Security update for the Linux Kernel (Live Patch 28 for SLE 15 SP4) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02436-1 Final 1 1 2025-07-21T12:33:43Z current 2025-07-21T12:33:43Z 2025-07-21T12:33:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 28 for SLE 15 SP4) This update for the Linux Kernel 5.14.21-150400_24_125 fixes several issues. The following security issues were fixed: - CVE-2024-53146: NFSD: Prevent a potential integer overflow (bsc#1234854). - CVE-2022-49465: blk-throttle: Set BIO_THROTTLED when bio has been throttled (bsc#1238920). - CVE-2024-53214: vfio/pci: Properly hide first-in-list PCIe extended capability (bsc#1235005). - CVE-2024-53173: NFSv4.0: Fix a use-after-free problem in the asynchronous open() (bsc#1234892). - CVE-2024-57893: ALSA: seq: oss: Fix races at processing SysEx messages (bsc#1235921). - CVE-2024-42232: Fixed a race between delayed_work() and ceph_monc_stop(). (bsc#1228959) - CVE-2025-21772: partitions: mac: fix handling of bogus partition table (bsc#1238912). - CVE-2024-53166: block, bfq: fix bfqq uaf in bfq_limit_depth() (bsc#1234885). - CVE-2024-50208: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages (bsc#1233118). - CVE-2024-56558: nfsd: make sure exp active before svc_export_show (bsc#1243648). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2436,SUSE-SLE-Module-Live-Patching-15-SP4-2025-2436 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ Link for SUSE-SU-2025:02436-1 https://lists.suse.com/pipermail/sle-updates/2025-July/040833.html E-Mail link for SUSE-SU-2025:02436-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1229458 SUSE Bug 1229458 https://bugzilla.suse.com/1233118 SUSE Bug 1233118 https://bugzilla.suse.com/1234854 SUSE Bug 1234854 https://bugzilla.suse.com/1234885 SUSE Bug 1234885 https://bugzilla.suse.com/1234892 SUSE Bug 1234892 https://bugzilla.suse.com/1235005 SUSE Bug 1235005 https://bugzilla.suse.com/1235921 SUSE Bug 1235921 https://bugzilla.suse.com/1238912 SUSE Bug 1238912 https://bugzilla.suse.com/1238920 SUSE Bug 1238920 https://bugzilla.suse.com/1243648 SUSE Bug 1243648 https://www.suse.com/security/cve/CVE-2022-49465/ SUSE CVE CVE-2022-49465 page https://www.suse.com/security/cve/CVE-2024-42232/ SUSE CVE CVE-2024-42232 page https://www.suse.com/security/cve/CVE-2024-50208/ SUSE CVE CVE-2024-50208 page https://www.suse.com/security/cve/CVE-2024-53146/ SUSE CVE CVE-2024-53146 page https://www.suse.com/security/cve/CVE-2024-53166/ SUSE CVE CVE-2024-53166 page https://www.suse.com/security/cve/CVE-2024-53173/ SUSE CVE CVE-2024-53173 page https://www.suse.com/security/cve/CVE-2024-53214/ SUSE CVE CVE-2024-53214 page https://www.suse.com/security/cve/CVE-2024-56558/ SUSE CVE CVE-2024-56558 page https://www.suse.com/security/cve/CVE-2024-57893/ SUSE CVE CVE-2024-57893 page https://www.suse.com/security/cve/CVE-2025-21772/ SUSE CVE CVE-2025-21772 page SUSE Linux Enterprise Live Patching 15 SP4 kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP4 In the Linux kernel, the following vulnerability has been resolved: blk-throttle: Set BIO_THROTTLED when bio has been throttled 1.In current process, all bio will set the BIO_THROTTLED flag after __blk_throtl_bio(). 2.If bio needs to be throttled, it will start the timer and stop submit bio directly. Bio will submit in blk_throtl_dispatch_work_fn() when the timer expires.But in the current process, if bio is throttled. The BIO_THROTTLED will be set to bio after timer start. If the bio has been completed, it may cause use-after-free blow. BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70 Read of size 2 at addr ffff88801b8902d4 by task fio/26380 dump_stack+0x9b/0xce print_address_description.constprop.6+0x3e/0x60 kasan_report.cold.9+0x22/0x3a blk_throtl_bio+0x12f0/0x2c70 submit_bio_checks+0x701/0x1550 submit_bio_noacct+0x83/0xc80 submit_bio+0xa7/0x330 mpage_readahead+0x380/0x500 read_pages+0x1c1/0xbf0 page_cache_ra_unbounded+0x471/0x6f0 do_page_cache_ra+0xda/0x110 ondemand_readahead+0x442/0xae0 page_cache_async_ra+0x210/0x300 generic_file_buffered_read+0x4d9/0x2130 generic_file_read_iter+0x315/0x490 blkdev_read_iter+0x113/0x1b0 aio_read+0x2ad/0x450 io_submit_one+0xc8e/0x1d60 __se_sys_io_submit+0x125/0x350 do_syscall_64+0x2d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Allocated by task 26380: kasan_save_stack+0x19/0x40 __kasan_kmalloc.constprop.2+0xc1/0xd0 kmem_cache_alloc+0x146/0x440 mempool_alloc+0x125/0x2f0 bio_alloc_bioset+0x353/0x590 mpage_alloc+0x3b/0x240 do_mpage_readpage+0xddf/0x1ef0 mpage_readahead+0x264/0x500 read_pages+0x1c1/0xbf0 page_cache_ra_unbounded+0x471/0x6f0 do_page_cache_ra+0xda/0x110 ondemand_readahead+0x442/0xae0 page_cache_async_ra+0x210/0x300 generic_file_buffered_read+0x4d9/0x2130 generic_file_read_iter+0x315/0x490 blkdev_read_iter+0x113/0x1b0 aio_read+0x2ad/0x450 io_submit_one+0xc8e/0x1d60 __se_sys_io_submit+0x125/0x350 do_syscall_64+0x2d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 0: kasan_save_stack+0x19/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x1b/0x30 __kasan_slab_free+0x111/0x160 kmem_cache_free+0x94/0x460 mempool_free+0xd6/0x320 bio_free+0xe0/0x130 bio_put+0xab/0xe0 bio_endio+0x3a6/0x5d0 blk_update_request+0x590/0x1370 scsi_end_request+0x7d/0x400 scsi_io_completion+0x1aa/0xe50 scsi_softirq_done+0x11b/0x240 blk_mq_complete_request+0xd4/0x120 scsi_mq_done+0xf0/0x200 virtscsi_vq_done+0xbc/0x150 vring_interrupt+0x179/0x390 __handle_irq_event_percpu+0xf7/0x490 handle_irq_event_percpu+0x7b/0x160 handle_irq_event+0xcc/0x170 handle_edge_irq+0x215/0xb20 common_interrupt+0x60/0x120 asm_common_interrupt+0x1e/0x40 Fix this by move BIO_THROTTLED set into the queue_lock. CVE-2022-49465 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2022-49465.html CVE-2022-49465 https://bugzilla.suse.com/1238919 SUSE Bug 1238919 https://bugzilla.suse.com/1238920 SUSE Bug 1238920 In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed CVE-2024-42232 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-42232.html CVE-2024-42232 https://bugzilla.suse.com/1228959 SUSE Bug 1228959 https://bugzilla.suse.com/1229458 SUSE Bug 1229458 In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Avoid memory corruption while setting up Level-2 PBL pages for the non MR resources when num_pages > 256K. There will be a single PDE page address (contiguous pages in the case of > PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid memory access after 256K PBL entries in the PDE. CVE-2024-50208 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-50208.html CVE-2024-50208 https://bugzilla.suse.com/1233117 SUSE Bug 1233117 https://bugzilla.suse.com/1233118 SUSE Bug 1233118 In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent a potential integer overflow If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. CVE-2024-53146 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-53146.html CVE-2024-53146 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234854 SUSE Bug 1234854 In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix bfqq uaf in bfq_limit_depth() Set new allocated bfqq to bic or remove freed bfqq from bic are both protected by bfqd->lock, however bfq_limit_depth() is deferencing bfqq from bic without the lock, this can lead to UAF if the io_context is shared by multiple tasks. For example, test bfq with io_uring can trigger following UAF in v6.6: ================================================================== BUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50 Call Trace: <TASK> dump_stack_lvl+0x47/0x80 print_address_description.constprop.0+0x66/0x300 print_report+0x3e/0x70 kasan_report+0xb4/0xf0 bfqq_group+0x15/0x50 bfqq_request_over_limit+0x130/0x9a0 bfq_limit_depth+0x1b5/0x480 __blk_mq_alloc_requests+0x2b5/0xa00 blk_mq_get_new_requests+0x11d/0x1d0 blk_mq_submit_bio+0x286/0xb00 submit_bio_noacct_nocheck+0x331/0x400 __block_write_full_folio+0x3d0/0x640 writepage_cb+0x3b/0xc0 write_cache_pages+0x254/0x6c0 write_cache_pages+0x254/0x6c0 do_writepages+0x192/0x310 filemap_fdatawrite_wbc+0x95/0xc0 __filemap_fdatawrite_range+0x99/0xd0 filemap_write_and_wait_range.part.0+0x4d/0xa0 blkdev_read_iter+0xef/0x1e0 io_read+0x1b6/0x8a0 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 808602: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x83/0x90 kmem_cache_alloc_node+0x1b1/0x6d0 bfq_get_queue+0x138/0xfa0 bfq_get_bfqq_handle_split+0xe3/0x2c0 bfq_init_rq+0x196/0xbb0 bfq_insert_request.isra.0+0xb5/0x480 bfq_insert_requests+0x156/0x180 blk_mq_insert_request+0x15d/0x440 blk_mq_submit_bio+0x8a4/0xb00 submit_bio_noacct_nocheck+0x331/0x400 __blkdev_direct_IO_async+0x2dd/0x330 blkdev_write_iter+0x39a/0x450 io_write+0x22a/0x840 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x1b/0x30 Freed by task 808589: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 __kasan_slab_free+0x126/0x1b0 kmem_cache_free+0x10c/0x750 bfq_put_queue+0x2dd/0x770 __bfq_insert_request.isra.0+0x155/0x7a0 bfq_insert_request.isra.0+0x122/0x480 bfq_insert_requests+0x156/0x180 blk_mq_dispatch_plug_list+0x528/0x7e0 blk_mq_flush_plug_list.part.0+0xe5/0x590 __blk_flush_plug+0x3b/0x90 blk_finish_plug+0x40/0x60 do_writepages+0x19d/0x310 filemap_fdatawrite_wbc+0x95/0xc0 __filemap_fdatawrite_range+0x99/0xd0 filemap_write_and_wait_range.part.0+0x4d/0xa0 blkdev_read_iter+0xef/0x1e0 io_read+0x1b6/0x8a0 io_issue_sqe+0x87/0x300 io_wq_submit_work+0xeb/0x390 io_worker_handle_work+0x24d/0x550 io_wq_worker+0x27f/0x6c0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x1b/0x30 Fix the problem by protecting bic_to_bfqq() with bfqd->lock. CVE-2024-53166 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-53166.html CVE-2024-53166 https://bugzilla.suse.com/1234884 SUSE Bug 1234884 https://bugzilla.suse.com/1234885 SUSE Bug 1234885 In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix is to ensure that if the RPC call is aborted before the call to nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid() in nfs4_open_release() before the rpc_task is freed. CVE-2024-53173 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-53173.html CVE-2024-53173 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234891 SUSE Bug 1234891 https://bugzilla.suse.com/1234892 SUSE Bug 1234892 In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Properly hide first-in-list PCIe extended capability There are cases where a PCIe extended capability should be hidden from the user. For example, an unknown capability (i.e., capability with ID greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally chosen to be hidden from the user. Hiding a capability is done by virtualizing and modifying the 'Next Capability Offset' field of the previous capability so it points to the capability after the one that should be hidden. The special case where the first capability in the list should be hidden is handled differently because there is no previous capability that can be modified. In this case, the capability ID and version are zeroed while leaving the next pointer intact. This hides the capability and leaves an anchor for the rest of the capability list. However, today, hiding the first capability in the list is not done properly if the capability is unknown, as struct vfio_pci_core_device->pci_config_map is set to the capability ID during initialization but the capability ID is not properly checked later when used in vfio_config_do_rw(). This leads to the following warning [1] and to an out-of-bounds access to ecap_perms array. Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct read only access instead of the ecap_perms array. Note that this is safe since the above is the only case where cap_id can exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which are already checked before). [1] WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1 (snip) Call Trace: <TASK> ? show_regs+0x69/0x80 ? __warn+0x8d/0x140 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? report_bug+0x18f/0x1a0 ? handle_bug+0x63/0xa0 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core] ? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core] vfio_pci_rw+0x101/0x1b0 [vfio_pci_core] vfio_pci_core_read+0x1d/0x30 [vfio_pci_core] vfio_device_fops_read+0x27/0x40 [vfio] vfs_read+0xbd/0x340 ? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio] ? __rseq_handle_notify_resume+0xa4/0x4b0 __x64_sys_pread64+0x96/0xc0 x64_sys_call+0x1c3d/0x20d0 do_syscall_64+0x4d/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2024-53214 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-53214.html CVE-2024-53214 https://bugzilla.suse.com/1235004 SUSE Bug 1235004 https://bugzilla.suse.com/1235005 SUSE Bug 1235005 In the Linux kernel, the following vulnerability has been resolved: nfsd: make sure exp active before svc_export_show The function `e_show` was called with protection from RCU. This only ensures that `exp` will not be freed. Therefore, the reference count for `exp` can drop to zero, which will trigger a refcount use-after-free warning when `exp_get` is called. To resolve this issue, use `cache_get_rcu` to ensure that `exp` remains active. ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 3 PID: 819 at lib/refcount.c:25 refcount_warn_saturate+0xb1/0x120 CPU: 3 UID: 0 PID: 819 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb1/0x120 ... Call Trace: <TASK> e_show+0x20b/0x230 [nfsd] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2024-56558 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-56558.html CVE-2024-56558 https://bugzilla.suse.com/1235100 SUSE Bug 1235100 https://bugzilla.suse.com/1243648 SUSE Bug 1243648 In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: oss: Fix races at processing SysEx messages OSS sequencer handles the SysEx messages split in 6 bytes packets, and ALSA sequencer OSS layer tries to combine those. It stores the data in the internal buffer and this access is racy as of now, which may lead to the out-of-bounds access. As a temporary band-aid fix, introduce a mutex for serializing the process of the SysEx message packets. CVE-2024-57893 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2024-57893.html CVE-2024-57893 https://bugzilla.suse.com/1235920 SUSE Bug 1235920 https://bugzilla.suse.com/1235921 SUSE Bug 1235921 In the Linux kernel, the following vulnerability has been resolved: partitions: mac: fix handling of bogus partition table Fix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory. - We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp(). CVE-2025-21772 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_125-default-15-150400.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502436-1/ https://www.suse.com/security/cve/CVE-2025-21772.html CVE-2025-21772 https://bugzilla.suse.com/1238911 SUSE Bug 1238911 https://bugzilla.suse.com/1238912 SUSE Bug 1238912