Security update for the Linux Kernel (Live Patch 42 for SLE 15 SP3) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0943-1 Final 1 1 2025-03-19T11:34:03Z current 2025-03-19T11:34:03Z 2025-03-19T11:34:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 42 for SLE 15 SP3) This update for the Linux Kernel 5.3.18-150300_59_153 fixes several issues. The following security issues were fixed: - CVE-2024-46818: drm/amd/display: Check gpio_id before used as array index (bsc#1231204). - CVE-2021-47261: Fix initializing CQ fragments buffer (bsc#1224954) - CVE-2024-50302: HID: core: zero-initialize the report buffer (bsc#1233679). - CVE-2022-48792: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task (bsc#1228017). - CVE-2022-48911: kabi: add __nf_queue_get_refs() for kabi compliance. (bsc#1229640). - CVE-2021-47496: Fix flipped sign in tls_err_abort() calls (bsc#1225354) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-936,SUSE-2025-943,SUSE-SLE-Module-Live-Patching-15-SP3-2025-943 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250943-1/ Link for SUSE-SU-2025:0943-1 https://lists.suse.com/pipermail/sle-security-updates/2025-March/020548.html E-Mail link for SUSE-SU-2025:0943-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227656 SUSE Bug 1227656 https://bugzilla.suse.com/1227751 SUSE Bug 1227751 https://bugzilla.suse.com/1228017 SUSE Bug 1228017 https://bugzilla.suse.com/1229640 SUSE Bug 1229640 https://bugzilla.suse.com/1231204 SUSE Bug 1231204 https://bugzilla.suse.com/1233679 SUSE Bug 1233679 https://www.suse.com/security/cve/CVE-2021-47261/ SUSE CVE CVE-2021-47261 page https://www.suse.com/security/cve/CVE-2021-47496/ SUSE CVE CVE-2021-47496 page https://www.suse.com/security/cve/CVE-2022-48792/ SUSE CVE CVE-2022-48792 page https://www.suse.com/security/cve/CVE-2022-48911/ SUSE CVE CVE-2022-48911 page https://www.suse.com/security/cve/CVE-2024-46818/ SUSE CVE CVE-2024-46818 page https://www.suse.com/security/cve/CVE-2024-50302/ SUSE CVE CVE-2024-50302 page SUSE Linux Enterprise Live Patching 15 SP3 kernel-livepatch-5_3_18-150300_59_158-default-14-150300.2.1 kernel-livepatch-5_3_18-150300_59_158-preempt-14-150300.2.1 kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 kernel-livepatch-5_3_18-150300_59_153-preempt-15-150300.2.1 kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP3 In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix initializing CQ fragments buffer The function init_cq_frag_buf() can be called to initialize the current CQ fragments buffer cq->buf, or the temporary cq->resize_buf that is filled during CQ resize operation. However, the offending commit started to use function get_cqe() for getting the CQEs, the issue with this change is that get_cqe() always returns CQEs from cq->buf, which leads us to initialize the wrong buffer, and in case of enlarging the CQ we try to access elements beyond the size of the current cq->buf and eventually hit a kernel panic. [exception RIP: init_cq_frag_buf+103] [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib] [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core] [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt] [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt] [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt] [ffff9f799ddcbec8] kthread at ffffffffa66c5da1 [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that takes the correct source buffer as a parameter. CVE-2021-47261 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250943-1/ https://www.suse.com/security/cve/CVE-2021-47261.html CVE-2021-47261 https://bugzilla.suse.com/1224954 SUSE Bug 1224954 https://bugzilla.suse.com/1227751 SUSE Bug 1227751 In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix flipped sign in tls_err_abort() calls sk->sk_err appears to expect a positive value, a convention that ktls doesn't always follow and that leads to memory corruption in other code. For instance, [kworker] tls_encrypt_done(..., err=<negative error from crypto request>) tls_err_abort(.., err) sk->sk_err = err; [task] splice_from_pipe_feed ... tls_sw_do_sendpage if (sk->sk_err) { ret = -sk->sk_err; // ret is positive splice_from_pipe_feed (continued) ret = actor(...) // ret is still positive and interpreted as bytes // written, resulting in underflow of buf->len and // sd->len, leading to huge buf->offset and bogus // addresses computed in later calls to actor() Fix all tls_err_abort() callers to pass a negative error code consistently and centralize the error-prone sign flip there, throwing in a warning to catch future misuse and uninlining the function so it really does only warn once. CVE-2021-47496 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250943-1/ https://www.suse.com/security/cve/CVE-2021-47496.html CVE-2021-47496 https://bugzilla.suse.com/1225354 SUSE Bug 1225354 https://bugzilla.suse.com/1227656 SUSE Bug 1227656 In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion(). In this case, the following are the two steps in handling those I/O completions: - Call complete() to inform the upper layer handler of completion of the I/O. - Release driver resources associated with the sas_task in pm8001_ccb_task_free() call. When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call. Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering. CVE-2022-48792 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250943-1/ https://www.suse.com/security/cve/CVE-2022-48792.html CVE-2022-48792 https://bugzilla.suse.com/1228013 SUSE Bug 1228013 https://bugzilla.suse.com/1228017 SUSE Bug 1228017 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: fix possible use-after-free Eric Dumazet says: The sock_hold() side seems suspect, because there is no guarantee that sk_refcnt is not already 0. On failure, we cannot queue the packet and need to indicate an error. The packet will be dropped by the caller. v2: split skb prefetch hunk into separate change CVE-2022-48911 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250943-1/ https://www.suse.com/security/cve/CVE-2022-48911.html CVE-2022-48911 https://bugzilla.suse.com/1229633 SUSE Bug 1229633 https://bugzilla.suse.com/1229640 SUSE Bug 1229640 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check gpio_id before used as array index [WHY & HOW] GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore should be checked in advance. This fixes 5 OVERRUN issues reported by Coverity. CVE-2024-46818 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250943-1/ https://www.suse.com/security/cve/CVE-2024-46818.html CVE-2024-46818 https://bugzilla.suse.com/1231203 SUSE Bug 1231203 https://bugzilla.suse.com/1231204 SUSE Bug 1231204 In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report. CVE-2024-50302 SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_153-default-15-150300.2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250943-1/ https://www.suse.com/security/cve/CVE-2024-50302.html CVE-2024-50302 https://bugzilla.suse.com/1233491 SUSE Bug 1233491 https://bugzilla.suse.com/1233679 SUSE Bug 1233679