 x27: 0000000000000000 [ 245.493057] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800226ef20 [ 245.500175] x23: ffffffc0089ff550 x22: 0000000000000000 x21: ffffffc008476ad0 [ 245.507294] x20: 0000000000000000 x19: ffffffc00965ac70 x18: fffffffffffc51a7 [ 245.514413] x17: 68702e3030303837 x16: 3a6d726f6674616c x15: ffffffc089f2b777 [ 245.521531] x14: ffffffc0095c9d18 x13: 0000000000000129 x12: 0000000000000129 [ 245.528649] x11: 00000000ffffffea x10: ffffffc009621d18 x9 : 0000000000000001 [ 245.535767] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : 0000000000000001 [ 245.542885] x5 : ffffff803fdca6d8 x4 : 0000000000000000 x3 : 0000000000000027 [ 245.550002] x2 : 0000000000000027 x1 : 0000000000000023 x0 : 0000000000000026 [ 245.557122] Call trace: [ 245.564229] clk_branch_wait+0x130/0x140 [ 245.566490] clk_branch2_disable+0x2c/0x40 [ 245.570656] clk_core_disable+0x60/0xb0 [ 245.574561] clk_core_disable+0x68/0xb0 [ 245.578293] clk_disable+0x30/0x50 [ 245.582113] dwc3_qcom_remove+0x60/0xc0 [dwc3_qcom] [ 245.585588] platform_remove+0x28/0x60 [ 245.590361] device_remove+0x4c/0x80 [ 245.594179] device_release_driver_internal+0x1dc/0x230 [ 245.597914] device_driver_detach+0x18/0x30 [ 245.602861] unbind_store+0xec/0x110 [ 245.607027] drv_attr_store+0x24/0x40 [ 245.610847] sysfs_kf_write+0x44/0x60 [ 245.614405] kernfs_fop_write_iter+0x128/0x1c0 [ 245.618052] new_sync_write+0xc0/0x130 [ 245.622391] vfs_write+0x1d4/0x2a0 [ 245.626123] ksys_write+0x58/0xe0 [ 245.629508] __arm64_sys_write+0x1c/0x30 [ 245.632895] invoke_syscall.constprop.0+0x5c/0x110 [ 245.636890] do_el0_svc+0xa0/0x150 [ 245.641488] el0_svc+0x18/0x60 [ 245.644872] el0t_64_sync_handler+0xa4/0x130 [ 245.647914] el0t_64_sync+0x174/0x178 [ 245.652340] ---[ end trace 0000000000000000 ]--- So, add CLK_IS_CRITICAL flag to the clock so that the kernel won't try to disable the sleep clock. CVE-2022-50029 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50029.html CVE-2022-50029 https://bugzilla.suse.com/1245146 SUSE Bug 1245146 In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input Malformed user input to debugfs results in buffer overflow crashes. Adapt input string lengths to fit within internal buffers, leaving space for NULL terminators. CVE-2022-50030 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50030.html CVE-2022-50030 https://bugzilla.suse.com/1245265 SUSE Bug 1245265 In the Linux kernel, the following vulnerability has been resolved: usb: renesas: Fix refcount leak bug In usbhs_rza1_hardware_init(), of_find_node_by_name() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore. CVE-2022-50032 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50032.html CVE-2022-50032 https://bugzilla.suse.com/1245103 SUSE Bug 1245103 In the Linux kernel, the following vulnerability has been resolved: usb: host: ohci-ppc-of: Fix refcount leak bug In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore. CVE-2022-50033 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50033.html CVE-2022-50033 https://bugzilla.suse.com/1245139 SUSE Bug 1245139 In the Linux kernel, the following vulnerability has been resolved: drm/sun4i: dsi: Prevent underflow when computing packet sizes Currently, the packet overhead is subtracted using unsigned arithmetic. With a short sync pulse, this could underflow and wrap around to near the maximal u16 value. Fix this by using signed subtraction. The call to max() will correctly handle any negative numbers that are produced. Apply the same fix to the other timings, even though those subtractions are less likely to underflow. CVE-2022-50036 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50036.html CVE-2022-50036 https://bugzilla.suse.com/1244941 SUSE Bug 1244941 In the Linux kernel, the following vulnerability has been resolved: drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors() In this function, there are two refcount leak bugs: (1) when breaking out of for_each_endpoint_of_node(), we need call the of_node_put() for the 'ep'; (2) we should call of_node_put() for the reference returned by of_graph_get_remote_port() when it is not used anymore. CVE-2022-50038 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50038.html CVE-2022-50038 https://bugzilla.suse.com/1244943 SUSE Bug 1244943 In the Linux kernel, the following vulnerability has been resolved: powerpc/pci: Fix get_phb_number() locking The recent change to get_phb_number() causes a DEBUG_ATOMIC_SLEEP warning on some systems: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 1 lock held by swapper/1: #0: c157efb0 (hose_spinlock){+.+.}-{2:2}, at: pcibios_alloc_controller+0x64/0x220 Preemption disabled at: [<00000000>] 0x0 CPU: 0 PID: 1 Comm: swapper Not tainted 5.19.0-yocto-standard+ #1 Call Trace: [d101dc90] [c073b264] dump_stack_lvl+0x50/0x8c (unreliable) [d101dcb0] [c0093b70] __might_resched+0x258/0x2a8 [d101dcd0] [c0d3e634] __mutex_lock+0x6c/0x6ec [d101dd50] [c0a84174] of_alias_get_id+0x50/0xf4 [d101dd80] [c002ec78] pcibios_alloc_controller+0x1b8/0x220 [d101ddd0] [c140c9dc] pmac_pci_init+0x198/0x784 [d101de50] [c140852c] discover_phbs+0x30/0x4c [d101de60] [c0007fd4] do_one_initcall+0x94/0x344 [d101ded0] [c1403b40] kernel_init_freeable+0x1a8/0x22c [d101df10] [c00086e0] kernel_init+0x34/0x160 [d101df30] [c001b334] ret_from_kernel_thread+0x5c/0x64 This is because pcibios_alloc_controller() holds hose_spinlock but of_alias_get_id() takes of_mutex which can sleep. The hose_spinlock protects the phb_bitmap, and also the hose_list, but it doesn't need to be held while get_phb_number() calls the OF routines, because those are only looking up information in the device tree. So fix it by having get_phb_number() take the hose_spinlock itself, only where required, and then dropping the lock before returning. pcibios_alloc_controller() then needs to take the lock again before the list_add() but that's safe, the order of the list is not important. CVE-2022-50045 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50045.html CVE-2022-50045 https://bugzilla.suse.com/1244967 SUSE Bug 1244967 In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: debug: Fix potential buffer overflow by snprintf() snprintf() returns the would-be-filled size when the string overflows the given buffer size, hence using this value may result in the buffer overflow (although it's unrealistic). This patch replaces with a safer version, scnprintf() for papering over such a potential issue. CVE-2022-50051 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50051.html CVE-2022-50051 https://bugzilla.suse.com/1245041 SUSE Bug 1245041 In the Linux kernel, the following vulnerability has been resolved: ceph: don't leak snap_rwsem in handle_cap_grant When handle_cap_grant is called on an IMPORT op, then the snap_rwsem is held and the function is expected to release it before returning. It currently fails to do that in all cases which could lead to a deadlock. CVE-2022-50059 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50059.html CVE-2022-50059 https://bugzilla.suse.com/1245031 SUSE Bug 1245031 In the Linux kernel, the following vulnerability has been resolved: pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak." CVE-2022-50061 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50061.html CVE-2022-50061 https://bugzilla.suse.com/1245033 SUSE Bug 1245033 In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix memory leak inside XPD_TX with mergeable When we call xdp_convert_buff_to_frame() to get xdpf, if it returns NULL, we should check if xdp_page was allocated by xdp_linearize_page(). If it is newly allocated, it should be freed here alone. Just like any other "goto err_xdp". CVE-2022-50065 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50065.html CVE-2022-50065 https://bugzilla.suse.com/1244986 SUSE Bug 1244986 In the Linux kernel, the following vulnerability has been resolved: btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() In btrfs_relocate_block_group(), the rc is allocated. Then btrfs_relocate_block_group() calls relocate_block_group() prepare_to_relocate() set_reloc_control() that assigns rc to the variable fs_info->reloc_ctl. When prepare_to_relocate() returns, it calls btrfs_commit_transaction() btrfs_start_dirty_block_groups() btrfs_alloc_path() kmem_cache_zalloc() which may fail for example (or other errors could happen). When the failure occurs, btrfs_relocate_block_group() detects the error and frees rc and doesn't set fs_info->reloc_ctl to NULL. After that, in btrfs_init_reloc_root(), rc is retrieved from fs_info->reloc_ctl and then used, which may cause a use-after-free bug. This possible bug can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag(). To fix this possible bug, in prepare_to_relocate(), check if btrfs_commit_transaction() fails. If the failure occurs, unset_reloc_control() is called to set fs_info->reloc_ctl to NULL. The error log in our fault-injection testing is shown as follows: [ 58.751070] BUG: KASAN: use-after-free in btrfs_init_reloc_root+0x7ca/0x920 [btrfs] ... [ 58.753577] Call Trace: ... [ 58.755800] kasan_report+0x45/0x60 [ 58.756066] btrfs_init_reloc_root+0x7ca/0x920 [btrfs] [ 58.757304] record_root_in_trans+0x792/0xa10 [btrfs] [ 58.757748] btrfs_record_root_in_trans+0x463/0x4f0 [btrfs] [ 58.758231] start_transaction+0x896/0x2950 [btrfs] [ 58.758661] btrfs_defrag_root+0x250/0xc00 [btrfs] [ 58.759083] btrfs_ioctl_defrag+0x467/0xa00 [btrfs] [ 58.759513] btrfs_ioctl+0x3c95/0x114e0 [btrfs] ... [ 58.768510] Allocated by task 23683: [ 58.768777] ____kasan_kmalloc+0xb5/0xf0 [ 58.769069] __kmalloc+0x227/0x3d0 [ 58.769325] alloc_reloc_control+0x10a/0x3d0 [btrfs] [ 58.769755] btrfs_relocate_block_group+0x7aa/0x1e20 [btrfs] [ 58.770228] btrfs_relocate_chunk+0xf1/0x760 [btrfs] [ 58.770655] __btrfs_balance+0x1326/0x1f10 [btrfs] [ 58.771071] btrfs_balance+0x3150/0x3d30 [btrfs] [ 58.771472] btrfs_ioctl_balance+0xd84/0x1410 [btrfs] [ 58.771902] btrfs_ioctl+0x4caa/0x114e0 [btrfs] ... [ 58.773337] Freed by task 23683: ... [ 58.774815] kfree+0xda/0x2b0 [ 58.775038] free_reloc_control+0x1d6/0x220 [btrfs] [ 58.775465] btrfs_relocate_block_group+0x115c/0x1e20 [btrfs] [ 58.775944] btrfs_relocate_chunk+0xf1/0x760 [btrfs] [ 58.776369] __btrfs_balance+0x1326/0x1f10 [btrfs] [ 58.776784] btrfs_balance+0x3150/0x3d30 [btrfs] [ 58.777185] btrfs_ioctl_balance+0xd84/0x1410 [btrfs] [ 58.777621] btrfs_ioctl+0x4caa/0x114e0 [btrfs] ... CVE-2022-50067 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50067.html CVE-2022-50067 https://bugzilla.suse.com/1245047 SUSE Bug 1245047 In the Linux kernel, the following vulnerability has been resolved: NFSv4/pnfs: Fix a use-after-free bug in open If someone cancels the open RPC call, then we must not try to free either the open slot or the layoutget operation arguments, since they are likely still in use by the hung RPC call. CVE-2022-50072 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50072.html CVE-2022-50072 https://bugzilla.suse.com/1244979 SUSE Bug 1244979 In the Linux kernel, the following vulnerability has been resolved: ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h When adding an xattr to an inode, we must ensure that the inode_size is not less than EXT4_GOOD_OLD_INODE_SIZE + extra_isize + pad. Otherwise, the end position may be greater than the start position, resulting in UAF. CVE-2022-50083 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50083.html CVE-2022-50083 https://bugzilla.suse.com/1244968 SUSE Bug 1244968 In the Linux kernel, the following vulnerability has been resolved: dm raid: fix address sanitizer warning in raid_status There is this warning when using a kernel with the address sanitizer and running this testsuite: https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid ================================================================== BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid] Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319 CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6a/0x9c print_address_description.constprop.0+0x1f/0x1e0 print_report.cold+0x55/0x244 kasan_report+0xc9/0x100 raid_status+0x1747/0x2820 [dm_raid] dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod] table_load+0x35c/0x630 [dm_mod] ctl_ioctl+0x411/0x630 [dm_mod] dm_ctl_ioctl+0xa/0x10 [dm_mod] __x64_sys_ioctl+0x12a/0x1a0 do_syscall_64+0x5b/0x80 The warning is caused by reading conf->max_nr_stripes in raid_status. The code in raid_status reads mddev->private, casts it to struct r5conf and reads the entry max_nr_stripes. However, if we have different raid type than 4/5/6, mddev->private doesn't point to struct r5conf; it may point to struct r0conf, struct r1conf, struct r10conf or struct mpconf. If we cast a pointer to one of these structs to struct r5conf, we will be reading invalid memory and KASAN warns about it. Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6. CVE-2022-50084 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50084.html CVE-2022-50084 https://bugzilla.suse.com/1245117 SUSE Bug 1245117 In the Linux kernel, the following vulnerability has been resolved: dm raid: fix address sanitizer warning in raid_resume There is a KASAN warning in raid_resume when running the lvm test lvconvert-raid.sh. The reason for the warning is that mddev->raid_disks is greater than rs->raid_disks, so the loop touches one entry beyond the allocated length. CVE-2022-50085 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50085.html CVE-2022-50085 https://bugzilla.suse.com/1245147 SUSE Bug 1245147 In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care, then it could result use-after-free as the value is exported via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc() but freed when the probe fails. CVE-2022-50087 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50087.html CVE-2022-50087 https://bugzilla.suse.com/1245119 SUSE Bug 1245119 https://bugzilla.suse.com/1245294 SUSE Bug 1245294 In the Linux kernel, the following vulnerability has been resolved: locking/csd_lock: Change csdlock_debug from early_param to __setup The csdlock_debug kernel-boot parameter is parsed by the early_param() function csdlock_debug(). If set, csdlock_debug() invokes static_branch_enable() to enable csd_lock_wait feature, which triggers a panic on arm64 for kernels built with CONFIG_SPARSEMEM=y and CONFIG_SPARSEMEM_VMEMMAP=n. With CONFIG_SPARSEMEM_VMEMMAP=n, __nr_to_section is called in static_key_enable() and returns NULL, resulting in a NULL dereference because mem_section is initialized only later in sparse_init(). This is also a problem for powerpc because early_param() functions are invoked earlier than jump_label_init(), also resulting in static_key_enable() failures. These failures cause the warning "static key 'xxx' used before call to jump_label_init()". Thus, early_param is too early for csd_lock_wait to run static_branch_enable(), so changes it to __setup to fix these. CVE-2022-50091 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50091.html CVE-2022-50091 https://bugzilla.suse.com/1244885 SUSE Bug 1244885 In the Linux kernel, the following vulnerability has been resolved: dm thin: fix use-after-free crash in dm_sm_register_threshold_callback Fault inject on pool metadata device reports: BUG: KASAN: use-after-free in dm_pool_register_metadata_threshold+0x40/0x80 Read of size 8 at addr ffff8881b9d50068 by task dmsetup/950 CPU: 7 PID: 950 Comm: dmsetup Tainted: G W 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xeb/0x3f4 kasan_report.cold+0xe6/0x147 dm_pool_register_metadata_threshold+0x40/0x80 pool_ctr+0xa0a/0x1150 dm_table_add_target+0x2c8/0x640 table_load+0x1fd/0x430 ctl_ioctl+0x2c4/0x5a0 dm_ctl_ioctl+0xa/0x10 __x64_sys_ioctl+0xb3/0xd0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This can be easily reproduced using: echo offline > /sys/block/sda/device/state dd if=/dev/zero of=/dev/mapper/thin bs=4k count=10 dmsetup load pool --table "0 20971520 thin-pool /dev/sda /dev/sdb 128 0 0" If a metadata commit fails, the transaction will be aborted and the metadata space maps will be destroyed. If a DM table reload then happens for this failed thin-pool, a use-after-free will occur in dm_sm_register_threshold_callback (called from dm_pool_register_metadata_threshold). Fix this by in dm_pool_register_metadata_threshold() by returning the -EINVAL error if the thin-pool is in fail mode. Also fail pool_ctr() with a new error message: "Error registering metadata threshold". CVE-2022-50092 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50092.html CVE-2022-50092 https://bugzilla.suse.com/1244848 SUSE Bug 1244848 In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) KASAN reports: [ 4.668325][ T0] BUG: KASAN: wild-memory-access in dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497) [ 4.676149][ T0] Read of size 8 at addr 1fffffff85115558 by task swapper/0/0 [ 4.683454][ T0] [ 4.685638][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc3-00004-g0e862838f290 #1 [ 4.694331][ T0] Hardware name: Supermicro SYS-5018D-FN4T/X10SDV-8C-TLN4F, BIOS 1.1 03/02/2016 [ 4.703196][ T0] Call Trace: [ 4.706334][ T0] <TASK> [ 4.709133][ T0] ? dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497) after converting the type of the first argument (@nr, bit number) of arch_test_bit() from `long` to `unsigned long`[0]. Under certain conditions (for example, when ACPI NUMA is disabled via command line), pxm_to_node() can return %NUMA_NO_NODE (-1). It is valid 'magic' number of NUMA node, but not valid bit number to use in bitops. node_online() eventually descends to test_bit() without checking for the input, assuming it's on caller side (which might be good for perf-critical tasks). There, -1 becomes %ULONG_MAX which leads to an insane array index when calculating bit position in memory. For now, add an explicit check for @node being not %NUMA_NO_NODE before calling test_bit(). The actual logics didn't change here at all. [0] https://github.com/norov/linux/commit/0e862838f290147ea9c16db852d8d494b552d38d CVE-2022-50093 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50093.html CVE-2022-50093 https://bugzilla.suse.com/1244849 SUSE Bug 1244849 In the Linux kernel, the following vulnerability has been resolved: spmi: trace: fix stack-out-of-bound access in SPMI tracing functions trace_spmi_write_begin() and trace_spmi_read_end() both call memcpy() with a length of "len + 1". This leads to one extra byte being read beyond the end of the specified buffer. Fix this out-of-bound memory access by using a length of "len" instead. Here is a KASAN log showing the issue: BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234 Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314 ... Call trace: dump_backtrace+0x0/0x3e8 show_stack+0x2c/0x3c dump_stack_lvl+0xdc/0x11c print_address_description+0x74/0x384 kasan_report+0x188/0x268 kasan_check_range+0x270/0x2b0 memcpy+0x90/0xe8 trace_event_raw_event_spmi_read_end+0x1d0/0x234 spmi_read_cmd+0x294/0x3ac spmi_ext_register_readl+0x84/0x9c regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi] _regmap_raw_read+0x40c/0x754 regmap_raw_read+0x3a0/0x514 regmap_bulk_read+0x418/0x494 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3] ... __arm64_sys_read+0x4c/0x60 invoke_syscall+0x80/0x218 el0_svc_common+0xec/0x1c8 ... addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame: adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3] this frame has 1 object: [32, 33) 'status' Memory state around the buggy address: ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00 ^ ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00 ================================================================== CVE-2022-50094 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50094.html CVE-2022-50094 https://bugzilla.suse.com/1244851 SUSE Bug 1244851 In the Linux kernel, the following vulnerability has been resolved: video: fbdev: s3fb: Check the size of screen before memset_io() In the function s3fb_set_par(), the value of 'screen_size' is calculated by the user input. If the user provides the improper value, the value of 'screen_size' may larger than 'info->screen_size', which may cause the following bug: [ 54.083733] BUG: unable to handle page fault for address: ffffc90003000000 [ 54.083742] #PF: supervisor write access in kernel mode [ 54.083744] #PF: error_code(0x0002) - not-present page [ 54.083760] RIP: 0010:memset_orig+0x33/0xb0 [ 54.083782] Call Trace: [ 54.083788] s3fb_set_par+0x1ec6/0x4040 [ 54.083806] fb_set_var+0x604/0xeb0 [ 54.083836] do_fb_ioctl+0x234/0x670 Fix the this by checking the value of 'screen_size' before memset_io(). CVE-2022-50097 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50097.html CVE-2022-50097 https://bugzilla.suse.com/1244845 SUSE Bug 1244845 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts Ensure SRB is returned during I/O timeout error escalation. If that is not possible fail the escalation path. Following crash stack was seen: BUG: unable to handle kernel paging request at 0000002f56aa90f8 IP: qla_chk_edif_rx_sa_delete_pending+0x14/0x30 [qla2xxx] Call Trace: ? qla2x00_status_entry+0x19f/0x1c50 [qla2xxx] ? qla2x00_start_sp+0x116/0x1170 [qla2xxx] ? dma_pool_alloc+0x1d6/0x210 ? mempool_alloc+0x54/0x130 ? qla24xx_process_response_queue+0x548/0x12b0 [qla2xxx] ? qla_do_work+0x2d/0x40 [qla2xxx] ? process_one_work+0x14c/0x390 CVE-2022-50098 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50098.html CVE-2022-50098 https://bugzilla.suse.com/1244841 SUSE Bug 1244841 In the Linux kernel, the following vulnerability has been resolved: video: fbdev: arkfb: Check the size of screen before memset_io() In the function arkfb_set_par(), the value of 'screen_size' is calculated by the user input. If the user provides the improper value, the value of 'screen_size' may larger than 'info->screen_size', which may cause the following bug: [ 659.399066] BUG: unable to handle page fault for address: ffffc90003000000 [ 659.399077] #PF: supervisor write access in kernel mode [ 659.399079] #PF: error_code(0x0002) - not-present page [ 659.399094] RIP: 0010:memset_orig+0x33/0xb0 [ 659.399116] Call Trace: [ 659.399122] arkfb_set_par+0x143f/0x24c0 [ 659.399130] fb_set_var+0x604/0xeb0 [ 659.399161] do_fb_ioctl+0x234/0x670 [ 659.399189] fb_ioctl+0xdd/0x130 Fix the this by checking the value of 'screen_size' before memset_io(). CVE-2022-50099 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50099.html CVE-2022-50099 https://bugzilla.suse.com/1244842 SUSE Bug 1244842 In the Linux kernel, the following vulnerability has been resolved: video: fbdev: vt8623fb: Check the size of screen before memset_io() In the function vt8623fb_set_par(), the value of 'screen_size' is calculated by the user input. If the user provides the improper value, the value of 'screen_size' may larger than 'info->screen_size', which may cause the following bug: [ 583.339036] BUG: unable to handle page fault for address: ffffc90005000000 [ 583.339049] #PF: supervisor write access in kernel mode [ 583.339052] #PF: error_code(0x0002) - not-present page [ 583.339074] RIP: 0010:memset_orig+0x33/0xb0 [ 583.339110] Call Trace: [ 583.339118] vt8623fb_set_par+0x11cd/0x21e0 [ 583.339146] fb_set_var+0x604/0xeb0 [ 583.339181] do_fb_ioctl+0x234/0x670 [ 583.339209] fb_ioctl+0xdd/0x130 Fix the this by checking the value of 'screen_size' before memset_io(). CVE-2022-50101 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50101.html CVE-2022-50101 https://bugzilla.suse.com/1244839 SUSE Bug 1244839 In the Linux kernel, the following vulnerability has been resolved: video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() Since the user can control the arguments of the ioctl() from the user space, under special arguments that may result in a divide-by-zero bug in: drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. and then in: drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock); we'll get a division-by-zero. The following log can reveal it: divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline] RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 Fix this by checking the argument of ark_set_pixclock() first. CVE-2022-50102 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50102.html CVE-2022-50102 https://bugzilla.suse.com/1244838 SUSE Bug 1244838 In the Linux kernel, the following vulnerability has been resolved: powerpc/xive: Fix refcount leak in xive_get_max_prio of_find_node_by_path() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. CVE-2022-50104 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50104.html CVE-2022-50104 https://bugzilla.suse.com/1244836 SUSE Bug 1244836 In the Linux kernel, the following vulnerability has been resolved: mfd: max77620: Fix refcount leak in max77620_initialise_fps of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. CVE-2022-50108 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50108.html CVE-2022-50108 https://bugzilla.suse.com/1244834 SUSE Bug 1244834 In the Linux kernel, the following vulnerability has been resolved: video: fbdev: amba-clcd: Fix refcount leak bugs In clcdfb_of_init_display(), we should call of_node_put() for the references returned by of_graph_get_next_endpoint() and of_graph_get_remote_port_parent() which have increased the refcount. Besides, we should call of_node_put() both in fail path or when the references are not used anymore. CVE-2022-50109 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50109.html CVE-2022-50109 https://bugzilla.suse.com/1244884 SUSE Bug 1244884 In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC") added a new function "pmi_irq_pending" in hw_irq.h. This function is to check if there is a PMI marked as pending in Paca (PACA_IRQ_PMI).This is used in power_pmu_disable in a WARN_ON. The intention here is to provide a warning if there is PMI pending, but no counter is found overflown. During some of the perf runs, below warning is hit: WARNING: CPU: 36 PID: 0 at arch/powerpc/perf/core-book3s.c:1332 power_pmu_disable+0x25c/0x2c0 Modules linked in: ----- NIP [c000000000141c3c] power_pmu_disable+0x25c/0x2c0 LR [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0 Call Trace: [c000000baffcfb90] [c000000000141c8c] power_pmu_disable+0x2ac/0x2c0 (unreliable) [c000000baffcfc10] [c0000000003e2f8c] perf_pmu_disable+0x4c/0x60 [c000000baffcfc30] [c0000000003e3344] group_sched_out.part.124+0x44/0x100 [c000000baffcfc80] [c0000000003e353c] __perf_event_disable+0x13c/0x240 [c000000baffcfcd0] [c0000000003dd334] event_function+0xc4/0x140 [c000000baffcfd20] [c0000000003d855c] remote_function+0x7c/0xa0 [c000000baffcfd50] [c00000000026c394] flush_smp_call_function_queue+0xd4/0x300 [c000000baffcfde0] [c000000000065b24] smp_ipi_demux_relaxed+0xa4/0x100 [c000000baffcfe20] [c0000000000cb2b0] xive_muxed_ipi_action+0x20/0x40 [c000000baffcfe40] [c000000000207c3c] __handle_irq_event_percpu+0x8c/0x250 [c000000baffcfee0] [c000000000207e2c] handle_irq_event_percpu+0x2c/0xa0 [c000000baffcff10] [c000000000210a04] handle_percpu_irq+0x84/0xc0 [c000000baffcff40] [c000000000205f14] generic_handle_irq+0x54/0x80 [c000000baffcff60] [c000000000015740] __do_irq+0x90/0x1d0 [c000000baffcff90] [c000000000016990] __do_IRQ+0xc0/0x140 [c0000009732f3940] [c000000bafceaca8] 0xc000000bafceaca8 [c0000009732f39d0] [c000000000016b78] do_IRQ+0x168/0x1c0 [c0000009732f3a00] [c0000000000090c8] hardware_interrupt_common_virt+0x218/0x220 This means that there is no PMC overflown among the active events in the PMU, but there is a PMU pending in Paca. The function "any_pmc_overflown" checks the PMCs on active events in cpuhw->n_events. Code snippet: <<>> if (any_pmc_overflown(cpuhw)) clear_pmi_irq_pending(); else WARN_ON(pmi_irq_pending()); <<>> Here the PMC overflown is not from active event. Example: When we do perf record, default cycles and instructions will be running on PMC6 and PMC5 respectively. It could happen that overflowed event is currently not active and pending PMI is for the inactive event. Debug logs from trace_printk: <<>> any_pmc_overflown: idx is 5: pmc value is 0xd9a power_pmu_disable: PMC1: 0x0, PMC2: 0x0, PMC3: 0x0, PMC4: 0x0, PMC5: 0xd9a, PMC6: 0x80002011 <<>> Here active PMC (from idx) is PMC5 , but overflown PMC is PMC6(0x80002011). When we handle PMI interrupt for such cases, if the PMC overflown is from inactive event, it will be ignored. Reference commit: commit bc09c219b2e6 ("powerpc/perf: Fix finding overflowed PMC in interrupt") Patch addresses two changes: 1) Fix 1 : Removal of warning ( WARN_ON(pmi_irq_pending()); ) We were printing warning if no PMC is found overflown among active PMU events, but PMI pending in PACA. But this could happen in cases where PMC overflown is not in active PMC. An inactive event could have caused the overflow. Hence the warning is not needed. To know pending PMI is from an inactive event, we need to loop through all PMC's which will cause more SPR reads via mfspr and increase in context switch. Also in existing function: perf_event_interrupt, already we ignore PMI's overflown when it is from an inactive PMC. 2) Fix 2: optimization in clearing pending PMI. Currently we check for any active PMC overflown before clearing PMI pending in Paca. This is causing additional SP ---truncated--- CVE-2022-50118 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50118.html CVE-2022-50118 https://bugzilla.suse.com/1244825 SUSE Bug 1244825 In the Linux kernel, the following vulnerability has been resolved: ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. CVE-2022-50124 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50124.html CVE-2022-50124 https://bugzilla.suse.com/1244816 SUSE Bug 1244816 In the Linux kernel, the following vulnerability has been resolved: jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted Following process will fail assertion 'jh->b_frozen_data == NULL' in jbd2_journal_dirty_metadata(): jbd2_journal_commit_transaction unlink(dir/a) jh->b_transaction = trans1 jh->b_jlist = BJ_Metadata journal->j_running_transaction = NULL trans1->t_state = T_COMMIT unlink(dir/b) handle->h_trans = trans2 do_get_write_access jh->b_modified = 0 jh->b_frozen_data = frozen_buffer jh->b_next_transaction = trans2 jbd2_journal_dirty_metadata is_handle_aborted is_journal_aborted // return false --> jbd2 abort <-- while (commit_transaction->t_buffers) if (is_journal_aborted) jbd2_journal_refile_buffer __jbd2_journal_refile_buffer WRITE_ONCE(jh->b_transaction, jh->b_next_transaction) WRITE_ONCE(jh->b_next_transaction, NULL) __jbd2_journal_file_buffer(jh, BJ_Reserved) J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure ! The reproducer (See detail in [Link]) reports: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1629! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: unlink Tainted: G W 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Call Trace: <TASK> __ext4_handle_dirty_metadata+0xa0/0x290 ext4_handle_dirty_dirblock+0x10c/0x1d0 ext4_delete_entry+0x104/0x200 __ext4_unlink+0x22b/0x360 ext4_unlink+0x275/0x390 vfs_unlink+0x20b/0x4c0 do_unlinkat+0x42f/0x4c0 __x64_sys_unlink+0x37/0x50 do_syscall_64+0x35/0x80 After journal aborting, __jbd2_journal_refile_buffer() is executed with holding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()' into the area protected by @jh->b_state_lock. CVE-2022-50126 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50126.html CVE-2022-50126 https://bugzilla.suse.com/1244813 SUSE Bug 1244813 In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix error unwind in rxe_create_qp() In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize qp, internally things like the spin locks are not setup until rxe_qp_init_req(). If an error occures before this point then the unwind will call rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() which will oops when trying to access the uninitialized spinlock. Move the spinlock initializations earlier before any failures. CVE-2022-50127 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50127.html CVE-2022-50127 https://bugzilla.suse.com/1244815 SUSE Bug 1244815 In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event If siw_recv_mpa_rr returns -EAGAIN, it means that the MPA reply hasn't been received completely, and should not report IW_CM_EVENT_CONNECT_REPLY in this case. This may trigger a call trace in iw_cm. A simple way to trigger this: server: ib_send_lat client: ib_send_lat -R <server_ip> The call trace looks like this: kernel BUG at drivers/infiniband/core/iwcm.c:894! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI <...> Workqueue: iw_cm_wq cm_work_handler [iw_cm] Call Trace: <TASK> cm_work_handler+0x1dd/0x370 [iw_cm] process_one_work+0x1e2/0x3b0 worker_thread+0x49/0x2e0 ? rescuer_thread+0x370/0x370 kthread+0xe5/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> CVE-2022-50136 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50136.html CVE-2022-50136 https://bugzilla.suse.com/1244804 SUSE Bug 1244804 In the Linux kernel, the following vulnerability has been resolved: RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr() __qedr_alloc_mr() allocates a memory chunk for "mr->info.pbl_table" with init_mr_info(). When rdma_alloc_tid() and rdma_register_tid() fail, "mr" is released while "mr->info.pbl_table" is not released, which will lead to a memory leak. We should release the "mr->info.pbl_table" with qedr_free_pbl() when error occurs to fix the memory leak. CVE-2022-50138 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50138.html CVE-2022-50138 https://bugzilla.suse.com/1244797 SUSE Bug 1244797 In the Linux kernel, the following vulnerability has been resolved: memstick/ms_block: Fix a memory leak 'erased_blocks_bitmap' is never freed. As it is allocated at the same time as 'used_blocks_bitmap', it is likely that it should be freed also at the same time. Add the corresponding bitmap_free() in msb_data_clear(). CVE-2022-50140 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50140.html CVE-2022-50140 https://bugzilla.suse.com/1244793 SUSE Bug 1244793 In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. of_node_put() checks null pointer. CVE-2022-50141 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50141.html CVE-2022-50141 https://bugzilla.suse.com/1244794 SUSE Bug 1244794 In the Linux kernel, the following vulnerability has been resolved: intel_th: msu: Fix vmalloced buffers After commit f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP") there's a chance of DMA buffer getting allocated via vmalloc(), which messes up the mmapping code: > RIP: msc_mmap_fault [intel_th_msu] > Call Trace: > <TASK> > __do_fault > do_fault ... Fix this by accounting for vmalloc possibility. CVE-2022-50142 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50142.html CVE-2022-50142 https://bugzilla.suse.com/1244796 SUSE Bug 1244796 In the Linux kernel, the following vulnerability has been resolved: intel_th: Fix a resource leak in an error handling path If an error occurs after calling 'pci_alloc_irq_vectors()', 'pci_free_irq_vectors()' must be called as already done in the remove function. CVE-2022-50143 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50143.html CVE-2022-50143 https://bugzilla.suse.com/1244790 SUSE Bug 1244790 In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors If dw_pcie_ep_init() fails to perform any action after the EPC memory is initialized and the MSI memory region is allocated, the latter parts won't be undone thus causing a memory leak. Add a cleanup-on-error path to fix these leaks. [bhelgaas: commit log] CVE-2022-50146 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50146.html CVE-2022-50146 https://bugzilla.suse.com/1244788 SUSE Bug 1244788 In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential deadlock in __driver_attach In __driver_attach function, There are also AA deadlock problem, like the commit b232b02bf3c2 ("driver core: fix deadlock in __device_attach"). stack like commit b232b02bf3c2 ("driver core: fix deadlock in __device_attach"). list below: In __driver_attach function, The lock holding logic is as follows: ... __driver_attach if (driver_allows_async_probing(drv)) device_lock(dev) // get lock dev async_schedule_dev(__driver_attach_async_helper, dev); // func async_schedule_node async_schedule_node_domain(func) entry = kzalloc(sizeof(struct async_entry), GFP_ATOMIC); /* when fail or work limit, sync to execute func, but __driver_attach_async_helper will get lock dev as will, which will lead to A-A deadlock. */ if (!entry || atomic_read(&entry_count) > MAX_WORK) { func; else queue_work_node(node, system_unbound_wq, &entry->work) device_unlock(dev) As above show, when it is allowed to do async probes, because of out of memory or work limit, async work is not be allowed, to do sync execute instead. it will lead to A-A deadlock because of __driver_attach_async_helper getting lock dev. Reproduce: and it can be reproduce by make the condition (if (!entry || atomic_read(&entry_count) > MAX_WORK)) untenable, like below: [ 370.785650] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 370.787154] task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00004000 [ 370.788865] Call Trace: [ 370.789374] <TASK> [ 370.789841] __schedule+0x482/0x1050 [ 370.790613] schedule+0x92/0x1a0 [ 370.791290] schedule_preempt_disabled+0x2c/0x50 [ 370.792256] __mutex_lock.isra.0+0x757/0xec0 [ 370.793158] __mutex_lock_slowpath+0x1f/0x30 [ 370.794079] mutex_lock+0x50/0x60 [ 370.794795] __device_driver_lock+0x2f/0x70 [ 370.795677] ? driver_probe_device+0xd0/0xd0 [ 370.796576] __driver_attach_async_helper+0x1d/0xd0 [ 370.797318] ? driver_probe_device+0xd0/0xd0 [ 370.797957] async_schedule_node_domain+0xa5/0xc0 [ 370.798652] async_schedule_node+0x19/0x30 [ 370.799243] __driver_attach+0x246/0x290 [ 370.799828] ? driver_allows_async_probing+0xa0/0xa0 [ 370.800548] bus_for_each_dev+0x9d/0x130 [ 370.801132] driver_attach+0x22/0x30 [ 370.801666] bus_add_driver+0x290/0x340 [ 370.802246] driver_register+0x88/0x140 [ 370.802817] ? virtio_scsi_init+0x116/0x116 [ 370.803425] scsi_register_driver+0x1a/0x30 [ 370.804057] init_sd+0x184/0x226 [ 370.804533] do_one_initcall+0x71/0x3a0 [ 370.805107] kernel_init_freeable+0x39a/0x43a [ 370.805759] ? rest_init+0x150/0x150 [ 370.806283] kernel_init+0x26/0x230 [ 370.806799] ret_from_fork+0x1f/0x30 To fix the deadlock, move the async_schedule_dev outside device_lock, as we can see, in async_schedule_node_domain, the parameter of queue_work_node is system_unbound_wq, so it can accept concurrent operations. which will also not change the code logic, and will not lead to deadlock. CVE-2022-50149 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50149.html CVE-2022-50149 https://bugzilla.suse.com/1244883 SUSE Bug 1244883 In the Linux kernel, the following vulnerability has been resolved: usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. CVE-2022-50152 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50152.html CVE-2022-50152 https://bugzilla.suse.com/1244783 SUSE Bug 1244783 In the Linux kernel, the following vulnerability has been resolved: usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak. CVE-2022-50153 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50153.html CVE-2022-50153 https://bugzilla.suse.com/1244786 SUSE Bug 1244786 In the Linux kernel, the following vulnerability has been resolved: HID: cp2112: prevent a buffer overflow in cp2112_xfer() Smatch warnings: drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'data->block[1]' too small (33 vs 255) drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too small (64 vs 255) The 'read_length' variable is provided by 'data->block[0]' which comes from user and it(read_length) can take a value between 0-255. Add an upper bound to 'read_length' variable to prevent a buffer overflow in memcpy(). CVE-2022-50156 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50156.html CVE-2022-50156 https://bugzilla.suse.com/1244782 SUSE Bug 1244782 In the Linux kernel, the following vulnerability has been resolved: mtd: partitions: Fix refcount leak in parse_redboot_of of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. CVE-2022-50158 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50158.html CVE-2022-50158 https://bugzilla.suse.com/1244779 SUSE Bug 1244779 In the Linux kernel, the following vulnerability has been resolved: mtd: maps: Fix refcount leak in ap_flash_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. CVE-2022-50160 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50160.html CVE-2022-50160 https://bugzilla.suse.com/1244776 SUSE Bug 1244776 In the Linux kernel, the following vulnerability has been resolved: mtd: maps: Fix refcount leak in of_flash_probe_versatile of_find_matching_node_and_match() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. CVE-2022-50161 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50161.html CVE-2022-50161 https://bugzilla.suse.com/1244774 SUSE Bug 1244774 In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: Fix possible refcount leak in if_usb_probe() usb_get_dev will be called before lbs_get_firmware_async which means that usb_put_dev need to be called when lbs_get_firmware_async fails. CVE-2022-50162 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50162.html CVE-2022-50162 https://bugzilla.suse.com/1244773 SUSE Bug 1244773 In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue After successfull station association, if station queues are disabled for some reason, the related lists are not emptied. So if some new element is added to the list in iwl_mvm_mac_wake_tx_queue, it can match with the old one and produce a BUG like this: [ 46.535263] list_add corruption. prev->next should be next (ffff94c1c318a360), but was 0000000000000000. (prev=ffff94c1d02d3388). [ 46.535283] ------------[ cut here ]------------ [ 46.535284] kernel BUG at lib/list_debug.c:26! [ 46.535290] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 46.585304] CPU: 0 PID: 623 Comm: wpa_supplicant Not tainted 5.19.0-rc3+ #1 [ 46.592380] Hardware name: Dell Inc. Inspiron 660s/0478VN , BIOS A07 08/24/2012 [ 46.600336] RIP: 0010:__list_add_valid.cold+0x3d/0x3f [ 46.605475] Code: f2 4c 89 c1 48 89 fe 48 c7 c7 c8 40 67 93 e8 20 cc fd ff 0f 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 70 40 67 93 e8 09 cc fd ff <0f> 0b 48 89 fe 48 c7 c7 00 41 67 93 e8 f8 cb fd ff 0f 0b 48 89 d1 [ 46.624469] RSP: 0018:ffffb20800ab76d8 EFLAGS: 00010286 [ 46.629854] RAX: 0000000000000075 RBX: ffff94c1c318a0e0 RCX: 0000000000000000 [ 46.637105] RDX: 0000000000000201 RSI: ffffffff9365e100 RDI: 00000000ffffffff [ 46.644356] RBP: ffff94c1c5f43370 R08: 0000000000000075 R09: 3064316334396666 [ 46.651607] R10: 3364323064316334 R11: 39666666663d7665 R12: ffff94c1c5f43388 [ 46.658857] R13: ffff94c1d02d3388 R14: ffff94c1c318a360 R15: ffff94c1cf2289c0 [ 46.666108] FS: 00007f65634ff7c0(0000) GS:ffff94c1da200000(0000) knlGS:0000000000000000 [ 46.674331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 46.680170] CR2: 00007f7dfe984460 CR3: 000000010e894003 CR4: 00000000000606f0 [ 46.687422] Call Trace: [ 46.689906] <TASK> [ 46.691950] iwl_mvm_mac_wake_tx_queue+0xec/0x15c [iwlmvm] [ 46.697601] ieee80211_queue_skb+0x4b3/0x720 [mac80211] [ 46.702973] ? sta_info_get+0x46/0x60 [mac80211] [ 46.707703] ieee80211_tx+0xad/0x110 [mac80211] [ 46.712355] __ieee80211_tx_skb_tid_band+0x71/0x90 [mac80211] ... In order to avoid this problem, we must also remove the related lists when station queues are disabled. CVE-2022-50164 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50164.html CVE-2022-50164 https://bugzilla.suse.com/1244770 SUSE Bug 1244770 In the Linux kernel, the following vulnerability has been resolved: wifi: wil6210: debugfs: fix uninitialized variable use in `wil_write_file_wmi()` Commit 7a4836560a61 changes simple_write_to_buffer() with memdup_user() but it forgets to change the value to be returned that came from simple_write_to_buffer() call. It results in the following warning: warning: variable 'rc' is uninitialized when used here [-Wuninitialized] return rc; ^~ Remove rc variable and just return the passed in length if the memdup_user() succeeds. CVE-2022-50165 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50165.html CVE-2022-50165 https://bugzilla.suse.com/1244771 SUSE Bug 1244771 In the Linux kernel, the following vulnerability has been resolved: wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() The simple_write_to_buffer() function will succeed if even a single byte is initialized. However, we need to initialize the whole buffer to prevent information leaks. Just use memdup_user(). CVE-2022-50169 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50169.html CVE-2022-50169 https://bugzilla.suse.com/1244767 SUSE Bug 1244767 In the Linux kernel, the following vulnerability has been resolved: mt76: mt76x02u: fix possible memory leak in __mt76x02u_mcu_send_msg Free the skb if mt76u_bulk_msg fails in __mt76x02u_mcu_send_msg routine. CVE-2022-50172 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50172.html CVE-2022-50172 https://bugzilla.suse.com/1244764 SUSE Bug 1244764 In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Fix global state lock backoff We need to grab the lock after the early return for !hwpipe case. Otherwise, we could have hit contention yet still returned 0. Fixes an issue that the new CONFIG_DRM_DEBUG_MODESET_LOCK stuff flagged in CI: WARNING: CPU: 0 PID: 282 at drivers/gpu/drm/drm_modeset_lock.c:296 drm_modeset_lock+0xf8/0x154 Modules linked in: CPU: 0 PID: 282 Comm: kms_cursor_lega Tainted: G W 5.19.0-rc2-15930-g875cc8bc536a #1 Hardware name: Qualcomm Technologies, Inc. DB820c (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_modeset_lock+0xf8/0x154 lr : drm_atomic_get_private_obj_state+0x84/0x170 sp : ffff80000cfab6a0 x29: ffff80000cfab6a0 x28: 0000000000000000 x27: ffff000083bc4d00 x26: 0000000000000038 x25: 0000000000000000 x24: ffff80000957ca58 x23: 0000000000000000 x22: ffff000081ace080 x21: 0000000000000001 x20: ffff000081acec18 x19: ffff80000cfabb80 x18: 0000000000000038 x17: 0000000000000000 x16: 0000000000000000 x15: fffffffffffea0d0 x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 5f534b434f4c5f47 x11: ffff80000a386aa8 x10: 0000000000000029 x9 : ffff80000cfab610 x8 : 0000000000000029 x7 : 0000000000000014 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff8000081ad904 x3 : 0000000000000029 x2 : ffff0000801db4c0 x1 : ffff80000cfabb80 x0 : ffff000081aceb58 Call trace: drm_modeset_lock+0xf8/0x154 drm_atomic_get_private_obj_state+0x84/0x170 mdp5_get_global_state+0x54/0x6c mdp5_pipe_release+0x2c/0xd4 mdp5_plane_atomic_check+0x2ec/0x414 drm_atomic_helper_check_planes+0xd8/0x210 drm_atomic_helper_check+0x54/0xb0 ... ---[ end trace 0000000000000000 ]--- drm_modeset_lock attempting to lock a contended lock without backoff: drm_modeset_lock+0x148/0x154 mdp5_get_global_state+0x30/0x6c mdp5_pipe_release+0x2c/0xd4 mdp5_plane_atomic_check+0x290/0x414 drm_atomic_helper_check_planes+0xd8/0x210 drm_atomic_helper_check+0x54/0xb0 drm_atomic_check_only+0x4b0/0x8f4 drm_atomic_commit+0x68/0xe0 Patchwork: https://patchwork.freedesktop.org/patch/492701/ CVE-2022-50173 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50173.html CVE-2022-50173 https://bugzilla.suse.com/1244992 SUSE Bug 1244992 In the Linux kernel, the following vulnerability has been resolved: drm/mcde: Fix refcount leak in mcde_dsi_bind Every iteration of for_each_available_child_of_node() decrements the reference counter of the previous node. There is no decrement when break out from the loop and results in refcount leak. Add missing of_node_put() to fix this. CVE-2022-50176 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50176.html CVE-2022-50176 https://bugzilla.suse.com/1244902 SUSE Bug 1244902 In the Linux kernel, the following vulnerability has been resolved: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization. Probable call trace which can trigger use-after-free: ath9k_htc_probe_device() /* htc_handle->drv_priv = priv; */ ath9k_htc_wait_for_target() <--- Failed ieee80211_free_hw() <--- priv pointer is freed <IRQ> ... ath9k_hif_usb_rx_cb() ath9k_hif_usb_rx_stream() RX_STAT_INC() <--- htc_handle->drv_priv access In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all *_STAT_* macros NULL safe, since syzbot has reported related NULL deref in that macros [1] CVE-2022-50179 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50179.html CVE-2022-50179 https://bugzilla.suse.com/1244886 SUSE Bug 1244886 In the Linux kernel, the following vulnerability has been resolved: virtio-gpu: fix a missing check to avoid NULL dereference 'cache_ent' could be set NULL inside virtio_gpu_cmd_get_capset() and it will lead to a NULL dereference by a lately use of it (i.e., ptr = cache_ent->caps_cache). Fix it with a NULL check. [ kraxel: minor codestyle fixup ] CVE-2022-50181 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50181.html CVE-2022-50181 https://bugzilla.suse.com/1244901 SUSE Bug 1244901 In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() The last case label can write two buffers 'mc_reg_address[j]' and 'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE since there are no checks for this value in both case labels after the last 'j++'. Instead of changing '>' to '>=' there, add the bounds check at the start of the second 'case' (the first one already has it). Also, remove redundant last checks for 'j' index bigger than array size. The expression is always false. Moreover, before or after the patch 'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it seems it can be a valid value. Detected using the static analysis tool - Svace. CVE-2022-50185 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50185.html CVE-2022-50185 https://bugzilla.suse.com/1244887 SUSE Bug 1244887 In the Linux kernel, the following vulnerability has been resolved: regulator: of: Fix refcount leak bug in of_get_regulation_constraints() We should call the of_node_put() for the reference returned by of_get_child_by_name() which has increased the refcount. CVE-2022-50191 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50191.html CVE-2022-50191 https://bugzilla.suse.com/1244899 SUSE Bug 1244899 In the Linux kernel, the following vulnerability has been resolved: selinux: Add boundary check in put_entry() Just like next_entry(), boundary check is necessary to prevent memory out-of-bound access. CVE-2022-50200 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50200.html CVE-2022-50200 https://bugzilla.suse.com/1245149 SUSE Bug 1245149 In the Linux kernel, the following vulnerability has been resolved: meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. CVE-2022-50209 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50209.html CVE-2022-50209 https://bugzilla.suse.com/1244868 SUSE Bug 1244868 In the Linux kernel, the following vulnerability has been resolved: md-raid10: fix KASAN warning There's a KASAN warning in raid10_remove_disk when running the lvm test lvconvert-raid-reshape.sh. We fix this warning by verifying that the value "number" is valid. BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10] Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682 CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report.cold+0x45/0x57a ? __lock_text_start+0x18/0x18 ? raid10_remove_disk+0x61/0x2a0 [raid10] kasan_report+0xa8/0xe0 ? raid10_remove_disk+0x61/0x2a0 [raid10] raid10_remove_disk+0x61/0x2a0 [raid10] Buffer I/O error on dev dm-76, logical block 15344, async page read ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0 remove_and_add_spares+0x367/0x8a0 [md_mod] ? super_written+0x1c0/0x1c0 [md_mod] ? mutex_trylock+0xac/0x120 ? _raw_spin_lock+0x72/0xc0 ? _raw_spin_lock_bh+0xc0/0xc0 md_check_recovery+0x848/0x960 [md_mod] raid10d+0xcf/0x3360 [raid10] ? sched_clock_cpu+0x185/0x1a0 ? rb_erase+0x4d4/0x620 ? var_wake_function+0xe0/0xe0 ? psi_group_change+0x411/0x500 ? preempt_count_sub+0xf/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? raid10_sync_request+0x36c0/0x36c0 [raid10] ? preempt_count_sub+0xf/0xc0 ? _raw_spin_unlock_irqrestore+0x19/0x40 ? del_timer_sync+0xa9/0x100 ? try_to_del_timer_sync+0xc0/0xc0 ? _raw_spin_lock_irqsave+0x78/0xc0 ? __lock_text_start+0x18/0x18 ? _raw_spin_unlock_irq+0x11/0x24 ? __list_del_entry_valid+0x68/0xa0 ? finish_wait+0xa3/0x100 md_thread+0x161/0x260 [md_mod] ? unregister_md_personality+0xa0/0xa0 [md_mod] ? _raw_spin_lock_irqsave+0x78/0xc0 ? prepare_to_wait_event+0x2c0/0x2c0 ? unregister_md_personality+0xa0/0xa0 [md_mod] kthread+0x148/0x180 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Allocated by task 124495: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x80/0xa0 setup_conf+0x140/0x5c0 [raid10] raid10_run+0x4cd/0x740 [raid10] md_run+0x6f9/0x1300 [md_mod] raid_ctr+0x2531/0x4ac0 [dm_raid] dm_table_add_target+0x2b0/0x620 [dm_mod] table_load+0x1c8/0x400 [dm_mod] ctl_ioctl+0x29e/0x560 [dm_mod] dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] __do_compat_sys_ioctl+0xfa/0x160 do_syscall_64+0x90/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x9e/0xc0 kvfree_call_rcu+0x84/0x480 timerfd_release+0x82/0x140 L __fput+0xfa/0x400 task_work_run+0x80/0xc0 exit_to_user_mode_prepare+0x155/0x160 syscall_exit_to_user_mode+0x12/0x40 do_syscall_64+0x42/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x9e/0xc0 kvfree_call_rcu+0x84/0x480 timerfd_release+0x82/0x140 __fput+0xfa/0x400 task_work_run+0x80/0xc0 exit_to_user_mode_prepare+0x155/0x160 syscall_exit_to_user_mode+0x12/0x40 do_syscall_64+0x42/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The buggy address belongs to the object at ffff889108f3d200 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 0 bytes to the right of 256-byte region [ffff889108f3d200, ffff889108f3d300) The buggy address belongs to the physical page: page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=2) raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff889108f3d280: 00 00 ---truncated--- CVE-2022-50211 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50211.html CVE-2022-50211 https://bugzilla.suse.com/1245140 SUSE Bug 1245140 https://bugzilla.suse.com/1245141 SUSE Bug 1245141 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not allow CHAIN_ID to refer to another table When doing lookups for chains on the same batch by using its ID, a chain from a different table can be used. If a rule is added to a table but refers to a chain in a different table, it will be linked to the chain in table2, but would have expressions referring to objects in table1. Then, when table1 is removed, the rule will not be removed as its linked to a chain in table2. When expressions in the rule are processed or removed, that will lead to a use-after-free. When looking for chains by ID, use the table that was used for the lookup by name, and only return chains belonging to that same table. CVE-2022-50212 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50212.html CVE-2022-50212 https://bugzilla.suse.com/1244869 SUSE Bug 1244869 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not allow SET_ID to refer to another table When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. CVE-2022-50213 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50213.html CVE-2022-50213 https://bugzilla.suse.com/1244867 SUSE Bug 1244867 In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Allow waiting for commands to complete on removed device When a SCSI device is removed while in active use, currently sg will immediately return -ENODEV on any attempt to wait for active commands that were sent before the removal. This is problematic for commands that use SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel when userspace frees or reuses it after getting ENODEV, leading to corrupted userspace memory (in the case of READ-type commands) or corrupted data being sent to the device (in the case of WRITE-type commands). This has been seen in practice when logging out of a iscsi_tcp session, where the iSCSI driver may still be processing commands after the device has been marked for removal. Change the policy to allow userspace to wait for active sg commands even when the device is being removed. Return -ENODEV only when there are no more responses to read. CVE-2022-50215 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50215.html CVE-2022-50215 https://bugzilla.suse.com/1245138 SUSE Bug 1245138 In the Linux kernel, the following vulnerability has been resolved: iio: light: isl29028: Fix the warning in isl29028_remove() The driver use the non-managed form of the register function in isl29028_remove(). To keep the release order as mirroring the ordering in probe, the driver should use non-managed form in probe, too. The following log reveals it: [ 32.374955] isl29028 0-0010: remove [ 32.376861] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI [ 32.377676] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.379432] RIP: 0010:kernfs_find_and_get_ns+0x28/0xe0 [ 32.385461] Call Trace: [ 32.385807] sysfs_unmerge_group+0x59/0x110 [ 32.386110] dpm_sysfs_remove+0x58/0xc0 [ 32.386391] device_del+0x296/0xe50 [ 32.386959] cdev_device_del+0x1d/0xd0 [ 32.387231] devm_iio_device_unreg+0x27/0xb0 [ 32.387542] devres_release_group+0x319/0x3d0 [ 32.388162] i2c_device_remove+0x93/0x1f0 CVE-2022-50218 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50218.html CVE-2022-50218 https://bugzilla.suse.com/1244861 SUSE Bug 1244861 In the Linux kernel, the following vulnerability has been resolved: usbnet: Fix linkwatch use-after-free on disconnect usbnet uses the work usbnet_deferred_kevent() to perform tasks which may sleep. On disconnect, completion of the work was originally awaited in ->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock": https://git.kernel.org/tglx/history/c/0f138bbfd83c The change was made because back then, the kernel's workqueue implementation did not allow waiting for a single work. One had to wait for completion of *all* work by calling flush_scheduled_work(), and that could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex held in ->ndo_stop(). The commit solved one problem but created another: It causes a use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c, ax88179_178a.c, ch9200.c and smsc75xx.c: * If the drivers receive a link change interrupt immediately before disconnect, they raise EVENT_LINK_RESET in their (non-sleepable) ->status() callback and schedule usbnet_deferred_kevent(). * usbnet_deferred_kevent() invokes the driver's ->link_reset() callback, which calls netif_carrier_{on,off}(). * That in turn schedules the work linkwatch_event(). Because usbnet_deferred_kevent() is awaited after unregister_netdev(), netif_carrier_{on,off}() may operate on an unregistered netdev and linkwatch_event() may run after free_netdev(), causing a use-after-free. In 2010, usbnet was changed to only wait for a single instance of usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf ("drivers/net: don't use flush_scheduled_work()"). Unfortunately the commit neglected to move the wait back to ->ndo_stop(). Rectify that omission at long last. CVE-2022-50220 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50220.html CVE-2022-50220 https://bugzilla.suse.com/1245348 SUSE Bug 1245348 In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read immediately after resize operation. Initialize buffer using kzalloc(). ---------- #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <linux/fb.h> int main(int argc, char *argv[]) { struct fb_var_screeninfo var = { }; const int fb_fd = open("/dev/fb0", 3); ioctl(fb_fd, FBIOGET_VSCREENINFO, &var); var.yres = 0x21; ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var); return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1; } ---------- CVE-2022-50222 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50222.html CVE-2022-50222 https://bugzilla.suse.com/1245136 SUSE Bug 1245136 In the Linux kernel, the following vulnerability has been resolved: ALSA: bcd2000: Fix a UAF bug on the error path of probing When the driver fails in snd_card_register() at probe time, it will free the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug. The following log can reveal it: [ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] [ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0 [ 50.729530] Call Trace: [ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] Fix this by adding usb_kill_urb() before usb_free_urb(). CVE-2022-50229 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50229.html CVE-2022-50229 https://bugzilla.suse.com/1244856 SUSE Bug 1244856 In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/poly1305 - fix a read out-of-bound A kasan error was reported during fuzzing: BUG: KASAN: slab-out-of-bounds in neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon] Read of size 4 at addr ffff0010e293f010 by task syz-executor.5/1646715 CPU: 4 PID: 1646715 Comm: syz-executor.5 Kdump: loaded Not tainted 5.10.0.aarch64 #1 Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.59 01/31/2019 Call trace: dump_backtrace+0x0/0x394 show_stack+0x34/0x4c arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x158/0x1e4 lib/dump_stack.c:118 print_address_description.constprop.0+0x68/0x204 mm/kasan/report.c:387 __kasan_report+0xe0/0x140 mm/kasan/report.c:547 kasan_report+0x44/0xe0 mm/kasan/report.c:564 check_memory_region_inline mm/kasan/generic.c:187 [inline] __asan_load4+0x94/0xd0 mm/kasan/generic.c:252 neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon] neon_poly1305_do_update+0x6c/0x15c [poly1305_neon] neon_poly1305_update+0x9c/0x1c4 [poly1305_neon] crypto_shash_update crypto/shash.c:131 [inline] shash_finup_unaligned+0x84/0x15c crypto/shash.c:179 crypto_shash_finup+0x8c/0x140 crypto/shash.c:193 shash_digest_unaligned+0xb8/0xe4 crypto/shash.c:201 crypto_shash_digest+0xa4/0xfc crypto/shash.c:217 crypto_shash_tfm_digest+0xb4/0x150 crypto/shash.c:229 essiv_skcipher_setkey+0x164/0x200 [essiv] crypto_skcipher_setkey+0xb0/0x160 crypto/skcipher.c:612 skcipher_setkey+0x3c/0x50 crypto/algif_skcipher.c:305 alg_setkey+0x114/0x2a0 crypto/af_alg.c:220 alg_setsockopt+0x19c/0x210 crypto/af_alg.c:253 __sys_setsockopt+0x190/0x2e0 net/socket.c:2123 __do_sys_setsockopt net/socket.c:2134 [inline] __se_sys_setsockopt net/socket.c:2131 [inline] __arm64_sys_setsockopt+0x78/0x94 net/socket.c:2131 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall+0x64/0x100 arch/arm64/kernel/syscall.c:48 el0_svc_common.constprop.0+0x220/0x230 arch/arm64/kernel/syscall.c:155 do_el0_svc+0xb4/0xd4 arch/arm64/kernel/syscall.c:217 el0_svc+0x24/0x3c arch/arm64/kernel/entry-common.c:353 el0_sync_handler+0x160/0x164 arch/arm64/kernel/entry-common.c:369 el0_sync+0x160/0x180 arch/arm64/kernel/entry.S:683 This error can be reproduced by the following code compiled as ko on a system with kasan enabled: #include <linux/module.h> #include <linux/crypto.h> #include <crypto/hash.h> #include <crypto/poly1305.h> char test_data[] = "\x00\x01\x02\x03\x04\x05\x06\x07" "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" "\x10\x11\x12\x13\x14\x15\x16\x17" "\x18\x19\x1a\x1b\x1c\x1d\x1e"; int init(void) { struct crypto_shash *tfm = NULL; char *data = NULL, *out = NULL; tfm = crypto_alloc_shash("poly1305", 0, 0); data = kmalloc(POLY1305_KEY_SIZE - 1, GFP_KERNEL); out = kmalloc(POLY1305_DIGEST_SIZE, GFP_KERNEL); memcpy(data, test_data, POLY1305_KEY_SIZE - 1); crypto_shash_tfm_digest(tfm, data, POLY1305_KEY_SIZE - 1, out); kfree(data); kfree(out); return 0; } void deinit(void) { } module_init(init) module_exit(deinit) MODULE_LICENSE("GPL"); The root cause of the bug sits in neon_poly1305_blocks. The logic neon_poly1305_blocks() performed is that if it was called with both s[] and r[] uninitialized, it will first try to initialize them with the data from the first "block" that it believed to be 32 bytes in length. First 16 bytes are used as the key and the next 16 bytes for s[]. This would lead to the aforementioned read out-of-bound. However, after calling poly1305_init_arch(), only 16 bytes were deducted from the input and s[] is initialized yet again with the following 16 bytes. The second initialization of s[] is certainly redundent which indicates that the first initialization should be for r[] only. This patch fixes the issue by calling poly1305_init_arm64() instead o ---truncated--- CVE-2022-50231 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2022-50231.html CVE-2022-50231 https://bugzilla.suse.com/1244853 SUSE Bug 1244853 A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag(). CVE-2023-3111 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2023-3111.html CVE-2023-3111 https://bugzilla.suse.com/1212051 SUSE Bug 1212051 https://bugzilla.suse.com/1220015 SUSE Bug 1220015 In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem("00000000") timeout 100 ms ... add_elem("0000000X") timeout 100 ms del_elem("0000000X") <---------------- delete one that was just added ... add_elem("00005000") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano) CVE-2024-26924 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2024-26924.html CVE-2024-26924 https://bugzilla.suse.com/1223387 SUSE Bug 1223387 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. CVE-2024-27397 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2024-27397.html CVE-2024-27397 https://bugzilla.suse.com/1224095 SUSE Bug 1224095 In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur. CVE-2024-36978 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2024-36978.html CVE-2024-36978 https://bugzilla.suse.com/1226514 SUSE Bug 1226514 https://bugzilla.suse.com/1244631 SUSE Bug 1244631 In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF CVE-2024-46800 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2024-46800.html CVE-2024-46800 https://bugzilla.suse.com/1230827 SUSE Bug 1230827 In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks. CVE-2024-53141 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2024-53141.html CVE-2024-53141 https://bugzilla.suse.com/1234381 SUSE Bug 1234381 https://bugzilla.suse.com/1245778 SUSE Bug 1245778 In the Linux kernel, the following vulnerability has been resolved: net/sched: netem: account for backlog updates from child qdisc In general, 'qlen' of any classful qdisc should keep track of the number of packets that the qdisc itself and all of its children holds. In case of netem, 'qlen' only accounts for the packets in its internal tfifo. When netem is used with a child qdisc, the child qdisc can use 'qdisc_tree_reduce_backlog' to inform its parent, netem, about created or dropped SKBs. This function updates 'qlen' and the backlog statistics of netem, but netem does not account for changes made by a child qdisc. 'qlen' then indicates the wrong number of packets in the tfifo. If a child qdisc creates new SKBs during enqueue and informs its parent about this, netem's 'qlen' value is increased. When netem dequeues the newly created SKBs from the child, the 'qlen' in netem is not updated. If 'qlen' reaches the configured sch->limit, the enqueue function stops working, even though the tfifo is not full. Reproduce the bug: Ensure that the sender machine has GSO enabled. Configure netem as root qdisc and tbf as its child on the outgoing interface of the machine as follows: $ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100 $ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 client on the machine. Check the qdisc statistics: $ tc -s qdisc show dev <oif> Statistics after 10s of iPerf3 TCP test before the fix (note that netem's backlog > limit, netem stopped accepting packets): qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) backlog 4294528236b 1155p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) backlog 0b 0p requeues 0 Statistics after the fix: qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) backlog 0b 0p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) backlog 0b 0p requeues 0 tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. The interface fully stops transferring packets and "locks". In this case, the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at its limit and no more packets are accepted. This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is only decreased when a packet is returned by its dequeue function, and not during enqueuing into the child qdisc. External updates to 'qlen' are thus accounted for and only the behavior of the backlog statistics changes. As in other qdiscs, 'qlen' then keeps track of how many packets are held in netem and all of its children. As before, sch->limit remains as the maximum number of packets in the tfifo. The same applies to netem's backlog statistics. CVE-2024-56770 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2024-56770.html CVE-2024-56770 https://bugzilla.suse.com/1235637 SUSE Bug 1235637 In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com> CVE-2025-21700 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-21700.html CVE-2025-21700 https://bugzilla.suse.com/1237159 SUSE Bug 1237159 In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable. CVE-2025-21702 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-21702.html CVE-2025-21702 https://bugzilla.suse.com/1237312 SUSE Bug 1237312 https://bugzilla.suse.com/1245797 SUSE Bug 1245797 In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list. CVE-2025-21703 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-21703.html CVE-2025-21703 https://bugzilla.suse.com/1237313 SUSE Bug 1237313 https://bugzilla.suse.com/1245796 SUSE Bug 1245796 In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375 CVE-2025-37752 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-37752.html CVE-2025-37752 https://bugzilla.suse.com/1242504 SUSE Bug 1242504 https://bugzilla.suse.com/1245776 SUSE Bug 1245776 In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue(). CVE-2025-37798 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-37798.html CVE-2025-37798 https://bugzilla.suse.com/1242414 SUSE Bug 1242414 https://bugzilla.suse.com/1242417 SUSE Bug 1242417 In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer. CVE-2025-37823 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-37823.html CVE-2025-37823 https://bugzilla.suse.com/1242924 SUSE Bug 1242924 In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/ CVE-2025-37890 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-37890.html CVE-2025-37890 https://bugzilla.suse.com/1243330 SUSE Bug 1243330 https://bugzilla.suse.com/1245791 SUSE Bug 1245791 In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_qlen_notify() idempotent htb_qlen_notify() always deactivates the HTB class and in fact could trigger a warning if it is already deactivated. Therefore, it is not idempotent and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life. CVE-2025-37932 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-37932.html CVE-2025-37932 https://bugzilla.suse.com/1243627 SUSE Bug 1243627 In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here. For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside. To fix the issues here, we need to: 1) Make htb_deactivate() idempotent, that is, simply return if we already call it before. 2) Make htb_next_rb_node() safe against ptr==NULL. Many thanks to Alan for testing and for the reproducer. CVE-2025-37953 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-37953.html CVE-2025-37953 https://bugzilla.suse.com/1243543 SUSE Bug 1243543 In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts. CVE-2025-37997 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-37997.html CVE-2025-37997 https://bugzilla.suse.com/1243832 SUSE Bug 1243832 https://bugzilla.suse.com/1245774 SUSE Bug 1245774 In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free. This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek. CVE-2025-38000 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-38000.html CVE-2025-38000 https://bugzilla.suse.com/1244277 SUSE Bug 1244277 https://bugzilla.suse.com/1245775 SUSE Bug 1245775 In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u CVE-2025-38001 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-38001.html CVE-2025-38001 https://bugzilla.suse.com/1244234 SUSE Bug 1244234 https://bugzilla.suse.com/1244235 SUSE Bug 1244235 In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. CVE-2025-38083 SUSE Linux Enterprise Micro 5.1:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.1:kernel-source-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-rt-5.3.18-150300.214.1 SUSE Linux Enterprise Micro 5.2:kernel-source-rt-5.3.18-150300.214.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502320-1/ https://www.suse.com/security/cve/CVE-2025-38083.html CVE-2025-38083 https://bugzilla.suse.com/1245183 SUSE Bug 1245183 https://bugzilla.suse.com/1245350 SUSE Bug 1245350