Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20260-1 Final 1 1 2025-04-17T10:48:21Z current 2025-04-17T10:48:21Z 2025-04-17T10:48:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-52927: netfilter: allow exp not to be removed in nf_ct_find_expectation (bsc#1239644). - CVE-2024-26708: mptcp: fix inconsistent state on fastopen race (bsc#1222672). - CVE-2024-35910: tcp: properly terminate timers for kernel sockets (bsc#1224489). - CVE-2024-40980: drop_monitor: replace spin_lock by raw_spin_lock (bsc#1227937). - CVE-2024-41005: netpoll: Fix race condition in netpoll_owner_active (bsc#1227858). - CVE-2024-44974: mptcp: pm: avoid possible UaF when selecting endp (bsc#1230235). - CVE-2024-45009: mptcp: pm: only decrement add_addr_accepted for MPJ req (bsc#1230438). - CVE-2024-45010: mptcp: pm: only mark 'subflow' endp as available (bsc#1230439). - CVE-2024-46782: ila: call nf_unregister_net_hooks() sooner (bsc#1230769). - CVE-2024-46858: mptcp: pm: Fix uaf in __timer_delete_sync (bsc#1231088). - CVE-2024-47408: net/smc: check smcd_v2_ext_offset when receiving proposal msg (bsc#1235711). - CVE-2024-47794: kABI: bpf: Prevent tailcall infinite loop caused by freplace kABI workaround (bsc#1235712). - CVE-2024-49571: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg (bsc#1235733). - CVE-2024-49940: kABI fix for l2tp: prevent possible tunnel refcount underflow (bsc#1232812). - CVE-2024-50029: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync (bsc#1231949). - CVE-2024-50036: net: do not delay dst_entries_add() in dst_release() (bsc#1231912). - CVE-2024-50056: usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c (bsc#1232389). - CVE-2024-50085: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow (bsc#1232508). - CVE-2024-50140: net: sched: use RCU read-side critical section in taprio_dump() (bsc#1233060). - CVE-2024-50142: xfrm: validate new SA's prefixlen using SA family when sel.family is unset (bsc#1233028). - CVE-2024-50185: kABI fix for mptcp: handle consistently DSS corruption (bsc#1233109). - CVE-2024-50251: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() (bsc#1233248). - CVE-2024-50258: net: fix crash when config small gso_max_size/gso_ipv4_max_size (bsc#1233221). - CVE-2024-50294: rxrpc: Fix missing locking causing hanging calls (bsc#1233483). - CVE-2024-50304: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() (bsc#1233522). - CVE-2024-53057: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT (bsc#1233551). - CVE-2024-53123: mptcp: error out earlier on disconnect (bsc#1234070). - CVE-2024-53140: netlink: terminate outstanding dump on socket close (bsc#1234222). - CVE-2024-53147: exfat: fix out-of-bounds access of directory entries (bsc#1234857). - CVE-2024-53176: smb: During unmount, ensure all cached dir instances drop their dentry (bsc#1234894). - CVE-2024-53177: smb: prevent use-after-free due to open_cached_dir error paths (bsc#1234896). - CVE-2024-53178: smb: Do not leak cfid when reconnect races with open_cached_dir (bsc#1234895). - CVE-2024-53680: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() (bsc#1235715). - CVE-2024-54683: netfilter: IDLETIMER: Fix for possible ABBA deadlock (bsc#1235729). - CVE-2024-56592: bpf: Call free_htab_elem() after htab_unlock_bucket() (bsc#1235244). - CVE-2024-56633: selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap (bsc#1235485). - CVE-2024-56638: kABI fix for "netfilter: nft_inner: incorrect percpu area handling under softirq" (bsc#1235524). - CVE-2024-56640: net/smc: fix LGR and link use-after-free issue (bsc#1235436). - CVE-2024-56647: net: Fix icmp host relookup triggering ip_rt_bug (bsc#1235435). - CVE-2024-56658: net: defer final 'struct net' free in netns dismantle (bsc#1235441). - CVE-2024-56702: bpf: Add tracepoints with null-able arguments (bsc#1235501). - CVE-2024-56703: ipv6: Fix soft lockups in fib6_select_path under high next hop churn (bsc#1235455). - CVE-2024-56718: net/smc: protect link down work from execute after lgr freed (bsc#1235589). - CVE-2024-56719: net: stmmac: fix TSO DMA API usage causing oops (bsc#1235591). - CVE-2024-56720: bpf, sockmap: Several fixes to bpf_msg_pop_data (bsc#1235592). - CVE-2024-56751: ipv6: release nexthop on device removal (bsc#1234936). - CVE-2024-56758: btrfs: check folio mapping after unlock in relocate_one_folio() (bsc#1235621). - CVE-2024-56770: net/sched: netem: account for backlog updates from child qdisc (bsc#1235637). - CVE-2024-57882: mptcp: fix TCP options overflow. (bsc#1235914). - CVE-2024-57900: ila: serialize calls to nf_register_net_hooks() (bsc#1235973). - CVE-2024-57947: netfilter: nf_set_pipapo: fix initial map fill (bsc#1236333). - CVE-2024-57974: udp: Deal with race between UDP socket address change and rehash (bsc#1238532). - CVE-2024-57979: kABI workaround for pps changes (bsc#1238521). - CVE-2024-57994: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() (bsc#1237901). - CVE-2024-57996: net_sched: sch_sfq: do not allow 1 packet limit (bsc#1239076). - CVE-2024-58012: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params (bsc#1239104). - CVE-2024-58019: nvkm/gsp: correctly advance the read pointer of GSP message queue (bsc#1238997). - CVE-2024-58083: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (bsc#1239036). - CVE-2025-21635: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy (bsc#1236111). - CVE-2025-21636: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy (bsc#1236113). - CVE-2025-21637: sctp: sysctl: udp_port: avoid using current->nsproxy (bsc#1236114). - CVE-2025-21638: sctp: sysctl: auth_enable: avoid using current->nsproxy (bsc#1236115). - CVE-2025-21639: sctp: sysctl: rto_min/max: avoid using current->nsproxy (bsc#1236122). - CVE-2025-21640: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy (bsc#1236123). - CVE-2025-21647: sched: sch_cake: add bounds checks to host bulk flow fairness counts (bsc#1236133). - CVE-2025-21659: netdev: prevent accessing NAPI instances from another namespace (bsc#1236206). - CVE-2025-21665: filemap: avoid truncating 64-bit offset to 32 bits (bsc#1236684). - CVE-2025-21666: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] (bsc#1236680). - CVE-2025-21667: iomap: avoid avoid truncating 64-bit offset to 32 bits (bsc#1236681). - CVE-2025-21668: pmdomain: imx8mp-blk-ctrl: add missing loop break condition (bsc#1236682). - CVE-2025-21669: vsock/virtio: discard packets if the transport changes (bsc#1236683). - CVE-2025-21670: vsock/bpf: return early if transport is not assigned (bsc#1236685). - CVE-2025-21673: smb: client: fix double free of TCP_Server_Info::hostname (bsc#1236689). - CVE-2025-21675: net/mlx5: Clear port select structure when fail to create (bsc#1236694). - CVE-2025-21678: gtp: Destroy device along with udp socket's netns dismantle (bsc#1236698). - CVE-2025-21680: pktgen: Avoid out-of-bounds access in get_imix_entries (bsc#1236700). - CVE-2025-21681: openvswitch: fix lockup on tx to unregistering netdev with carrier (bsc#1236702). - CVE-2025-21687: vfio/platform: check the bounds of read/write syscalls (bsc#1237045). - CVE-2025-21692: net: sched: fix ets qdisc OOB Indexing (bsc#1237028). - CVE-2025-21693: mm: zswap: properly synchronize freeing resources during CPU hotunplug (bsc#1237029). - CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159). - CVE-2025-21701: net: avoid race between device unregistration and ethnl ops (bsc#1237164). - CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313). - CVE-2025-21705: mptcp: handle fastopen disconnect correctly (bsc#1238525). - CVE-2025-21706: mptcp: pm: only set fullmesh for subflow endp (bsc#1238528). - CVE-2025-21715: net: davicom: fix UAF in dm9000_drv_remove (bsc#1237889). - CVE-2025-21716: vxlan: Fix uninit-value in vxlan_vnifilter_dump() (bsc#1237891). - CVE-2025-21719: ipmr: do not call mr_mfc_uses_dev() for unres entries (bsc#1238860). - CVE-2025-21724: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() (bsc#1238863). - CVE-2025-21725: smb: client: fix oops due to unset link speed (bsc#1238877). - CVE-2025-21728: bpf: Send signals asynchronously if !preemptible (bsc#1237879). - CVE-2025-21733: tracing/osnoise: Fix resetting of tracepoints (bsc#1238494). - CVE-2025-21739: kABI: ufshcd: add ufshcd_dealloc_host back (bsc#1238506). - CVE-2025-21753: btrfs: fix use-after-free when attempting to join an aborted transaction (bsc#1237875). - CVE-2025-21754: btrfs: fix assertion failure when splitting ordered extent after transaction abort (bsc#1238496). - CVE-2025-21759: ipv6: mcast: extend RCU protection in igmp6_send() (bsc#1238738). - CVE-2025-21760: ndisc: extend RCU protection in ndisc_send_skb() (bsc#1238763). - CVE-2025-21761: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (bsc#1238775). - CVE-2025-21762: arp: use RCU protection in arp_xmit() (bsc#1238780). - CVE-2025-21763: neighbour: use RCU protection in __neigh_notify() (bsc#1237897). - CVE-2025-21765: ipv6: use RCU protection in ip6_default_advmss() (bsc#1237906). - CVE-2025-21766: ipv4: use RCU protection in __ip_rt_update_pmtu() (bsc#1238754). - CVE-2025-21767: clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context (bsc#1238509). - CVE-2025-21790: vxlan: check vxlan_vnigroup_init() return value (bsc#1238753). - CVE-2025-21791: vrf: use RCU protection in l3mdev_l3_out() (bsc#1238512). - CVE-2025-21795: NFSD: fix hang in nfsd4_shutdown_callback (bsc#1238759). - CVE-2025-21799: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() (bsc#1238739). - CVE-2025-21802: net: hns3: fix oops when unload drivers paralleling (bsc#1238751). - CVE-2025-21825: selftests/bpf: Add test case for the freeing of bpf_timer (bsc#1238971). - CVE-2025-21844: smb: client: Add check for next_buffer in receive_encrypted_standard() (bsc#1239512). - CVE-2025-21848: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() (bsc#1239479). - CVE-2025-21856: s390/ism: add release function for struct device (bsc#1239486). - CVE-2025-21857: net/sched: cls_api: fix error handling causing NULL dereference (bsc#1239478). - CVE-2025-21861: mm/migrate_device: do not add folio to be freed to LRU in migrate_device_finalize() (bsc#1239483). - CVE-2025-21862: drop_monitor: fix incorrect initialization order (bsc#1239474). - CVE-2025-21864: kABI fix for tcp: drop secpath at the same time as we currently drop (bsc#1239482). - CVE-2025-21865: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl() (bsc#1239481). - CVE-2025-21870: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers (bsc#1240191). - CVE-2025-21871: tee: optee: Fix supplicant wait loop (bsc#1240183). - CVE-2025-21883: ice: Fix deinitializing VF in error path (bsc#1240189). - CVE-2025-21890: idpf: fix checksums set in idpf_rx_rsc() (bsc#1240173). - CVE-2025-21891: ipvlan: ensure network headers are in skb linear part (bsc#1240186). The following non-security bugs were fixed: - ACPI: PRM: Remove unnecessary strict handler address checks (git-fixes). - ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are invalid (bsc#1237530). - ACPI: property: Fix return value for nval == 0 in acpi_data_prop_read() (git-fixes). - ACPI: resource: IRQ override for Eluktronics MECH-17 (stable-fixes). - ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V (stable-fixes). - ALSA: hda/cirrus: Correct the full scale volume set logic (git-fixes). - ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED (stable-fixes). - ALSA: hda/realtek - add supported Mic Mute LED for Lenovo platform (stable-fixes). - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx (stable-fixes). - ALSA: hda/realtek: Add support for ASUS B3405 and B3605 Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS B5405 and B5605 Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS ROG Strix G814 Laptop using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS ROG Strix GA603 Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for various ASUS Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Add support for various HP Laptops using CS35L41 HDA (stable-fixes). - ALSA: hda/realtek: Always honor no_shutup_pins (git-fixes). - ALSA: hda/realtek: Fix Asus Z13 2025 audio (stable-fixes). - ALSA: hda/realtek: Fix built-in mic assignment on ASUS VivoBook X515UA (git-fixes). - ALSA: hda/realtek: Fix microphone regression on ASUS N705UD (git-fixes). - ALSA: hda/realtek: Fix wrong mic setup for ASUS VivoBook 15 (git-fixes). - ALSA: hda/realtek: Fixup ALC225 depop procedure (git-fixes). - ALSA: hda/realtek: Limit mic boost on Positivo ARN50 (stable-fixes). - ALSA: hda/realtek: Remove (revert) duplicate Ally X config (git-fixes). - ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx (stable-fixes). - ALSA: hda/realtek: update ALC222 depop optimize (stable-fixes). - ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls() (git-fixes). - ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0 (stable-fixes). - ALSA: hda: intel: Add Dell ALC3271 to power_save denylist (stable-fixes). - ALSA: hda: realtek: fix incorrect IS_REACHABLE() usage (git-fixes). - ALSA: pcm: Drop superfluous NULL check in snd_pcm_format_set_silence() (git-fixes). - ALSA: seq: Avoid module auto-load handling at event delivery (stable-fixes). - ALSA: seq: Drop UMP events when no UMP-conversion is set (git-fixes). - ALSA: seq: Make dependency on UMP clearer (git-fixes). - ALSA: seq: remove redundant 'tristate' for SND_SEQ_UMP_CLIENT (stable-fixes). - ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names (stable-fixes). - ALSA: usb-audio: Avoid dropping MIDI events at closing multiple ports (git-fixes). - ALSA: usb-audio: Re-add sample rate quirk for Pioneer DJM-900NXS2 (stable-fixes). - ALSA: usb-audio: separate DJM-A9 cap lvl options (git-fixes). - ALSA: usx2y: validate nrpacks module parameter on probe (git-fixes). - APEI: GHES: Have GHES honor the panic= setting (stable-fixes). - ASoC: Intel: avs: Abstract IPC handling (stable-fixes). - ASoC: Intel: avs: Do not readq() u32 registers (git-fixes). - ASoC: Intel: avs: Prefix SKL/APL-specific members (stable-fixes). - ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V (stable-fixes). - ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module (stable-fixes). - ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE (stable-fixes). - ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close (git-fixes). - ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() (git-fixes). - ASoC: amd: Add ACPI dependency to fix build error (stable-fixes). - ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model (stable-fixes). - ASoC: arizona/madera: use fsleep() in up/down DAPM event delays (stable-fixes). - ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() (git-fixes). - ASoC: cs35l41: check the return value from spi_setup() (git-fixes). - ASoC: es8328: fix route from DAC to output (git-fixes). - ASoC: fsl_micfil: Enable default case in micfil_set_quality() (git-fixes). - ASoC: ops: Consistently treat platform_max as control value (git-fixes). - ASoC: rockchip: i2s-tdm: fix shift config for SND_SOC_DAIFMT_DSP_[AB] (git-fixes). - ASoC: rt722-sdca: add missing readable registers (git-fixes). - ASoC: tas2764: Fix power control mask (stable-fixes). - ASoC: tas2764: Set the SDOUT polarity correctly (stable-fixes). - ASoC: tas2770: Fix volume scale (stable-fixes). - ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio compatible (git-fixes). - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() (git-fixes). - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() (git-fixes). - Bluetooth: Fix error code in chan_alloc_skb_cb() (git-fixes). - Bluetooth: HCI: Add definition of hci_rp_remote_name_req_cancel (git-fixes). - Bluetooth: Improve setsockopt() handling of malformed user input (git-fixes). - Bluetooth: L2CAP: Fix L2CAP_ECRED_CONN_RSP response (git-fixes). - Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (stable-fixes). - Bluetooth: hci_event: Fix connection regression between LE and non-LE adapters (git-fixes). - Bluetooth: hci_event: Fix enabling passive scanning (git-fixes). - Documentation: qat: fix auto_reset attribute details (git-fixes). - Documentation: qat: fix auto_reset section (git-fixes). - Drivers: hv: vmbus: Do not release fb_mmio resource in vmbus_free_mmio() (git-fixes). - Fix memory-hotplug regression (bsc#1237504) - Grab mm lock before grabbing pt lock (git-fixes). - HID: Enable playstation driver independently of sony driver (git-fixes). - HID: Wacom: Add PCI Wacom device support (stable-fixes). - HID: apple: disable Fn key handling on the Omoton KB066 (git-fixes). - HID: apple: fix up the F6 key on the Omoton KB066 keyboard (stable-fixes). - HID: appleir: Fix potential NULL dereference at raw event handle (git-fixes). - HID: google: fix unused variable warning under !CONFIG_ACPI (git-fixes). - HID: hid-apple: Apple Magic Keyboard a3203 USB-C support (stable-fixes). - HID: hid-steam: Add Deck IMU support (stable-fixes). - HID: hid-steam: Add gamepad-only mode switched to by holding options (stable-fixes). - HID: hid-steam: Avoid overwriting smoothing parameter (stable-fixes). - HID: hid-steam: Clean up locking (stable-fixes). - HID: hid-steam: Disable watchdog instead of using a heartbeat (stable-fixes). - HID: hid-steam: Do not use cancel_delayed_work_sync in IRQ context (git-fixes). - HID: hid-steam: Fix cleanup in probe() (git-fixes). - HID: hid-steam: Fix use-after-free when detaching device (git-fixes). - HID: hid-steam: Make sure rumble work is canceled on removal (stable-fixes). - HID: hid-steam: Move hidraw input (un)registering to work (git-fixes). - HID: hid-steam: Update list of identifiers from SDL (stable-fixes). - HID: hid-steam: remove pointless error message (stable-fixes). - HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() (git-fixes). - HID: i2c-hid: Skip SET_POWER SLEEP for Cirque touchpad on system suspend (stable-fixes). - HID: ignore non-functional sensor in HP 5MP Camera (stable-fixes). - HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (git-fixes). - HID: intel-ish-hid: Send clock sync message immediately after reset (stable-fixes). - HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell (stable-fixes). - HID: multitouch: Add NULL check in mt_input_configured (git-fixes). - HID: remove superfluous (and wrong) Makefile entry for CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER (git-fixes). - HID: topre: Fix n-key rollover on Realforce R3S TKL boards (stable-fixes). - IB/mad: Check available slots before posting receive WRs (git-fixes) - IB/mlx5: Set and get correct qp_num for a DCT QP (git-fixes) - Input: ads7846 - fix gpiod allocation (git-fixes). - Input: allocate keycode for phone linking (stable-fixes). - Input: i8042 - add required quirks for missing old boardnames (stable-fixes). - Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ (stable-fixes). - Input: i8042 - swap old quirk combination with new quirk for more devices (stable-fixes). - Input: i8042 - swap old quirk combination with new quirk for several devices (stable-fixes). - Input: iqs7222 - add support for Azoteq IQS7222D (git-fixes). - Input: iqs7222 - add support for IQS7222D v1.1 and v1.2 (git-fixes). - Input: iqs7222 - preserve system status register (git-fixes). - Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE controllers (stable-fixes). - Input: xpad - add multiple supported devices (stable-fixes). - Input: xpad - add support for TECNO Pocket Go (stable-fixes). - Input: xpad - add support for ZOTAC Gaming Zone (stable-fixes). - Input: xpad - rename QH controller to Legion Go S (stable-fixes). - KVM: VMX: Allow toggling bits in MSR_IA32_RTIT_CTL when enable bit is cleared (git-fixes). - KVM: VMX: Fix comment of handle_vmx_instruction() (git-fixes). - KVM: VMX: reset the segment cache after segment init in vmx_vcpu_reset() (jsc#PED-348 git-fixes). - KVM: arm64: Do not eagerly teardown the vgic on init error (git-fixes). - KVM: arm64: Ensure vgic_ready() is ordered against MMIO registration (git-fixes). - KVM: arm64: Fix alignment of kvm_hyp_memcache allocations (git-fixes). - KVM: arm64: Flush hyp bss section after initialization of variables in bss (git-fixes). - KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state (git-fixes) - KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR (git-fixes). - KVM: nSVM: Enter guest mode before initializing nested NPT MMU (git-fixes). - KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled (jsc#PED-348 git-fixes). - KVM: s390: vsie: fix some corner-cases when grabbing vsie pages (git-fixes bsc#1237155). - KVM: x86/mmu: Skip the "try unsync" path iff the old SPTE was a leaf SPTE (git-fixes). - KVM: x86: AMD's IBPB is not equivalent to Intel's IBPB (git-fixes). - KVM: x86: Account for KVM-reserved CR4 bits when passing through CR4 on VMX (git-fixes). - KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace (git-fixes). - KVM: x86: Avoid double RDPKRU when loading host/guest PKRU (git-fixes). - KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init (git-fixes). - KVM: x86: Fix a comment inside __kvm_set_or_clear_apicv_inhibit() (git-fixes). - KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel (git-fixes). - KVM: x86: Unconditionally set irr_pending when updating APICv state (jsc#PED-348). - KVM: x86: Zero out PV features cache when the CPUID leaf is not present (git-fixes). - Move upstreamed ACPI patch into sorted section - Move upstreamed PCI and initramfs patches into sorted section - Move upstreamed nfsd and sunrpc patches into sorted section - Move upstreamed powerpc and SCSI patches into sorted section - PCI/ACS: Fix 'pci=config_acs=' parameter (git-fixes). - PCI/ASPM: Fix link state exit during switch upstream function removal (git-fixes). - PCI/DOE: Poll DOE Busy bit for up to 1 second in pci_doe_send_req() (bsc#1237853) - PCI/DOE: Support discovery version 2 (bsc#1237853) - PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P (stable-fixes). - PCI/portdrv: Only disable pciehp interrupts early when needed (git-fixes). - PCI: Avoid reset when disabled via sysfs (git-fixes). - PCI: Fix reference leak in pci_alloc_child_bus() (git-fixes). - PCI: Remove stray put_device() in pci_register_host_bridge() (git-fixes). - PCI: Use downstream bridges for distributing resources (bsc#1237325). - PCI: brcmstb: Fix error path after a call to regulator_bulk_get() (git-fixes). - PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() (git-fixes). - PCI: brcmstb: Fix potential premature regulator disabling (git-fixes). - PCI: brcmstb: Set generation limit before PCIe link up (git-fixes). - PCI: brcmstb: Use internal register to change link capability (git-fixes). - PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data payload (git-fixes). - PCI: dwc: ep: Return -ENOMEM for allocation failures (git-fixes). - PCI: hookup irq_get_affinity callback (bsc#1236896). - PCI: imx6: Simplify clock handling by using clk_bulk*() function (git-fixes). - PCI: pciehp: Do not enable HPIE when resuming in poll mode (git-fixes). - PCI: switchtec: Add Microchip PCI100X device IDs (stable-fixes). - PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe (git-fixes). - PM: sleep: Adjust check before setting power.must_resume (git-fixes). - PM: sleep: Fix handling devices with direct_complete set on errors (git-fixes). - RAS: Avoid build errors when CONFIG_DEBUG_FS=n (jsc#PED-7619). - RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx (git-fixes) - RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path (git-fixes) - RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers (git-fixes) - RDMA/bnxt_re: Fix the statistics for Gen P7 VF (git-fixes) - RDMA/core: Do not expose hw_counters outside of init net namespace (git-fixes) - RDMA/efa: Reset device on probe failure (git-fixes) - RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() (git-fixes) - RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() (git-fixes) - RDMA/hns: Fix mbox timing out by adding retry mechanism (git-fixes) - RDMA/hns: Fix missing xa_destroy() (git-fixes) - RDMA/hns: Fix soft lockup during bt pages loop (git-fixes) - RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() (git-fixes) - RDMA/hns: Fix wrong value of max_sge_rd (git-fixes) - RDMA/mana_ib: Allocate PAGE aligned doorbell index (git-fixes). - RDMA/mana_ib: Prefer struct_size over open coded arithmetic (bsc#1239016). - RDMA/mlx5: Fix AH static rate parsing (git-fixes) - RDMA/mlx5: Fix MR cache initialization error flow (git-fixes) - RDMA/mlx5: Fix a WARN during dereg_mr for DM type (git-fixes) - RDMA/mlx5: Fix a race for DMABUF MR which can lead to CQE with error (git-fixes) - RDMA/mlx5: Fix bind QP error cleanup flow (git-fixes) - RDMA/mlx5: Fix cache entry update on dereg error (git-fixes) - RDMA/mlx5: Fix calculation of total invalidated pages (git-fixes) - RDMA/mlx5: Fix implicit ODP hang on parent deregistration (git-fixes) - RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow (git-fixes) - RDMA/mlx5: Fix the recovery flow of the UMR QP (git-fixes) - RDMA/mlx5: Handle errors returned from mlx5r_ib_rate() (git-fixes) - RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests (git-fixes) - RDMA/rxe: Improve newline in printing messages (git-fixes) - Reapply "wifi: ath11k: restore country code during resume" (bsc#1207948). - Revert "blk-throttle: Fix IO hang for a corner case" (git-fixes). - Revert "dm: requeue IO if mapping table not yet available" (git-fixes). - Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection" (git-fixes). - Revert "drm/amd/display: Use HW lock mgr for PSR1" (stable-fixes). - Revert "leds-pca955x: Remove the unused function pca95xx_num_led_regs()" (stable-fixes). - Revert "wifi: ath11k: restore country code during resume" (bsc#1207948). - Revert "wifi: ath11k: support hibernation" (bsc#1207948). - SUNRPC: Handle -ETIMEDOUT return from tlshd (git-fixes). - SUNRPC: Prevent looping due to rpc_signal_task() races (git-fixes). - SUNRPC: convert RPC_TASK_* constants to enum (git-fixes). - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() (git-fixes). - USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone (stable-fixes). - USB: Fix the issue of task recovery failure caused by USB status when S4 wakes up (git-fixes). - USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk (git-fixes). - USB: gadget: f_midi: f_midi_complete to call queue_work (git-fixes). - USB: hub: Ignore non-compliant devices with too many configs or interfaces (stable-fixes). - USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI (stable-fixes). - USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist (stable-fixes). - USB: serial: ftdi_sio: add support for Altera USB Blaster 3 (stable-fixes). - USB: serial: option: add MeiG Smart SLM828 (stable-fixes). - USB: serial: option: add Telit Cinterion FE990B compositions (stable-fixes). - USB: serial: option: add Telit Cinterion FN990B compositions (stable-fixes). - USB: serial: option: drop MeiG Smart defines (stable-fixes). - USB: serial: option: fix Telit Cinterion FE990A name (stable-fixes). - USB: serial: option: fix Telit Cinterion FN990A name (stable-fixes). - USB: serial: option: match on interface class for Telit FN990B (stable-fixes). - Update "drm/mgag200: Added support for the new device G200eH5" (jsc#PED-12094) - Use gcc-13 for build on SLE16 (jsc#PED-10028). - accel/qaic: Fix integer overflow in qaic_validate_req() (git-fixes). - accel/qaic: Fix possible data corruption in BOs > 2G (git-fixes). - acct: block access to kernel internal filesystems (git-fixes). - acct: perform last write from workqueue (git-fixes). - add nf_tables for iptables non-legacy network handling. - af_packet: do not call packet_read_pending() from tpacket_destruct_skb() (bsc#1237849). - af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb() (bsc#1239435). - af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash (bsc#1239435). - af_unix: Remove put_pid()/put_cred() in copy_peercred() (bsc#1240334). - amdgpu/pm/legacy: fix suspend/resume issues (git-fixes). - arm64/mm: Ensure adequate HUGE_MAX_HSTATE (git-fixes) - arm64: Handle .ARM.attributes section in linker scripts (git-fixes) - arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (git-fixes) - arm64: cputype: Add MIDR_CORTEX_A76AE (git-fixes) - arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to (git-fixes) - arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply (git-fixes) - arm64: dts: rockchip: Add avdd HDMI supplies to RockPro64 board dtsi (git-fixes) - arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board (git-fixes) - arm64: dts: rockchip: Fix PWM pinctrl names (git-fixes) - arm64: dts: rockchip: Remove bluetooth node from rock-3a (git-fixes) - arm64: dts: rockchip: Remove undocumented sdmmc property from (git-fixes) - arm64: dts: rockchip: add rs485 support on uart5 of (git-fixes) - arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou (git-fixes) - arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou (git-fixes) - arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe (git-fixes) - arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list (git-fixes) - arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() (git-fixes) - arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre (git-fixes) - arm64: hugetlb: Fix flush_hugetlb_tlb_range() invalidation level (git-fixes) - arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes (git-fixes) - arm64: hugetlb: enable __HAVE_ARCH_FLUSH_HUGETLB_TLB_RANGE (git-fixes) - arm64: mm: Populate vmemmap at the page level if not section aligned (git-fixes) - arm64: tegra: Remove the Orin NX/Nano suspend key (git-fixes) - ata: ahci: Add mask_port_map module parameter (git-fixes). - ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf (git-fixes). - ata: libata-scsi: Remove redundant sense_buffer memsets (git-fixes). - ata: libata-sff: Ensure that we cannot write outside the allocated buffer (stable-fixes). - ata: libata: Fix NCQ Non-Data log not supported print (git-fixes). - ata: pata_parport: add custom version of wait_after_reset (git-fixes). - ata: pata_parport: fit3: implement IDE command set registers (git-fixes). - ata: pata_serverworks: Do not use the term blacklist (git-fixes). - ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() (git-fixes). - ata: sata_sil: Rename sil_blacklist to sil_quirks (git-fixes). - auxdisplay: panel: Fix an API misuse in panel.c (git-fixes). - backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() (git-fixes). - batman-adv: Drop unmanaged ELP metric worker (git-fixes). - batman-adv: Ignore neighbor throughput metrics in error case (stable-fixes). - batman-adv: Ignore own maximum aggregation size during RX (git-fixes). - batman-adv: fix panic during interface removal (git-fixes). - bio-integrity: do not restrict the size of integrity metadata (git-fixes). - bitmap: introduce generic optimized bitmap_size() (git-fixes). - blk-cgroup: Fix class @block_class's subsystem refcount leakage (bsc#1237558). - blk-cgroup: Properly propagate the iostat update up the hierarchy (bsc#1225606). - blk-iocost: Avoid using clamp() on inuse in __propagate_weights() (git-fixes). - blk-mq: Make blk_mq_quiesce_tagset() hold the tag list mutex less long (git-fixes). - blk-mq: add number of queue calc helper (bsc#1236897). - blk-mq: create correct map for fallback case (bsc#1236896). - blk-mq: do not count completed flush data request as inflight in case of quiesce (git-fixes). - blk-mq: introduce blk_mq_map_hw_queues (bsc#1236896). - blk-mq: issue warning when offlining hctx with online isolcpus (bsc#1236897). - blk-mq: move cpuhp callback registering out of q->sysfs_lock (git-fixes). - blk-mq: register cpuhp callback after hctx is added to xarray table (git-fixes). - blk-mq: use hk cpus only when isolcpus=managed_irq is enabled (bsc#1236897). - blk_iocost: remove some duplicate irq disable/enables (git-fixes). - block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() (git-fixes). - block: Clear zone limits for a non-zoned stacked queue (git-fixes). - block: Fix elevator_get_default() checking for NULL q->tag_set (git-fixes). - block: Fix lockdep warning in blk_mq_mark_tag_wait (git-fixes). - block: Fix page refcounts for unaligned buffers in __bio_release_pages() (git-fixes). - block: Provide bdev_open_* functions (git-fixes). - block: Remove special-casing of compound pages (git-fixes). - block: Set memalloc_noio to false on device_add_disk() error path (git-fixes). - block: add a disk_has_partscan helper (git-fixes). - block: add a partscan sysfs attribute for disks (git-fixes). - block: add check of 'minors' and 'first_minor' in device_add_disk() (git-fixes). - block: avoid to reuse `hctx` not removed from cpuhp callback list (git-fixes). - block: change rq_integrity_vec to respect the iterator (git-fixes). - block: cleanup and fix batch completion adding conditions (git-fixes). - block: copy back bounce buffer to user-space correctly in case of split (git-fixes). - block: do not revert iter for -EIOCBQUEUED (git-fixes). - block: ensure we hold a queue reference when using queue limits (git-fixes). - block: fix and simplify blkdevparts= cmdline parsing (git-fixes). - block: fix bio_split_rw_at to take zone_write_granularity into account (git-fixes). - block: fix integer overflow in BLKSECDISCARD (git-fixes). - block: fix missing dispatching request when queue is started or unquiesced (git-fixes). - block: fix ordering between checking BLK_MQ_S_STOPPED request adding (git-fixes). - block: fix ordering between checking QUEUE_FLAG_QUIESCED request adding (git-fixes). - block: fix sanity checks in blk_rq_map_user_bvec (git-fixes). - block: propagate partition scanning errors to the BLKRRPART ioctl (git-fixes). - block: remove the blk_flush_integrity call in blk_integrity_unregister (git-fixes). - block: retry call probe after request_module in blk_request_module (git-fixes). - block: return unsigned int from bdev_io_min (git-fixes). - block: sed-opal: avoid possible wrong address reference in read_sed_opal_key() (git-fixes). - block: support to account io_ticks precisely (git-fixes). - block: use the right type for stub rq_integrity_vec() (git-fixes). - bluetooth: btusb: Initialize .owner field of force_poll_sync_fops (git-fixes). - bnxt_en: Fix possible memory leak when hwrm_req_replace fails (git-fixes). - bnxt_en: Refactor bnxt_ptp_init() (git-fixes). - bnxt_en: Unregister PTP during PCI shutdown and suspend (git-fixes). - bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie (git-fixes). - bpf: Fix a verifier verbose message (git-fixes). - bpf: Replace bpf_lpm_trie_key 0-length array with flexible array (git-fixes). - bpf: Use -Wno-error in certain tests when building with GCC (git-fixes). - bpf: prevent r10 register from being marked as precise (git-fixes). - broadcom: fix supported flag check in periodic output function (git-fixes). - btrfs: check delayed refs when we're checking if a ref exists (bsc#1239605). - btrfs: do not use btrfs_bio_ctrl for extent buffer writing (bsc#1239045). - btrfs: drop the backref cache during relocation if we commit (bsc#1239605). - btrfs: fix defrag not merging contiguous extents due to merged extent maps (bsc#1237232). - btrfs: fix extent map merging not happening for adjacent extents (bsc#1237232). - btrfs: remove the mirror_num argument to btrfs_submit_compressed_read (bsc#1239045). - btrfs: subpage: fix error handling in end_bio_subpage_eb_writepage (bsc#1239045). - btrfs: use a separate end_io handler for extent_buffer writing (bsc#1239045). - bus: mhi: host: Fix race between unprepare and queue_buf (git-fixes). - bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock (git-fixes). - bus: qcom-ssc-block-bus: Fix the error handling path of qcom_ssc_block_bus_probe() (git-fixes). - bus: qcom-ssc-block-bus: Remove some duplicated iounmap() calls (git-fixes). - bus: simple-pm-bus: fix forced runtime PM use (git-fixes). - can: c_can: fix unbalanced runtime PM disable in error path (git-fixes). - can: ctucanfd: handle skb allocation failure (git-fixes). - can: etas_es58x: fix potential NULL pointer dereference on udev->serial (git-fixes). - can: flexcan: disable transceiver during system PM (git-fixes). - can: flexcan: only change CAN state when link up in system PM (git-fixes). - can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero (git-fixes). - can: rcar_canfd: Fix page entries in the AFL list (git-fixes). - can: ucan: fix out of bound read in strscpy() source (git-fixes). - cdx: Fix possible UAF error in driver_override_show() (git-fixes). - char: misc: deallocate static minor in error path (git-fixes). - chelsio/chtls: prevent potential integer overflow on 32bit (git-fixes). - cifs: Fix parsing reparse point with native symlink in SMB1 non-UNICODE session (git-fixes). - cifs: Remove intermediate object of failed create reparse call (git-fixes). - cifs: commands that are retried should have replay flag set (bsc#1231432). - cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path (bsc#1231432). - cifs: helper function to check replayable error codes (bsc#1231432). - cifs: new mount option called retrans (bsc#1231432). - cifs: open_cached_dir should not rely on primary channel (bsc#1231432). - cifs: open_cached_dir(): add FILE_READ_EA to desired access (git-fixes). - cifs: update desired access while requesting for directory lease (git-fixes). - cifs: update the same create_guid on replay (git-fixes). - clk: mediatek: mt2701-aud: fix conversion to mtk_clk_simple_probe (git-fixes). - clk: mediatek: mt2701-bdp: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-img: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-mm: add missing dummy clk (git-fixes). - clk: mediatek: mt2701-vdec: fix conversion to mtk_clk_simple_probe (git-fixes). - clk: qcom: clk-alpha-pll: fix alpha mode configuration (git-fixes). - clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate (git-fixes). - clk: qcom: dispcc-sm6350: Add missing parent_map for a clock (git-fixes). - clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg (git-fixes). - clk: qcom: gcc-sm6350: Add missing parent_map for two clocks (git-fixes). - clk: qcom: gcc-sm8550: Do not turn off PCIe GDSCs during gdsc_disable() (git-fixes). - clk: sunxi-ng: a100: enable MMC clock reparenting (git-fixes). - clockevents/drivers/i8253: Fix stop sequence for timer 0 (git-fixes). - config: Set gcc version (jsc#PED-12251). - coredump: Fixes core_pipe_limit sysctl proc_handler (git-fixes). - cppc_cpufreq: Use desired perf if feedback ctrs are 0 or unchanged (bsc#1237856) - cpu/hotplug: Do not offline the last non-isolated CPU (bsc#1237562). - cpu/hotplug: Prevent self deadlock on CPU hot-unplug (bsc#1237562). - cpufreq/amd-pstate: Fix max_perf updation with schedutil (bsc#1239707). - cpufreq/cppc: Do not compare desired_perf in target() (bsc#1237856) - cpufreq/cppc: Move and rename (bsc#1237856) - cpufreq: cppc: Set fie_disabled to FIE_DISABLED if fails to create (bsc#1237856) - cpufreq: cppc: cppc_cpufreq_get_rate() returns zero in all error (bsc#1237856) - cpufreq: imx6q: Do not disable 792 Mhz OPP unnecessarily (git-fixes). - cpufreq: imx6q: do not warn for disabling a non-existing frequency (git-fixes). - cpufreq: mediatek-hw: Do not error out if supply is not found (git-fixes). - cpufreq: mediatek-hw: Wait for CPU supplies before probing (git-fixes). - cpufreq: qcom-nvmem: Enable virtual power domain devices (git-fixes). - cpufreq: qcom-nvmem: Simplify driver data allocation (stable-fixes). - cpufreq: qcom-nvmem: add support for IPQ8064 (git-fixes). - cpufreq: qcom-nvmem: drop pvs_ver for format a fuses (git-fixes). - cpufreq: qcom-nvmem: fix memory leaks in probe error paths (git-fixes). - cpufreq: qcom-nvmem: use SoC ID-s from bindings (git-fixes). - cpufreq: qcom-nvmem: use helper to get SMEM SoC ID (git-fixes). - cpufreq: qcom: Fix qcom_cpufreq_hw_recalc_rate() to query LUT if LMh IRQ is not available (git-fixes). - cpufreq: qcom: Implement clk_ops::determine_rate() for qcom_cpufreq* clocks (git-fixes). - cpufreq: s3c64xx: Fix compilation warning (stable-fixes). - cpumask: add cpumask_weight_andnot() (bsc#1239015). - cpumask: define cleanup function for cpumasks (bsc#1239015). - crypto: ccp - Fix check for the primary ASP device (git-fixes). - crypto: ccp - Fix uAPI definitions of PSP errors (git-fixes). - crypto: hisilicon/sec2 - fix for aead auth key length (git-fixes). - crypto: hisilicon/sec2 - fix for aead authsize alignment (git-fixes). - crypto: hisilicon/sec2 - fix for aead icv error (git-fixes). - crypto: hisilicon/sec2 - fix for aead invalid authsize (git-fixes). - crypto: hisilicon/sec2 - fix for sec spec check (git-fixes). - crypto: hisilicon/sec2 - optimize the error return process (stable-fixes). - crypto: iaa - Add global_stats file and remove individual stat files (jsc#PED-12416). - crypto: iaa - Change desc->priv to 0 (jsc#PED-12416). - crypto: iaa - Change iaa statistics to atomic64_t (jsc#PED-12416). - crypto: iaa - Fix comp/decomp delay statistics (jsc#PED-12416). - crypto: iaa - Remove comp/decomp delay statistics (jsc#PED-12416). - crypto: iaa - Remove header table code (jsc#PED-12416). - crypto: iaa - Remove potential infinite loop in check_completion() (jsc#PED-12416). - crypto: iaa - Remove unnecessary debugfs_create_dir() error check in iaa_crypto_debugfs_init() (jsc#PED-12416). - crypto: iaa - Remove unneeded newline in update_max_adecomp_delay_ns() (jsc#PED-12416). - crypto: iaa - Test the correct request flag (git-fixes). - crypto: iaa - Use cpumask_weight() when rebalancing (jsc#PED-12416). - crypto: iaa - Use kmemdup() instead of kzalloc() and memcpy() (jsc#PED-12416). - crypto: iaa - fix decomp_bytes_in stats (jsc#PED-12416). - crypto: iaa - fix the missing CRYPTO_ALG_ASYNC in cra_flags (jsc#PED-12416). - crypto: iaa - remove unneeded semicolon (jsc#PED-12416). - crypto: nx - Fix uninitialised hv_nxc on error (git-fixes). - crypto: qat - Avoid -Wflex-array-member-not-at-end warnings (jsc#PED-12416). - crypto: qat - Constify struct pm_status_row (jsc#PED-12416). - crypto: qat - Fix missing destroy_workqueue in adf_init_aer() (jsc#PED-12416). - crypto: qat - Fix spelling mistake "Invalide" -> "Invalid" (jsc#PED-12416). - crypto: qat - Fix typo "accelaration" (jsc#PED-12416). - crypto: qat - Fix typo (jsc#PED-12416). - crypto: qat - Remove trailing space after \n newline (jsc#PED-12416). - crypto: qat - Use static_assert() to check struct sizes (jsc#PED-12416). - crypto: qat - add admin msgs for telemetry (jsc#PED-12416). - crypto: qat - add auto reset on error (jsc#PED-12416). - crypto: qat - add bank save and restore flows (jsc#PED-12416). - crypto: qat - add fatal error notification (jsc#PED-12416). - crypto: qat - add fatal error notify method (jsc#PED-12416). - crypto: qat - add heartbeat error simulator (jsc#PED-12416). - crypto: qat - add interface for live migration (jsc#PED-12416). - crypto: qat - add support for 420xx devices (jsc#PED-12416). - crypto: qat - add support for device telemetry (jsc#PED-12416). - crypto: qat - add support for ring pair level telemetry (jsc#PED-12416). - crypto: qat - adf_get_etr_base() helper (jsc#PED-12416). - crypto: qat - allow disabling SR-IOV VFs (jsc#PED-12416). - crypto: qat - avoid memcpy() overflow warning (jsc#PED-12416). - crypto: qat - change signature of uof_get_num_objs() (jsc#PED-12416). - crypto: qat - disable arbitration before reset (jsc#PED-12416). - crypto: qat - ensure correct order in VF restarting handler (jsc#PED-12416). - crypto: qat - expand CSR operations for QAT GEN4 devices (jsc#PED-12416). - crypto: qat - fix "Full Going True" macro definition (jsc#PED-12416). - crypto: qat - fix arbiter mapping generation algorithm for QAT 402xx (jsc#PED-12416). - crypto: qat - fix comment structure (jsc#PED-12416). - crypto: qat - fix linking errors when PCI_IOV is disabled (jsc#PED-12416). - crypto: qat - fix recovery flow for VFs (jsc#PED-12416). - crypto: qat - fix ring to service map for dcc in 420xx (jsc#PED-12416). - crypto: qat - generate dynamically arbiter mappings (jsc#PED-12416). - crypto: qat - implement dh fallback for primes > 4K (jsc#PED-12416). - crypto: qat - implement interface for live migration (jsc#PED-12416). - crypto: qat - improve aer error reset handling (jsc#PED-12416). - crypto: qat - improve error message in adf_get_arbiter_mapping() (jsc#PED-12416). - crypto: qat - include pci.h for GET_DEV() (jsc#PED-12416). - crypto: qat - initialize user_input.lock for rate_limiting (jsc#PED-12416). - crypto: qat - limit heartbeat notifications (jsc#PED-12416). - crypto: qat - make adf_ctl_class constant (jsc#PED-12416). - crypto: qat - make ring to service map common for QAT GEN4 (jsc#PED-12416). - crypto: qat - move PFVF compat checker to a function (jsc#PED-12416). - crypto: qat - move fw config related structures (jsc#PED-12416). - crypto: qat - preserve ADF_GENERAL_SEC (jsc#PED-12416). - crypto: qat - re-enable sriov after pf reset (jsc#PED-12416). - crypto: qat - relocate CSR access code (jsc#PED-12416). - crypto: qat - relocate and rename 4xxx PF2VM definitions (jsc#PED-12416). - crypto: qat - relocate portions of qat_4xxx code (jsc#PED-12416). - crypto: qat - remove access to parity register for QAT GEN4 (git-fixes). - crypto: qat - remove unnecessary description from comment (jsc#PED-12416). - crypto: qat - remove unused adf_devmgr_get_first (jsc#PED-12416). - crypto: qat - rename get_sla_arr_of_type() (jsc#PED-12416). - crypto: qat - set parity error mask for qat_420xx (git-fixes). - crypto: qat - uninitialized variable in adf_hb_error_inject_write() (jsc#PED-12416). - crypto: qat - update PFVF protocol for recovery (jsc#PED-12416). - crypto: qat - use kcalloc_node() instead of kzalloc_node() (jsc#PED-12416). - crypto: qat - validate slices count returned by FW (jsc#PED-12416). - crypto: qat/qat_420xx - fix off by one in uof_get_name() (jsc#PED-12416). - cxgb4: Avoid removal of uninserted tid (git-fixes). - cxgb4: use port number to set mac addr (git-fixes). - devlink: avoid potential loop in devlink_rel_nested_in_notify_work() (bsc#1237234). - dlm: fix srcu_read_lock() return type to int (git-fixes). - dlm: prevent NPD when writing a positive value to event_done (git-fixes). - dm array: fix cursor index when skipping across block boundaries (git-fixes). - dm array: fix unreleased btree blocks on closing a faulty array cursor (git-fixes). - dm init: Handle minors larger than 255 (git-fixes). - dm integrity: fix out-of-range warning (git-fixes). - dm persistent data: fix memory allocation failure (git-fixes). - dm resume: do not return EINVAL when signalled (git-fixes). - dm suspend: return -ERESTARTSYS instead of -EINTR (git-fixes). - dm thin: Add missing destroy_work_on_stack() (git-fixes). - dm-crypt: do not update io->sector after kcryptd_crypt_write_io_submit() (git-fixes). - dm-crypt: track tag_offset in convert_context (git-fixes). - dm-delay: fix hung task introduced by kthread mode (git-fixes). - dm-delay: fix max_delay calculations (git-fixes). - dm-delay: fix workqueue delay_timer race (git-fixes). - dm-ebs: do not set the flag DM_TARGET_PASSES_INTEGRITY (git-fixes). - dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature (git-fixes). - dm-integrity: align the outgoing bio in integrity_recheck (git-fixes). - dm-integrity: fix a race condition when accessing recalc_sector (git-fixes). - dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume (git-fixes). - dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow (git-fixes). - dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) (git-fixes). - dm: Fix typo in error message (git-fixes). - dma: kmsan: export kmsan_handle_dma() for modules (git-fixes). - doc/README.SUSE: Point to the updated version of LKMPG - doc: update managed_irq documentation (bsc#1236897). - driver core: Remove needless return in void API device_remove_group() (git-fixes). - driver core: bus: add irq_get_affinity callback to bus_type (bsc#1236896). - drivers: core: fix device leak in __fw_devlink_relax_cycles() (git-fixes). - drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl (git-fixes). - drm/amd/display: Assign normalized_pix_clk when color depth = 14 (stable-fixes). - drm/amd/display: Disable PSR-SU on eDP panels (stable-fixes). - drm/amd/display: Disable unneeded hpd interrupts during dm_init (stable-fixes). - drm/amd/display: Fix HPD after gpu reset (stable-fixes). - drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor (stable-fixes). - drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params (git-fixes). - drm/amd/display: Fix slab-use-after-free on hdcp_work (git-fixes). - drm/amd/display: Restore correct backlight brightness after a GPU reset (stable-fixes). - drm/amd/display: Use HW lock mgr for PSR1 when only one eDP (git-fixes). - drm/amd/display: avoid NPD when ASIC does not support DMUB (git-fixes). - drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters() (git-fixes). - drm/amd/pm: Mark MM activity as unsupported (stable-fixes). - drm/amdgpu/umsch: declare umsch firmware (git-fixes). - drm/amdgpu: Check extended configuration space register when system uses large bar (stable-fixes). - drm/amdgpu: Fix JPEG video caps max size for navi1x and raven (stable-fixes). - drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size (stable-fixes). - drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV (git-fixes). - drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() (stable-fixes). - drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() (git-fixes). - drm/amdgpu: disable BAR resize on Dell G5 SE (git-fixes). - drm/amdgpu: fix UVD contiguous CS mapping problem (bsc#1236759). - drm/amdkfd: Fix Circular Locking Dependency in 'svm_range_cpu_invalidate_pagetables' (git-fixes). - drm/amdkfd: only flush the validate MES contex (stable-fixes). - drm/atomic: Filter out redundant DPMS calls (stable-fixes). - drm/bridge: Fix spelling mistake "gettin" -> "getting" (git-fixes). - drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT (stable-fixes). - drm/bridge: it6505: fix HDCP Bstatus check (stable-fixes). - drm/bridge: it6505: fix HDCP CTS KSV list wait timer (stable-fixes). - drm/bridge: it6505: fix HDCP CTS compare V matching (stable-fixes). - drm/bridge: it6505: fix HDCP V match check is not performed correctly (git-fixes). - drm/bridge: it6505: fix HDCP encryption when R0 ready (stable-fixes). - drm/bridge: ti-sn65dsi86: Fix multiple instances (git-fixes). - drm/dp_mst: Fix drm RAD print (git-fixes). - drm/dp_mst: Fix locking when skipping CSN before topology probing (git-fixes). - drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() (git-fixes). - drm/hyperv: Fix address space leak when Hyper-V DRM device is removed (git-fixes). - drm/i915/cdclk: Do cdclk post plane programming later (stable-fixes). - drm/i915/ddi: Fix HDMI port width programming in DDI_BUF_CTL (git-fixes). - drm/i915/dp: Fix error handling during 128b/132b link training (stable-fixes). - drm/i915/dp: Iterate DSC BPP from high to low on all platforms (git-fixes). - drm/i915/dsi: Use TRANS_DDI_FUNC_CTL's own port width macro (git-fixes). - drm/i915/guc: Debug print LRC state entries only if the context is pinned (git-fixes). - drm/i915/pmu: Fix zero delta busyness issue (git-fixes). - drm/i915/selftests: avoid using uninitialized context (git-fixes). - drm/i915/xe2lpd: Move D2D enable/disable (stable-fixes). - drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes (stable-fixes). - drm/i915: Fix page cleanup on DMA remap failure (git-fixes). - drm/i915: Make sure all planes in use by the joiner have their crtc included (stable-fixes). - drm/komeda: Add check for komeda_get_layer_fourcc_list() (git-fixes). - drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr (git-fixes). - drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() (git-fixes). - drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member (git-fixes). - drm/mediatek: mtk_hdmi: Unregister audio platform device on failure (git-fixes). - drm/mgag200: Added support for the new device G200eH5 (jsc#PED-12094) - drm/modeset: Handle tiled displays in pan_display_atomic (stable-fixes). - drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump (git-fixes). - drm/msm/a6xx: Fix stale rpmh votes from GPU (git-fixes). - drm/msm/dpu: Disable dither in phys encoder cleanup (git-fixes). - drm/msm/dpu: Do not leak bits_per_component into random DSC_ENC fields (git-fixes). - drm/msm/dpu: do not use active in atomic_check() (git-fixes). - drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host (git-fixes). - drm/msm/dsi: Use existing per-interface slice count in DSC timing (git-fixes). - drm/msm/gem: Demote userspace errors to DRM_UT_DRIVER (stable-fixes). - drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() (git-fixes). - drm/msm: Avoid rounding up to one jiffy (git-fixes). - drm/nouveau/pmu: Fix gp10b firmware guard (git-fixes). - drm/nouveau: Do not override forced connector status (stable-fixes). - drm/panel: ilitek-ili9882t: fix GPIO name in error message (git-fixes). - drm/radeon/ci_dpm: Remove needless NULL checks of dpm tables (git-fixes). - drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M (stable-fixes). - drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() (git-fixes). - drm/repaper: fix integer overflows in repeat functions (git-fixes). - drm/rockchip: move output interface related definition to rockchip_drm_drv.h (stable-fixes). - drm/rockchip: vop2: Fix the windows switch between different layers (git-fixes). - drm/rockchip: vop2: Set YUV/RGB overlay mode (stable-fixes). - drm/rockchip: vop2: include rockchip_drm_drv.h (git-fixes). - drm/rockchip: vop2: set bg dly and prescan dly at vop2_post_config (stable-fixes). - drm/sched: Fix fence reference count leak (git-fixes). - drm/sched: Fix preprocessor guard (git-fixes). - drm/ssd130x: Set SPI .id_table to prevent an SPI core warning (git-fixes). - drm/ssd130x: ensure ssd132x pitch is correct (git-fixes). - drm/ssd130x: fix ssd132x encoding (git-fixes). - drm/v3d: Do not run jobs that have errors flagged in its fence (git-fixes). - drm/virtio: New fence for every plane update (stable-fixes). - drm/vkms: Fix use after free and double free on init error (git-fixes). - drm/vkms: Round fixp2int conversion in lerp_u16 (stable-fixes). - drm: xlnx: zynqmp: Fix max dma segment size (git-fixes). - dummycon: fix default rows/cols (git-fixes). - eeprom: digsy_mtc: Make GPIO lookup table match the device (git-fixes). - efi/libstub: Bump up EFI_MMAP_NR_SLACK_SLOTS to 32 (bsc#1239349). - efi: Avoid cold plugged memory for placing the kernel (stable-fixes). - efi: libstub: Use '-std=gnu11' to fix build with GCC 15 (stable-fixes). - eth: gve: use appropriate helper to set xdp_features (git-fixes). - exfat: convert to ctime accessor functions (git-fixes). - exfat: do not zero the extended part (bsc#1237356). - exfat: fix appending discontinuous clusters to empty file (bsc#1237356). - exfat: fix file being changed by unaligned direct write (git-fixes). - exfat: fix timing of synchronizing bitmap and inode (bsc#1237356). - exfat: fix zero the unwritten part for dio read (git-fixes). - fbdev: au1100fb: Move a variable assignment behind a null pointer check (git-fixes). - fbdev: omap: use threaded IRQ for LCD DMA (stable-fixes). - fbdev: pxafb: Fix possible use after free in pxafb_task() (stable-fixes). - fbdev: sm501fb: Add some geometry checks (git-fixes). - firmware: arm_ffa: Explicitly cast return value from FFA_VERSION before comparison (git-fixes). - firmware: arm_scmi: use ioread64() instead of ioread64_hi_lo() (git-fixes). - firmware: cs_dsp: Remove async regmap writes (git-fixes). - firmware: imx-scu: fix OF node leak in .probe() (git-fixes). - firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry (git-fixes). - flow_dissector: use RCU protection to fetch dev_net() (bsc#1239994). - futex: Do not include process MM in futex key on no-MMU (git-fixes). - gpio: aggregator: protect driver attr handlers against module unload (git-fixes). - gpio: bcm-kona: Add missing newline to dev_err format string (git-fixes). - gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 (git-fixes). - gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ (git-fixes). - gpio: pca953x: Improve interrupt support (git-fixes). - gpio: rcar: Fix missing of_node_put() call (git-fixes). - gpio: rcar: Use raw_spinlock to protect register access (stable-fixes). - gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock (git-fixes). - gpiolib: acpi: Add a quirk for Acer Nitro ANV14 (stable-fixes). - gpu: drm_dp_cec: fix broken CEC adapter properties check (git-fixes). - gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU (git-fixes). - gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp() (git-fixes). - gup: make the stack expansion warning a bit more targeted (bsc#1238214). - hfs: Sanity check the root record (git-fixes). - hwmon: (ad7314) Validate leading zero bits and return error (git-fixes). - hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table (git-fixes). - hwmon: (pmbus) Initialise page count in pmbus_identify() (git-fixes). - hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe() (git-fixes). - i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz (stable-fixes). - i2c: ali1535: Fix an error handling path in ali1535_probe() (git-fixes). - i2c: ali15x3: Fix an error handling path in ali15x3_probe() (git-fixes). - i2c: amd-mp2: drop free_irq() of devm_request_irq() allocated irq (git-fixes). - i2c: ls2x: Fix frequency division register access (git-fixes). - i2c: npcm: disable interrupt enable bit before devm_request_irq (git-fixes). - i2c: omap: fix IRQ storms (git-fixes). - i2c: sis630: Fix an error handling path in sis630_probe() (git-fixes). - i3c: Add NULL pointer check in i3c_master_queue_ibi() (git-fixes). - i3c: master: svc: Fix missing the IBI rules (git-fixes). - i3c: master: svc: Use readsb helper for reading MDB (git-fixes). - iavf: allow changing VLAN state without calling PF (git-fixes). - ice: Remove and readd netdev during devlink reload (bsc#1230497 bsc#1239518). - ice: Skip PTP HW writes during PTP reset procedure (git-fixes). - ice: add ice_adapter for shared data across PFs on the same NIC (bsc#1237415). - ice: avoid the PTP hardware semaphore in gettimex64 path (bsc#1237415). - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset (git-fixes). - ice: fix incorrect PHY settings for 100 GB/s (git-fixes). - ice: fix max values for dpll pin phase adjust (git-fixes). - ice: fold ice_ptp_read_time into ice_ptp_gettimex64 (bsc#1237415). - ice: gather page_count()'s of each frag right before XDP prog call (git-fixes). - ice: pass VSI pointer into ice_vc_isvalid_q_id (bsc#1237848 bsc#1230497). - ice: put Rx buffers after being done with current frame (git-fixes). - ice: stop storing XDP verdict within ice_rx_buf (git-fixes). - ice: use internal pf id instead of function number (git-fixes). - idpf: add read memory barrier when checking descriptor done bit (git-fixes). - idpf: call set_real_num_queues in idpf_open (bsc#1236661). - idpf: convert workqueues to unbound (git-fixes). - idpf: fix VF dynamic interrupt ctl register initialization (git-fixes). - idpf: fix handling rsc packet with a single segment (git-fixes). - igc: Fix HW RX timestamp when passed by ZC XDP (git-fixes). - igc: Set buffer type for empty frames in igc_init_empty_frame (git-fixes). - igc: return early when failing to read EECD register (git-fixes). - iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio (git-fixes). - iio: accel: msa311: Fix failure to release runtime pm if direct mode claim fails (git-fixes). - iio: adc: ad4130: Fix comparison of channel setups (git-fixes). - iio: adc: ad7124: Fix comparison of channel configs (git-fixes). - iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value (git-fixes). - iio: dac: ad3552r: clear reset status flag (git-fixes). - iio: filter: admv8818: Force initialization of SDO (git-fixes). - include/linux/mmzone.h: clean up watermark accessors (bsc#1239600). - include: net: add static inline dst_dev_overhead() to dst.h (git-fixes). - init: add initramfs_internal.h (bsc#1232848). - initcall_blacklist: Does not allow kernel_lockdown be blacklisted (bsc#1237521). - initramfs: allocate heap buffers together (bsc#1232848). - initramfs: fix hardlink hash leak without TRAILER (bsc#1232848). - intel_idle: Add ibrs_off module parameter to force-disable IBRS (git-fixes). - intel_idle: Use __update_spec_ctrl() in intel_idle_ibrs() (git-fixes). - intel_th: pci: Add Arrow Lake support (stable-fixes). - intel_th: pci: Add Panther Lake-H support (stable-fixes). - intel_th: pci: Add Panther Lake-P/U support (stable-fixes). - ioam6: improve checks on user data (git-fixes). - iommu/arm-smmu-v3: Clean up more on probe failure (stable-fixes). - iommu/vt-d: Fix suspicious RCU usage (git-fixes). - ipv4: add RCU protection to ip4_dst_hoplimit() (bsc#1239994). - ipv4: use RCU protection in inet_select_addr() (bsc#1239994). - ipv4: use RCU protection in ip_dst_mtu_maybe_forward() (bsc#1239994). - ipv4: use RCU protection in ipv4_default_advmss() (bsc#1239994). - ipv4: use RCU protection in rt_is_expired() (bsc#1239994). - ipv6: Ensure natural alignment of const ipv6 loopback and router addresses (git-fixes). - ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw() (git-fixes). - ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create() (git-fixes). - ipv6: Use RCU in ip6_input() (bsc#1239994). - ipv6: annotate data-races around cnf.disable_ipv6 (git-fixes). - ipv6: avoid atomic fragment on GSO packets (git-fixes). - ipv6: fib6_rules: flush route cache when rule is changed (git-fixes). - ipv6: fib: hide unused 'pn' variable (git-fixes). - ipv6: fix ndisc_is_useropt() handling for PIO (git-fixes). - ipv6: fix potential NULL deref in fib6_add() (git-fixes). - ipv6: icmp: convert to dev_net_rcu() (bsc#1239994). - ipv6: introduce dst_rt6_info() helper (git-fixes). - ipv6: ioam: block BH from ioam6_output() (git-fixes). - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid (git-fixes). - ipv6: remove hard coded limitation on ipv6_pinfo (git-fixes). - ipv6: sr: add missing seg6_local_exit (git-fixes). - ipv6: sr: block BH in seg6_output_core() and seg6_input_core() (git-fixes). - ipv6: take care of scope when choosing the src addr (git-fixes). - jfs: add check read-only before truncation in jfs_truncate_nolock() (git-fixes). - jfs: add check read-only before txBeginAnon() call (git-fixes). - jfs: add index corruption check to DT_GETPAGE() (git-fixes). - jfs: fix slab-out-of-bounds read in ea_get() (git-fixes). - jfs: reject on-disk inodes of an unsupported type (git-fixes). - kABI fix for RDMA/core: Do not expose hw_counters outside (git-fixes) - kABI fix for ipv6: remove hard coded limitation on ipv6_pinfo (git-fixes). - kABI fix for net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX (git-fixes). - kABI fix for netlink: terminate outstanding dump on socket close (git-fixes). - kABI fix for tcp: fix cookie_init_timestamp() overflows (git-fixes). - kABI fix for tcp: replace tcp_time_stamp_raw() (git-fixes). - kABI workaround for intel-ish-hid (git-fixes). - kABI workaround for soc_mixer_control changes (git-fixes). - kabi: fix bus type (bsc#1236896). - kabi: fix group_cpus_evenly (bsc#1236897). - kabi: hide adding RCU head into struct netdev_name_node (bsc#1233749). - kasan: do not call find_vm_area() in a PREEMPT_RT kernel (git-fixes). - kbuild: hdrcheck: fix cross build with clang (git-fixes). - kbuild: userprogs: fix bitsize and target detection on clang (git-fixes). - kernel-source: Also replace bin/env - kunit: qemu_configs: sparc: use Zilog console (git-fixes). - l2tp: fix ICMP error handling for UDP-encap sockets (git-fixes). - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function (git-fixes). - l2tp: fix lockdep splat (git-fixes). - leds: rgb: leds-qcom-lpg: Fix calculation of best period Hi-Res PWMs (git-fixes). - leds: rgb: leds-qcom-lpg: Fix pwm resolution max for Hi-Res PWMs (git-fixes). - lib/group_cpus: honor housekeeping config when grouping CPUs (bsc#1236897). - lib/group_cpus: let group_cpu_evenly return number initialized masks (bsc#1236897). - lib/iov_iter: fix import_iovec_ubuf iovec management (git-fixes). - lib: 842: Improve error handling in sw842_compress() (git-fixes). - lib: stackinit: hide never-taken branch from compiler (stable-fixes). - lockdep: Do not disable interrupts on RT in disable_irq_nosync_lockdep.*() (git-fixes). - lockdep: Fix upper limit for LOCKDEP_*_BITS configs (stable-fixes). - lockdep: fix deadlock issue between lockdep and rcu (git-fixes). - locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() (git-fixes). - locking/rwsem: Add __always_inline annotation to __down_write_common() and inlined callers (git-fixes). - loop: do not set QUEUE_FLAG_NOMERGES (git-fixes). - md/md-bitmap: Add missing destroy_work_on_stack() (git-fixes). - md/md-bitmap: add 'sync_size' into struct md_bitmap_stats (git-fixes). - md/md-bitmap: replace md_bitmap_status() with a new helper md_bitmap_get_stats() (git-fixes). - md/md-cluster: fix spares warnings for __le64 (git-fixes). - md/raid0: do not free conf on raid0_run failure (git-fixes). - md/raid1: do not free conf on raid0_run failure (git-fixes). - md/raid5: Wait sync io to finish before changing group cnt (git-fixes). - md: Do not flush sync_work in md_write_start() (git-fixes). - md: convert comma to semicolon (git-fixes). - mdacon: rework dependency list (git-fixes). - media: cxd2841er: fix 64-bit division on gcc-9 (stable-fixes). - media: dvb: mb86a16: check the return value of mb86a16_read() (git-fixes). - media: firewire: firedtv-avc.c: replace BUG with proper, error return (git-fixes). - media: i2c: adv748x: Fix test pattern selection mask (git-fixes). - media: i2c: ccs: Set the device's runtime PM status correctly in remove (git-fixes). - media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO (git-fixes). - media: i2c: ov7251: Set enable GPIO low in probe (git-fixes). - media: ov08x40: Fix hblank out of range issue (git-fixes). - media: platform: allgro-dvt: unregister v4l2_device on the error path (git-fixes). - media: platform: stm32: Add check for clk_enable() (git-fixes). - media: siano: Fix error handling in smsdvb_module_init() (git-fixes). - media: streamzap: fix race between device disconnection and urb callback (git-fixes). - media: streamzap: prevent processing IR data on URB failure (git-fixes). - media: uvcvideo: Add Kurokesu C1 PRO camera (stable-fixes). - media: uvcvideo: Add new quirk definition for the Sonix Technology Co. 292a camera (stable-fixes). - media: uvcvideo: Implement dual stream quirk to fix loss of usb packets (stable-fixes). - media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() (git-fixes). - media: venus: hfi: add a check to handle OOB in sfr region (git-fixes). - media: venus: hfi: add check to handle incorrect queue size (git-fixes). - media: venus: hfi_parser: add check to avoid out of bound access (git-fixes). - media: venus: hfi_parser: refactor hfi packet parsing logic (git-fixes). - media: verisilicon: HEVC: Initialize start_bit field (git-fixes). - media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread (stable-fixes). - media: vim2m: print device name after registering device (git-fixes). - media: visl: Fix ERANGE error when setting enum controls (git-fixes). - mei: me: add panther lake P DID (stable-fixes). - memblock tests: fix warning: "__ALIGN_KERNEL" redefined (git-fixes). - memory: mtk-smi: Add ostd setting for mt8192 (git-fixes). - memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (git-fixes). - mfd: ene-kb3930: Fix a potential NULL pointer dereference (git-fixes). - mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id (stable-fixes). - mfd: sm501: Switch to BIT() to mitigate integer overflows (git-fixes). - mfd: syscon: Add of_syscon_register_regmap() API (stable-fixes). - mfd: syscon: Fix race in device_node_get_regmap() (git-fixes). - mfd: syscon: Remove extern from function prototypes (stable-fixes). - mfd: syscon: Use scoped variables with memory allocators to simplify error paths (stable-fixes). - mm/compaction: fix UBSAN shift-out-of-bounds warning (git fixes (mm/compaction)). - mm/page_alloc: fix memory accept before watermarks gets initialized (bsc#1239600). - mm: accept to promo watermark (bsc#1239600). - mm: create promo_wmark_pages and clean up open-coded sites (bsc#1239600). - mm: fix endless reclaim on machines with unaccepted memory (bsc#1239600). - mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear() (git-fixes) - mm: zswap: move allocations during CPU init outside the lock (git-fixes). - mmc: atmel-mci: Add missing clk_disable_unprepare() (git-fixes). - mmc: core: Respect quirk_max_rate for non-UHS SDIO card (stable-fixes). - mmc: mtk-sd: Fix register settings for hs400(es) mode (git-fixes). - mmc: omap: Fix memory leak in mmc_omap_new_slot (git-fixes). - mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops (git-fixes). - mmc: sdhci-msm: Correctly set the load for the regulator (stable-fixes). - mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD (git-fixes). - mptcp: export local_address (git-fixes) - mptcp: fix NL PM announced address accounting (git-fixes) - mptcp: fix data races on local_id (git-fixes) - mptcp: fix inconsistent state on fastopen race (bsc#1222672). - mptcp: fix recvbuffer adjust on sleeping rcvmsg (git-fixes) - mptcp: fully established after ADD_ADDR echo on MPJ (git-fixes) - mptcp: pass addr to mptcp_pm_alloc_anno_list (git-fixes) - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR (git-fixes) - mptcp: pm: deny endp with signal + subflow + port (git-fixes) - mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set (git-fixes) - mptcp: pm: do not try to create sf if alloc failed (git-fixes) - mptcp: pm: fullmesh: select the right ID later (git-fixes) - mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID (git-fixes) - mptcp: pm: only in-kernel cannot have entries with ID 0 (git-fixes) - mptcp: pm: re-using ID of unused flushed subflows (git-fixes) - mptcp: pm: re-using ID of unused removed ADD_ADDR (git-fixes) - mptcp: pm: re-using ID of unused removed subflows (git-fixes) - mptcp: pm: reduce indentation blocks (git-fixes) - mptcp: pm: remove mptcp_pm_remove_subflow (git-fixes) - mptcp: unify pm get_flags_and_ifindex_by_id (git-fixes) - mptcp: unify pm get_local_id interfaces (git-fixes) - mptcp: unify pm set_flags interfaces (git-fixes) - mtd: Add check for devm_kcalloc() (git-fixes). - mtd: Replace kcalloc() with devm_kcalloc() (git-fixes). - mtd: nand: Fix a kdoc comment (git-fixes). - mtd: rawnand: brcmnand: fix PM resume warning (git-fixes). - mtd: rawnand: cadence: fix error code in cadence_nand_init() (git-fixes). - mtd: rawnand: cadence: fix incorrect device in dma_unmap_single (git-fixes). - mtd: rawnand: cadence: fix unchecked dereference (git-fixes). - mtd: rawnand: cadence: use dma_map_resource for sdma address (git-fixes). - nbd: Fix signal handling (git-fixes). - nbd: Improve the documentation of the locking assumptions (git-fixes). - nbd: do not allow reconnect after disconnect (git-fixes). - ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() (bsc#1239994). - ndisc: use RCU protection in ndisc_alloc_skb() (bsc#1239994). - net l2tp: drop flow hash on forward (git-fixes). - net/mlx5: Correct TASR typo into TSAR (git-fixes). - net/mlx5: Fix RDMA TX steering prio (git-fixes). - net/mlx5: Fix msix vectors to respect platform limit (bsc#1225981). - net/mlx5: SF, Fix add port error handling (git-fixes). - net/mlx5: Verify support for scheduling element and TSAR type (git-fixes). - net/mlx5e: Always start IPsec sequence number from 1 (git-fixes). - net/mlx5e: Rely on reqid in IPsec tunnel mode (git-fixes). - net/mlx5e: macsec: Maintain TX SA from encoding_sa (git-fixes). - net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers (git-fixes). - net/sched: act_api: rely on rcu in tcf_idr_check_alloc (git-fixes). - net/sched: adjust device watchdog timer to detect stopped queue at right time (git-fixes). - net/sched: cbs: Fix integer overflow in cbs_set_port_rate() (git-fixes). - net/sched: cls_u32: replace int refcounts with proper refcounts (git-fixes). - net/sched: flower: Add lock protection when remove filter handle (git-fixes). - net/sched: taprio: make q->picos_per_byte available to fill_sched_entry() (git-fixes). - net/sched: tbf: correct backlog statistic for GSO packets (git-fixes). - net/smc: support ipv4 mapped ipv6 addr client for smc-r v2 (bsc#1236994). - net: Fix undefined behavior in netdev name allocation (bsc#1233749). - net: add dev_net_rcu() helper (bsc#1239994). - net: avoid UAF on deleted altname (bsc#1233749). - net: check for altname conflicts when changing netdev's netns (bsc#1233749). - net: constify sk_dst_get() and __sk_dst_get() argument (git-fixes). - net: core: Use the bitmap API to allocate bitmaps (bsc#1233749). - net: do not send a MOVE event when netdev changes netns (bsc#1233749). - net: do not use input buffer of __dev_alloc_name() as a scratch space (bsc#1233749). - net: fix ifname in netlink ntf during netns move (bsc#1233749). - net: fix removing a namespace with conflicting altnames (bsc#1233749). - net: free altname using an RCU callback (bsc#1233749). - net: ipv6: fix dst ref loop in ila lwtunnel (git-fixes). - net: ipv6: fix dst ref loop on input in rpl lwt (git-fixes). - net: ipv6: fix dst ref loop on input in seg6 lwt (git-fixes). - net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels (git-fixes). - net: ipv6: fix missing dst ref drop in ila lwtunnel (git-fixes). - net: ipv6: fix wrong start position when receive hop-by-hop fragment (git-fixes). - net: ipv6: ioam6: code alignment (git-fixes). - net: ipv6: ioam6: new feature tunsrc (git-fixes). - net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue (git-fixes). - net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input (git-fixes). - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() (git-fixes). - net: ipv6: rpl_iptunnel: mitigate 2-realloc issue (git-fixes). - net: ipv6: seg6_iptunnel: mitigate 2-realloc issue (git-fixes). - net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL (git-fixes). - net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX (git-fixes). - net: make dev_alloc_name() call dev_prep_valid_name() (bsc#1233749). - net: mana: Add flex array to struct mana_cfg_rx_steer_req_v2 (bsc#1239016). - net: mana: Add get_link and get_link_ksettings in ethtool (bsc#1236761). - net: mana: Allow variable size indirection table (bsc#1239016). - net: mana: Assigning IRQ affinity on HT cores (bsc#1239015). - net: mana: Avoid open coded arithmetic (bsc#1239016). - net: mana: Cleanup "mana" debugfs dir after cleanup of all children (bsc#1236760). - net: mana: Enable debugfs files for MANA device (bsc#1236758). - net: mana: Fix irq_contexts memory leak in mana_gd_setup_irqs (bsc#1239015). - net: mana: Fix memory leak in mana_gd_setup_irqs (bsc#1239015). - net: mana: Support holes in device list reply msg (git-fixes). - net: mana: add a function to spread IRQs per CPUs (bsc#1239015). - net: mana: cleanup mana struct after debugfs_remove() (git-fixes). - net: move altnames together with the netdevice (bsc#1233749). - net: netvsc: Update default VMBus channels (bsc#1236757). - net: reduce indentation of __dev_alloc_name() (bsc#1233749). - net: remove dev_valid_name() check from __dev_alloc_name() (bsc#1233749). - net: remove else after return in dev_prep_valid_name() (bsc#1233749). - net: rose: lock the socket in rose_bind() (git-fixes). - net: sfc: Correct key_len for efx_tc_ct_zone_ht_params (git-fixes). - net: smc: fix spurious error message from __sock_release() (bsc#1237126). - net: trust the bitmap in __dev_alloc_name() (bsc#1233749). - net: usb: usbnet: restore usb%d name exception for local mac addresses (bsc#1234480). - net: use unrcu_pointer() helper (git-fixes). - net: wwan: iosm: Fix hibernation by re-binding the driver around it (stable-fixes). - net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors (stable-fixes). - net_sched: Prevent creation of classes with TC_H_ROOT (git-fixes). - net_sched: sch_sfq: annotate data-races around q->perturb_period (git-fixes). - net_sched: sch_sfq: handle bigger packets (git-fixes). - nfsd: clear acl_access/acl_default after releasing them (git-fixes). - nouveau/svm: fix missing folio unlock + put after make_device_exclusive_range() (git-fixes). - null_blk: Do not allow runt zone with zone capacity smaller then zone size (git-fixes). - null_blk: Fix missing mutex_destroy() at module removal (git-fixes). - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() (git-fixes). - null_blk: Print correct max open zones limit in null_init_zoned_dev() (git-fixes). - null_blk: Remove usage of the deprecated ida_simple_xx() API (git-fixes). - null_blk: do not cap max_hw_sectors to BLK_DEF_MAX_SECTORS (git-fixes). - null_blk: fix validation of block size (git-fixes). - nvme-fc: do not ignore connectivity loss during connecting (git-fixes bsc#1222649). - nvme-fc: go straight to connecting state when initializing (git-fixes bsc#1222649). - nvme-fc: rely on state transitions to handle connectivity loss (git-fixes bsc#1222649). - nvme-fc: use ctrl state getter (git-fixes). - nvme-ioctl: fix leaked requests on mapping error (git-fixes). - nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk (git-fixes). - nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk (git-fixes). - nvme-pci: quirk Acer FA100 for non-uniqueue identifiers (git-fixes). - nvme-pci: remove stale comment (git-fixes). - nvme-pci: use block layer helpers to calculate num of queues (bsc#1236897). - nvme-tcp: Fix a C2HTermReq error message (git-fixes). - nvme-tcp: add basic support for the C2HTermReq PDU (git-fixes). - nvme-tcp: fix connect failure on receiving partial ICResp PDU (git-fixes). - nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() (git-fixes). - nvme-tcp: fix signedness bug in nvme_tcp_init_connection() (git-fixes). - nvme/ioctl: add missing space in err message (git-fixes). - nvme: handle connectivity loss in nvme_set_queue_count (git-fixes). - nvme: introduce nvme_disk_is_ns_head helper (git-fixes). - nvme: make nvme_tls_attrs_group static (git-fixes). - nvme: move error logging from nvme_end_req() to __nvme_end_req() (git-fixes). - nvme: move passthrough logging attribute to head (git-fixes). - nvme: only allow entering LIVE from CONNECTING state (git-fixes bsc#1222649). - nvme: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896). - nvme: tcp: Fix compilation warning with W=1 (git-fixes). - nvmet-fc: Remove unused functions (git-fixes). - nvmet-rdma: recheck queue state is LIVE in state lock in recv done (git-fixes). - nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch (git-fixes). - nvmet: Fix crash when a namespace is disabled (git-fixes). - nvmet: remove old function prototype (git-fixes). - ocfs2: check dir i_size in ocfs2_find_entry (git-fixes). - ocfs2: fix deadlock in ocfs2_get_system_file_inode (git-fixes). - ocfs2: fix incorrect CPU endianness conversion causing mount failure (bsc#1236138). - ocfs2: handle a symlink read error correctly (git-fixes). - ocfs2: mark dquot as inactive if failed to start trans while releasing dquot (git-fixes). - ocfs2: update seq_file index in ocfs2_dlm_seq_next (git-fixes). - orangefs: fix a oob in orangefs_debug_write (git-fixes). - padata: Clean up in padata_do_multithreaded() (bsc#1237563). - padata: Honor the caller's alignment in case of chunk_size 0 (bsc#1237563). - padata: fix sysfs store callback check (git-fixes). - partitions: ldm: remove the initial kernel-doc notation (git-fixes). - partitions: mac: fix handling of bogus partition table (git-fixes). - phy: exynos5-usbdrd: fix MPLL_MULTIPLIER and SSC_REFCLKSEL masks in refclk (git-fixes). - phy: rockchip: naneng-combphy: compatible reset with old DT (git-fixes). - phy: tegra: xusb: reset VBUS & ID OVERRIDE (git-fixes). - pinctrl: bcm281xx: Fix incorrect regmap max_registers value (git-fixes). - pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware (git-fixes). - pinctrl: intel: Fix wrong bypass assignment in intel_pinctrl_probe_pwm() (git-fixes). - pinctrl: qcom: Clear latched interrupt status when changing IRQ type (git-fixes). - pinctrl: renesas: rza2: Fix missing of_node_put() call (git-fixes). - pinctrl: renesas: rzv2m: Fix missing of_node_put() call (git-fixes). - pinctrl: tegra: Set SFIO mode to Mux Register (git-fixes). - platform/x86/intel-uncore-freq: Ignore minor version change (bsc#1237452). - platform/x86/intel-uncore-freq: Increase minor number support (bsc#1237452). - platform/x86/intel/tpmi: Add defines to get version information (bsc#1237452). - platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() (stable-fixes). - platform/x86: ISST: Ignore minor version change (bsc#1237452). - platform/x86: acer-wmi: Ignore AC events (stable-fixes). - platform/x86: dell-ddv: Fix temperature calculation (git-fixes). - platform/x86: int3472: Check for adev == NULL (stable-fixes). - platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e (stable-fixes). - platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e (stable-fixes). - platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles (stable-fixes). - pnfs/flexfiles: retry getting layout segment for reads (git-fixes). - power: supply: da9150-fg: fix potential overflow (git-fixes). - power: supply: max77693: Fix wrong conversion of charge input threshold value (git-fixes). - powerpc/64s/mm: Move __real_pte stubs into hash-4k.h (bsc#1215199). - powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline (bsc#1215199). - powerpc/code-patching: Disable KASAN report during patching via temporary mm (bsc#1215199). - powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC (bsc#1215199). - powerpc/pseries/eeh: Fix pseries_eeh_err_inject (bsc#1239573). - powerpc/pseries/eeh: move pseries_eeh_err_inject() outside CONFIG_DEBUG_FS block (bsc#1239573). - powerpc/pseries/iommu: Split Dynamic DMA Window to be used in Hybrid mode (ltc#210895 bsc#1235933 ltc#210896 bsc#1235932). - powerpc/pseries/iommu: memory notifier incorrectly adds TCEs for pmemory (bsc#1239167 ltc#211055). - powerpc/trace: Add support for HAVE_FUNCTION_ARG_ACCESS_API (bsc#1236967 ltc#210988). - powerpc: Stop using no_llseek (bsc#1239573). - printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX (bsc#1237950). - r8169: enable SG/TSO on selected chip versions per default (bsc#1235874). - rapidio: add check for rio_add_net() in rio_scan_alloc_net() (git-fixes). - rapidio: fix an API misues when rio_add_net() fails (git-fixes). - rbd: do not assume RBD_LOCK_STATE_LOCKED for exclusive mappings (git-fixes). - rbd: do not assume rbd_is_lock_owner() for exclusive mappings (git-fixes). - rbd: do not move requests to the running list on errors (git-fixes). - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait (git-fixes). - regmap-irq: Add missing kfree() (git-fixes). - regulator: check that dummy regulator has been probed before using it (stable-fixes). - regulator: core: Fix deadlock in create_regulator() (git-fixes). - regulator: dummy: force synchronous probing (git-fixes). - rndis_host: Flag RNDIS modems as WWAN devices (git-fixes). - rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303) - rpm/release-projects: Update the ALP projects again (bsc#1231293). - rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570) - s390/cio: rename bitmap_size() -> idset_bitmap_size() (git-fixes bsc#1236205). - s390/futex: Fix FUTEX_OP_ANDN implementation (git-fixes bsc#1237158). - s390/iucv: fix receive buffer virtual vs physical address confusion (git-fixes bsc#1236200). - s390/pci: Fix SR-IOV for PFs initially in standby (git-fixes bsc#1236752). - s390/pci: Fix handling of isolated VFs (git-fixes bsc#1238368). - s390/pci: Fix leak of struct zpci_dev when zpci_add_device() fails (bsc#1236752). - s390/pci: Ignore RID for isolated VFs (bsc#1236752). - s390/pci: Pull search for parent PF out of zpci_iov_setup_virtfn() (git-fixes bsc#1238368). - s390/pci: Sort PCI functions prior to creating virtual busses (bsc#1236752). - s390/pci: Use topology ID for multi-function devices (bsc#1236752). - s390/smp,mcck: fix early IPI handling (git-fixes bsc#1236199). - s390/stackleak: Use exrl instead of ex in __stackleak_poison() (git-fixes bsc#1239594). - s390/topology: Improve topology detection (bsc#1236591). - s390/traps: Fix test_monitor_call() inline assembly (git-fixes bsc#1239595). - s390/vfio-ap: Remove gmap_convert_to_secure() from vfio_ap_ops (git-fixes bsc#1236203). - sched/membarrier: Fix redundant load of membarrier_state (bsc#1232743). - scripts/gdb: fix aarch64 userspace detection in get_current_task (stable-fixes). - scsi: core: Clear driver private data when retrying request (git-fixes). - scsi: core: Do not retry I/Os during depopulation (git-fixes). - scsi: core: Handle depopulation and restoration in progress (git-fixes). - scsi: hisi_sas: Allocate DFX memory during dump trigger (git-fixes). - scsi: hisi_sas: Directly call register snapshot instead of using workqueue (git-fixes). - scsi: hisi_sas: Enable all PHYs that are not disabled by user during controller reset (git-fixes). - scsi: hisi_sas: Fix a deadlock issue related to automatic dump (git-fixes). - scsi: hisi_sas: Remove redundant checks for automatic debugfs dump (git-fixes). - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request (git-fixes). - scsi: lpfc: Copyright updates for 14.4.0.8 patches (bsc#1238347). - scsi: lpfc: Free phba irq in lpfc_sli4_enable_msi() when pci_irq_vector() fails (bsc#1238347). - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine (bsc#1238347). - scsi: lpfc: Ignore ndlp rport mismatch in dev_loss_tmo callbk (bsc#1238347). - scsi: lpfc: Reduce log message generation during ELS ring clean up (bsc#1238347). - scsi: lpfc: Update lpfc version to 14.4.0.8 (bsc#1238347). - scsi: megaraid_sas: Fix for a potential deadlock (git-fixes). - scsi: mpi3mr: Fix possible crash when setting up bsg fails (git-fixes). - scsi: mpi3mr: Start controller indexing from 0 (git-fixes). - scsi: mpi3mr: Use ida to manage mrioc ID (git-fixes). - scsi: mpt3sas: Diag-Reset when Doorbell-In-Use bit is set during driver load time (jsc#PED-11253). - scsi: myrb: Remove dead code (git-fixes). - scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock (git-fixes). - scsi: qla1280: Fix hw revision numbering for ISP1020/1040 (git-fixes). - scsi: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896). - scsi: scsi_debug: Fix hrtimer support for ndelay (git-fixes). - scsi: sg: Enable runtime power management (git-fixes). - scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device reset (git-fixes). - scsi: st: Do not modify unknown block number in MTIOCGET (git-fixes). - scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes). - scsi: use block layer helpers to calculate num of queues (bsc#1236897). - selftest: hugetlb_dio: fix test naming (git-fixes). - selftest: mm: Test if hugepage does not get leaked during __bio_release_pages() (git-fixes). - selftests/bpf: Fix flaky selftest lwt_redirect/lwt_reroute (git-fixes). - selftests/bpf: Fix flaky test btf_map_in_map/lookup_update (git-fixes). - selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh (git-fixes). - selftests/bpf: add fp-leaking precise subprog result tests (git-fixes). - selftests/futex: pass _GNU_SOURCE without a value to the compiler (git-fixes). - selftests/mm/cow: fix the incorrect error handling (git-fixes). - selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() (stable-fixes). - selftests/x86/syscall: Fix coccinelle WARNING recommending the use of ARRAY_SIZE() (git-fixes). - selftests: gpio: gpio-sim: Fix missing chip disablements (stable-fixes). - selftests: hugetlb_dio: check for initial conditions to skip in the start (git-fixes). - selftests: hugetlb_dio: fixup check for initial conditions to skip in the start (git-fixes). - selftests: mptcp: close fd_in before returning in main_loop (git-fixes). - selftests: mptcp: connect: -f: no reconnect (git-fixes). - selftests: mptcp: fix incorrect fd checks in main_loop (git-fixes). - selftests: rtnetlink: update netdevsim ipsec output format (stable-fixes). - seq_file: add helper macro to define attribute for rw file (jsc#PED-12416). - serial: 8250: Fix fifo underflow on flush (git-fixes). - serial: sc16is7xx: use device_property APIs when configuring irda mode (stable-fixes). - slimbus: messaging: Free transaction ID in delayed interrupt scenario (git-fixes). - smb3: fix creating FIFOs when mounting with "sfu" mount option (git-fixes). - smb3: request handle caching when caching directories (bsc#1231432). - smb3: retrying on failed server close (bsc#1231432). - smb: cached directories can be more than root file handle (bsc#1231432). - smb: cilent: set reparse mount points as automounts (git-fixes). - smb: client: Fix a NULL vs IS_ERR() check in wsl_set_xattrs() (git-fixes). - smb: client: Fix minor whitespace errors and warnings (git-fixes). - smb: client: Fix netns refcount imbalance causing leaks and use-after-free (git-fixes). - smb: client: add support for WSL reparse points (git-fixes). - smb: client: allow creating special files via reparse points (git-fixes). - smb: client: allow creating symlinks via reparse points (git-fixes). - smb: client: cleanup smb2_query_reparse_point() (git-fixes). - smb: client: destroy cfid_put_wq on module exit (git-fixes). - smb: client: do not query reparse points twice on symlinks (git-fixes). - smb: client: extend smb2_compound_op() to accept more commands (bsc#1231432). - smb: client: fix OOB in SMB2_query_info_init() (bsc#1231432). - smb: client: fix OOB in smb2_query_reparse_point() (git-fixes). - smb: client: fix corruption in cifs_extend_writeback (bsc#1235609). - smb: client: fix double put of @cfile in smb2_rename_path() (git-fixes). - smb: client: fix double put of @cfile in smb2_set_path_size() (git-fixes). - smb: client: fix hardlinking of reparse points (git-fixes). - smb: client: fix missing mode bits for SMB symlinks (git-fixes). - smb: client: fix possible double free in smb2_set_ea() (git-fixes). - smb: client: fix potential broken compound request (git-fixes). - smb: client: fix renaming of reparse points (git-fixes). - smb: client: get rid of smb311_posix_query_path_info() (git-fixes). - smb: client: handle STATUS_IO_REPARSE_TAG_NOT_HANDLED (git-fixes). - smb: client: handle lack of FSCTL_GET_REPARSE_POINT support (git-fixes). - smb: client: handle path separator of created SMB symlinks (git-fixes). - smb: client: handle special files and symlinks in SMB3 POSIX (git-fixes). - smb: client: ignore unhandled reparse tags (git-fixes). - smb: client: implement ->query_reparse_point() for SMB1 (git-fixes). - smb: client: instantiate when creating SFU files (git-fixes). - smb: client: introduce ->parse_reparse_point() (git-fixes). - smb: client: introduce SMB2_OP_QUERY_WSL_EA (git-fixes). - smb: client: introduce cifs_sfu_make_node() (git-fixes). - smb: client: introduce reparse mount option (git-fixes). - smb: client: make smb2_compound_op() return resp buffer on success (bsc#1231432). - smb: client: move most of reparse point handling code to common file (git-fixes). - smb: client: move some params to cifs_open_info_data (bsc#1231432). - smb: client: optimise reparse point querying (git-fixes). - smb: client: parse owner/group when creating reparse points (git-fixes). - smb: client: parse reparse point flag in create response (bsc#1231432). - smb: client: parse uid, gid, mode and dev from WSL reparse points (git-fixes). - smb: client: properly close cfids on umount (bsc#1231432, bsc#1232299, bsc#1235599, bsc#1234896). - smb: client: reduce number of parameters in smb2_compound_op() (git-fixes). - smb: client: reduce stack usage in smb2_query_info_compound() (bsc#1231432). - smb: client: reduce stack usage in smb2_query_reparse_point() (git-fixes). - smb: client: reduce stack usage in smb2_set_ea() (bsc#1231432). - smb: client: retry compound request without reusing lease (git-fixes). - smb: client: return reparse type in /proc/mounts (git-fixes). - smb: client: reuse file lease key in compound operations (git-fixes). - smb: client: set correct d_type for reparse DFS/DFSR and mount point (git-fixes). - smb: client: set correct file type from NFS reparse points (git-fixes). - smb: client: stop revalidating reparse points unnecessarily (git-fixes). - smb: use kernel_connect() and kernel_bind() (git-fixes). - soc/mediatek: mtk-devapc: Convert to platform remove callback returning void (stable-fixes). - soc/tegra: fuse: Update Tegra234 nvmem keepout list (stable-fixes). - soc: imx8m: Remove global soc_uid (stable-fixes). - soc: imx8m: Unregister cpufreq and soc dev in cleanup path (git-fixes). - soc: imx8m: Use devm_* to simplify probe failure handling (stable-fixes). - soc: loongson: loongson2_guts: Add check for devm_kstrdup() (git-fixes). - soc: mediatek: mt8167-mmsys: Fix missing regval in all entries (git-fixes). - soc: mediatek: mt8365-mmsys: Fix routing table masks and values (git-fixes). - soc: mediatek: mtk-devapc: Fix leaking IO map on driver remove (git-fixes). - soc: qcom: pdr: Fix the potential deadlock (git-fixes). - soc: qcom: smem: introduce qcom_smem_get_soc_id() (git-fixes). - soc: qcom: socinfo: move SMEM item struct and defines to a header (git-fixes). - soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() (git-fixes). - soundwire: slave: fix an OF node reference leak in soundwire slave device (git-fixes). - spi: atmel-qspi: Memory barriers after memory-mapped I/O (git-fixes). - spi: atmel-quadspi: Create `atmel_qspi_ops` to support newer SoC families (stable-fixes). - spi: cadence-qspi: Fix probe on AM62A LP SK (git-fixes). - spi: microchip-core: Clean up redundant dev_err_probe() (git-fixes). - spi: microchip-core: Use helper function devm_clk_get_enabled() (git-fixes). - spi: sn-f-ospi: Fix division by zero (git-fixes). - splice: do not checksum AF_UNIX sockets (bsc#1240333). - sunrpc: suppress warnings for unused procfs functions (git-fixes). - supported.conf: add now-included qat_420xx (external, intel) - tcp: Add memory barrier to tcp_push() (git-fixes). - tcp: Adjust clamping window for applications specifying SO_RCVBUF (git-fixes). - tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset (git-fixes). - tcp: Defer ts_recent changes until req is owned (git-fixes). - tcp: Do not drop SYN+ACK for simultaneous connect() (git-fixes). - tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge() (git-fixes). - tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses (git-fixes). - tcp: Update window clamping condition (git-fixes). - tcp: add tcp_done_with_error() helper (git-fixes). - tcp: adjust rcvq_space after updating scaling ratio (git-fixes). - tcp: annotate data-races around tp->window_clamp (git-fixes). - tcp: avoid premature drops in tcp_add_backlog() (git-fixes). - tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process (git-fixes). - tcp: check mptcp-level constraints for backlog coalescing (git-fixes). - tcp: check space before adding MPTCP SYN options (git-fixes). - tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack() (git-fixes). - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB (git-fixes). - tcp: define initial scaling factor value as a macro (git-fixes). - tcp: derive delack_max from rto_min (git-fixes). - tcp: fix TFO SYN_RECV to not zero retrans_stamp with retransmits out (git-fixes). - tcp: fix cookie_init_timestamp() overflows (git-fixes). - tcp: fix forever orphan socket caused by tcp_abort (git-fixes). - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function (git-fixes). - tcp: fix incorrect undo caused by DSACK of TLP retransmit (git-fixes). - tcp: fix mid stream window clamp (git-fixes). - tcp: fix race in tcp_v6_syn_recv_sock() (git-fixes). - tcp: fix race in tcp_write_err() (git-fixes). - tcp: fix races in tcp_abort() (git-fixes). - tcp: fix races in tcp_v_err() (git-fixes). - tcp: fix tcp_enter_recovery() to zero retrans_stamp when it's safe (git-fixes). - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO (git-fixes). - tcp: fix to allow timestamp undo if no retransmits were sent (git-fixes). - tcp: increase the default TCP scaling ratio (git-fixes). - tcp: introduce tcp_clock_ms() (git-fixes). - tcp: process the 3rd ACK with sk_socket for TFO/MPTCP (git-fixes). - tcp: reduce accepted window in NEW_SYN_RECV state (git-fixes). - tcp: remove 64 KByte limit for initial tp->rcv_wnd value (git-fixes). - tcp: replace tcp_time_stamp_raw() (git-fixes). - tg3: Disable tg3 PCIe AER on system reboot (bsc#1219367). - thermal/drivers/rockchip: Add missing rk3328 mapping entry (git-fixes). - thermal: int340x: Add NULL check for adev (git-fixes). - tomoyo: do not emit warning in tomoyo_write_control() (stable-fixes). - tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind (git-fixes). - tools: fix annoying "mkdir -p ..." logs when building tools in parallel (git-fixes). - tpm, tpm_tis: Fix timeout handling when waiting for TPM status (git-fixes). - tpm: do not start chip while suspended (git-fixes). - tpm: send_data: Wait longer for the TPM to become ready (bsc#1235870). - tty: xilinx_uartps: split sysrq handling (git-fixes). - ubi: Add a check for ubi_num (git-fixes). - ubi: block: Fix use-after-free in ubiblock_cleanup (git-fixes). - ubi: block: fix null-pointer-dereference in ubiblock_create() (git-fixes). - ubi: correct the calculation of fastmap size (stable-fixes). - ubi: eba: properly rollback inside self_check_eba (git-fixes). - ubi: fastmap: Fix missed ec updating after erasing old fastmap data block (git-fixes). - ubi: fastmap: may_reserve_for_fm: Do not reserve PEB if fm_anchor exists (git-fixes). - ubi: fastmap: wl: Schedule fm_work if wear-leveling pool is empty (git-fixes). - ubi: wl: Put source PEB into correct list if trying locking LEB failed (git-fixes). - ublk: fix error code for unsupported command (git-fixes). - ublk: fix ublk_ch_mmap() for 64K page size (git-fixes). - ublk: move ublk_cancel_dev() out of ub->mutex (git-fixes). - ublk: move zone report data out of request pdu (git-fixes). - usb: atm: cxacru: fix a flaw in existing endpoint checks (git-fixes). - usb: cdc-acm: Check control transfer buffer size before access (git-fixes). - usb: cdc-acm: Fix handling of oversized fragments (git-fixes). - usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe() (git-fixes). - usb: core: fix pipe creation for get_bMaxPacketSize0 (git-fixes). - usb: dwc2: gadget: remove of_node reference upon udc_stop (git-fixes). - usb: dwc3: Fix timeout issue during controller enter/exit from halt state (git-fixes). - usb: dwc3: core: Defer the probe until USB power supply ready (git-fixes). - usb: dwc3: gadget: Prevent irq storm when TH re-executes (git-fixes). - usb: gadget: Check bmAttributes only if configuration is valid (git-fixes). - usb: gadget: Fix setting self-powered state on suspend (git-fixes). - usb: gadget: Set self-powered based on MaxPower and bmAttributes (git-fixes). - usb: gadget: core: flush gadget workqueue after device removal (git-fixes). - usb: gadget: f_midi: Fixing wMaxPacketSize exceeded issue during MIDI bind retries (git-fixes). - usb: gadget: f_midi: fix MIDI Streaming descriptor lengths (git-fixes). - usb: gadget: u_ether: Set is_suspend flag if remote wakeup fails (git-fixes). - usb: gadget: udc: renesas_usb3: Fix compiler warning (git-fixes). - usb: hub: lack of clearing xHC resources (git-fixes). - usb: phy: generic: Use proper helper for property detection (stable-fixes). - usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader (stable-fixes). - usb: quirks: Add NO_LPM quirk for TOSHIBA TransMemory-Mx device (git-fixes). - usb: renesas_usbhs: Call clk_put() (git-fixes). - usb: renesas_usbhs: Flush the notify_hotplug_work (git-fixes). - usb: renesas_usbhs: Use devm_usb_get_phy() (git-fixes). - usb: roles: set switch registered flag early on (git-fixes). - usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality (git-fixes). - usb: typec: ucsi: Fix NULL pointer access (git-fixes). - usb: typec: ucsi: increase timeout for PPM reset operations (git-fixes). - usb: xHCI: add XHCI_RESET_ON_RESUME quirk for Phytium xHCI host (git-fixes). - usb: xhci: Enable the TRB overfetch quirk on VIA VL805 (git-fixes). - usb: xhci: Fix NULL pointer dereference on certain command aborts (git-fixes). - usb: xhci: remove 'retval' from xhci_pci_resume() (git-fixes). - usbnet: gl620a: fix endpoint checking in genelink_bind() (git-fixes). - usbnet: ipheth: document scope of NCM implementation (stable-fixes). - util_macros.h: fix/rework find_closest() macros (git-fixes). - vboxsf: fix building with GCC 15 (stable-fixes). - vfio/pci: Lock external INTx masking ops (bsc#1222803). - vhost/net: Set num_buffers for virtio 1.0 (git-fixes). - virtio-mem: check if the config changed before fake offlining memory (git-fixes). - virtio-mem: convert most offline_and_remove_memory() errors to -EBUSY (git-fixes). - virtio-mem: keep retrying on offline_and_remove_memory() errors in Sub Block Mode (SBM) (git-fixes). - virtio-mem: remove unsafe unplug in Big Block Mode (BBM) (git-fixes). - virtio: blk/scsi: replace blk_mq_virtio_map_queues with blk_mq_map_hw_queues (bsc#1236896). - virtio: blk/scsi: use block layer helpers to calculate num of queues (bsc#1236897). - virtio: hookup irq_get_affinity callback (bsc#1236896). - virtio_blk: reverse request order in virtio_queue_rqs (git-fixes). - vsock/virtio: cancel close work in the destructor (git-fixes) - vsock: Keep the binding until socket destruction (git-fixes) - vsock: reset socket state when de-assigning the transport (git-fixes) - wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path (git-fixes). - wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode (git-fixes). - wifi: ath11k: choose default PM policy for hibernation (bsc#1207948). - wifi: ath11k: determine PM policy based on machine model (bsc#1207948). - wifi: ath11k: fix RCU stall while reaping monitor destination ring (git-fixes). - wifi: ath11k: fix wrong overriding for VHT Beamformee STS Capability (git-fixes). - wifi: ath11k: introduce ath11k_core_continue_suspend_resume() (bsc#1207948). - wifi: ath11k: refactor ath11k_core_suspend/_resume() (bsc#1207948). - wifi: ath11k: support non-WoWLAN mode suspend as well (bsc#1207948). - wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path (git-fixes). - wifi: ath12k: encode max Tx power in scan channel list command (git-fixes). - wifi: ath12k: fix handling of 6 GHz rules (git-fixes). - wifi: ath9k: do not submit zero bytes to the entropy pool (git-fixes). - wifi: brcmfmac: Check the return value of of_property_read_string_index() (stable-fixes). - wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() (stable-fixes). - wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (stable-fixes). - wifi: cfg80211: cancel wiphy_work before freeing wiphy (git-fixes). - wifi: cfg80211: init wiphy_work before allocating rfkill fails (git-fixes). - wifi: cfg80211: regulatory: improve invalid hints checking (git-fixes). - wifi: iwlwifi: avoid memory leak (stable-fixes). - wifi: iwlwifi: limit printed string from FW file (git-fixes). - wifi: iwlwifi: mvm: do not try to talk to a dead firmware (git-fixes). - wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms (git-fixes). - wifi: mac80211: fix integer overflow in hwmp_route_info_get() (git-fixes). - wifi: mt76: Add check for devm_kstrdup() (git-fixes). - wifi: mt76: connac: move mt7615_mcu_del_wtbl_all to connac (stable-fixes). - wifi: mt76: mt7915: fix omac index assignment after hardware reset (git-fixes). - wifi: mt76: mt7915: fix possible integer overflows in mt7915_muru_stats_show() (git-fixes). - wifi: mt76: mt7915: improve hardware restart reliability (stable-fixes). - wifi: mt76: mt7921u: Add VID/PID for TP-Link TXE50UH (stable-fixes). - wifi: mt76: mt7925: ensure wow pattern command align fw format (git-fixes). - wifi: mt76: mt7925: fix country count limitation for CLC (git-fixes). - wifi: mt76: mt7925: remove unused acpi function for clc (git-fixes). - wifi: mwifiex: Fix premature release of RF calibration data (git-fixes). - wifi: nl80211: reject cooked mode if it is set along with other flags (git-fixes). - wifi: rtl8xxxu: Perform update_beacon_work when beaconing is enabled (git-fixes). - wifi: rtw88: sdio: Fix disconnection after beacon loss (stable-fixes). - wifi: rtw89: add crystal_cap check to avoid setting as overflow value (stable-fixes). - wifi: rtw89: fw: correct debug message format in rtw89_build_txpwr_trk_tbl_from_elm() (git-fixes). - wifi: rtw89: pci: correct ISR RDU bit for 8922AE (git-fixes). - x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB (git-fixes). - x86/apic: Provide apic_force_nmi_on_cpu() (git-fixes). - x86/asm: Make serialize() always_inline (git-fixes). - x86/boot/32: De-uglify the 2/3 level paging difference in mk_early_pgtbl_32() (git-fixes). - x86/boot/32: Disable stackprotector and tracing for mk_early_pgtbl_32() (git-fixes). - x86/boot/32: Restructure mk_early_pgtbl_32() (git-fixes). - x86/boot/32: Temporarily map initrd for microcode loading (git-fixes). - x86/boot: Use __pa_nodebug() in mk_early_pgtbl_32() (git-fixes). - x86/bugs: Add SRSO_USER_KERNEL_NO support (git-fixes). - x86/coco: Replace 'static const cc_mask' with the newly introduced cc_get_mask() function (git-fixes). - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers (git-fixes). - x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit (git-fixes). - x86/cpu: Add Lunar Lake to list of CPUs with a broken MONITOR implementation (git-fixes). - x86/cpu: Allow reducing x86_phys_bits during early_identify_cpu() (git-fixes). - x86/entry: Add __init to ia32_emulation_override_cmdline() (git-fixes). - x86/fpu: Fix guest FPU state buffer allocation size (git-fixes). - x86/hyperv/vtl: Stop kernel from probing VTL0 low memory (git-fixes). - x86/hyperv: Fix output argument to hypercall that changes page visibility (git-fixes). - x86/idle: Disable IBRS when CPU is offline to improve single-threaded performance (git-fixes). - x86/microcode/32: Move early loading after paging enable (git-fixes). - x86/microcode/amd: Cache builtin microcode too (git-fixes). - x86/microcode/amd: Cache builtin/initrd microcode early (git-fixes). - x86/microcode/amd: Use cached microcode for AP load (git-fixes). - x86/microcode/amd: Use correct per CPU ucode_cpu_info (git-fixes). - x86/microcode/intel: Add a minimum required revision for late loading (git-fixes). - x86/microcode/intel: Cleanup code further (git-fixes). - x86/microcode/intel: Move microcode functions out of cpu/intel.c (git-fixes). - x86/microcode/intel: Remove debug code (git-fixes). - x86/microcode/intel: Remove pointless mutex (git-fixes). - x86/microcode/intel: Rename get_datasize() since its used externally (git-fixes). - x86/microcode/intel: Reuse intel_cpu_collect_info() git-fixes). - x86/microcode/intel: Rework intel_cpu_collect_info() (git-fixes). - x86/microcode/intel: Rework intel_find_matching_signature() (git-fixes). - x86/microcode/intel: Rip out mixed stepping support for Intel CPUs (git-fixes). - x86/microcode/intel: Save the microcode only after a successful late-load (git-fixes). - x86/microcode/intel: Simplify and rename generic_load_microcode() (git-fixes). - x86/microcode/intel: Simplify early loading (git-fixes). - x86/microcode/intel: Simplify scan_microcode() (git-fixes). - x86/microcode/intel: Switch to kvmalloc() (git-fixes). - x86/microcode/intel: Unify microcode apply() functions (git-fixes). - x86/microcode: Add per CPU control field (git-fixes). - x86/microcode: Add per CPU result state (git-fixes). - x86/microcode: Clarify the late load logic (git-fixes). - x86/microcode: Clean up mc_cpu_down_prep() (git-fixes). - x86/microcode: Get rid of the schedule work indirection (git-fixes). - x86/microcode: Handle "nosmt" correctly (git-fixes). - x86/microcode: Handle "offline" CPUs correctly (git-fixes). - x86/microcode: Hide the config knob (git-fixes). - x86/microcode: Include vendor headers into microcode.h (git-fixes). - x86/microcode: Make reload_early_microcode() static (git-fixes). - x86/microcode: Mop up early loading leftovers (git-fixes). - x86/microcode: Move core specific defines to local header (git-fixes). - x86/microcode: Prepare for minimal revision check (git-fixes). - x86/microcode: Protect against instrumentation (git-fixes). - x86/microcode: Provide CONFIG_MICROCODE_INITRD32 (git-fixes). - x86/microcode: Provide new control functions (git-fixes). - x86/microcode: Remove microcode_mutex (git-fixes). - x86/microcode: Remove pointless apply() invocation (git-fixes). - x86/microcode: Rendezvous and load in NMI (git-fixes). - x86/microcode: Replace the all-in-one rendevous handler (git-fixes). - x86/microcode: Sanitize __wait_for_cpus() (git-fixes). - x86/mm: Carve out INVLPG inline asm for use by others (git-fixes). - x86/mm: Remove unused microcode.h include (git-fixes). - x86/platform/olpc: Remove unused variable 'len' in olpc_dt_compatible_match() (git-fixes). - x86/speculation: Add __update_spec_ctrl() helper (git-fixes). - x86/usercopy: Fix kernel-doc func param name in clean_cache_range()'s description (git-fixes). - x86/xen: add FRAME_END to xen_hypercall_hvm() (git-fixes). - x86/xen: allow larger contiguous memory regions in PV guests (git-fixes). - x86/xen: fix xen_hypercall_hvm() to not clobber %rbx (git-fixes). - xen/swiotlb: relax alignment requirements (git-fixes). - xhci: Apply XHCI_RESET_TO_DEFAULT quirk to TGL (git-fixes). - xhci: Cleanup Candence controller PCI device and vendor ID usage (git-fixes). - xhci: Combine two if statements for Etron xHCI host (jsc#PED-10701). - xhci: Do not issue Reset Device command to Etron xHCI host (jsc#PED-10701). - xhci: Do not perform Soft Retry for Etron xHCI host (git-fixes). - xhci: dbc: Check for errors first in xhci_dbc_stop() (git-fixes). - xhci: dbc: Convert to use sysfs_streq() (git-fixes). - xhci: dbc: Drop duplicate checks for dma_free_coherent() (git-fixes). - xhci: dbc: Fix STALL transfer event handling (git-fixes). - xhci: dbc: Replace custom return value with proper Linux error code (git-fixes). - xhci: dbc: Use ATTRIBUTE_GROUPS() (git-fixes). - xhci: dbc: Use sysfs_emit() to instead of scnprintf() (git-fixes). - xhci: dbgtty: remove kfifo_out() wrapper (git-fixes). - xhci: pci: Fix indentation in the PCI device ID definitions (stable-fixes). - xhci: pci: Group out Thunderbolt xHCI IDs (git-fixes). - xhci: pci: Use PCI_VENDOR_ID_RENESAS (git-fixes). - xhci: pci: Use full names in PCI IDs for Intel platforms (git-fixes). - xhci: pci: Use standard pattern for device IDs (git-fixes). - zram: clear IDLE flag after recompression (git-fixes). - zram: clear IDLE flag in mark_idle() (git-fixes). - zram: do not mark idle slots that cannot be idle (git-fixes). - zram: fix potential UAF of zram table (git-fixes). - zram: fix uninitialized ZRAM not releasing backing device (git-fixes). - zram: refuse to use zero sized block device as backing device (git-fixes). - zram: split memory-tracking and ac-time tracking (git-fixes). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-kernel-8 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ Link for SUSE-SU-2025:20260-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021058.html E-Mail link for SUSE-SU-2025:20260-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1012628 SUSE Bug 1012628 https://bugzilla.suse.com/1207948 SUSE Bug 1207948 https://bugzilla.suse.com/1215199 SUSE Bug 1215199 https://bugzilla.suse.com/1215211 SUSE Bug 1215211 https://bugzilla.suse.com/1218470 SUSE Bug 1218470 https://bugzilla.suse.com/1219367 SUSE Bug 1219367 https://bugzilla.suse.com/1221651 SUSE Bug 1221651 https://bugzilla.suse.com/1222649 SUSE Bug 1222649 https://bugzilla.suse.com/1222672 SUSE Bug 1222672 https://bugzilla.suse.com/1222803 SUSE Bug 1222803 https://bugzilla.suse.com/1223047 SUSE Bug 1223047 https://bugzilla.suse.com/1224049 SUSE Bug 1224049 https://bugzilla.suse.com/1224489 SUSE Bug 1224489 https://bugzilla.suse.com/1224610 SUSE Bug 1224610 https://bugzilla.suse.com/1225533 SUSE Bug 1225533 https://bugzilla.suse.com/1225606 SUSE Bug 1225606 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1225770 SUSE Bug 1225770 https://bugzilla.suse.com/1225981 SUSE Bug 1225981 https://bugzilla.suse.com/1226871 SUSE Bug 1226871 https://bugzilla.suse.com/1227858 SUSE Bug 1227858 https://bugzilla.suse.com/1227937 SUSE Bug 1227937 https://bugzilla.suse.com/1228521 SUSE Bug 1228521 https://bugzilla.suse.com/1228653 SUSE Bug 1228653 https://bugzilla.suse.com/1229311 SUSE Bug 1229311 https://bugzilla.suse.com/1229361 SUSE Bug 1229361 https://bugzilla.suse.com/1230235 SUSE Bug 1230235 https://bugzilla.suse.com/1230438 SUSE Bug 1230438 https://bugzilla.suse.com/1230439 SUSE Bug 1230439 https://bugzilla.suse.com/1230497 SUSE Bug 1230497 https://bugzilla.suse.com/1230728 SUSE Bug 1230728 https://bugzilla.suse.com/1230769 SUSE Bug 1230769 https://bugzilla.suse.com/1230832 SUSE Bug 1230832 https://bugzilla.suse.com/1231088 SUSE Bug 1231088 https://bugzilla.suse.com/1231293 SUSE Bug 1231293 https://bugzilla.suse.com/1231432 SUSE Bug 1231432 https://bugzilla.suse.com/1231912 SUSE Bug 1231912 https://bugzilla.suse.com/1231920 SUSE Bug 1231920 https://bugzilla.suse.com/1231949 SUSE Bug 1231949 https://bugzilla.suse.com/1232159 SUSE Bug 1232159 https://bugzilla.suse.com/1232198 SUSE Bug 1232198 https://bugzilla.suse.com/1232201 SUSE Bug 1232201 https://bugzilla.suse.com/1232299 SUSE Bug 1232299 https://bugzilla.suse.com/1232364 SUSE Bug 1232364 https://bugzilla.suse.com/1232389 SUSE Bug 1232389 https://bugzilla.suse.com/1232421 SUSE Bug 1232421 https://bugzilla.suse.com/1232508 SUSE Bug 1232508 https://bugzilla.suse.com/1232520 SUSE Bug 1232520 https://bugzilla.suse.com/1232743 SUSE Bug 1232743 https://bugzilla.suse.com/1232812 SUSE Bug 1232812 https://bugzilla.suse.com/1232848 SUSE Bug 1232848 https://bugzilla.suse.com/1232895 SUSE Bug 1232895 https://bugzilla.suse.com/1232919 SUSE Bug 1232919 https://bugzilla.suse.com/1233028 SUSE Bug 1233028 https://bugzilla.suse.com/1233033 SUSE Bug 1233033 https://bugzilla.suse.com/1233060 SUSE Bug 1233060 https://bugzilla.suse.com/1233109 SUSE Bug 1233109 https://bugzilla.suse.com/1233221 SUSE Bug 1233221 https://bugzilla.suse.com/1233248 SUSE Bug 1233248 https://bugzilla.suse.com/1233259 SUSE Bug 1233259 https://bugzilla.suse.com/1233260 SUSE Bug 1233260 https://bugzilla.suse.com/1233479 SUSE Bug 1233479 https://bugzilla.suse.com/1233483 SUSE Bug 1233483 https://bugzilla.suse.com/1233522 SUSE Bug 1233522 https://bugzilla.suse.com/1233551 SUSE Bug 1233551 https://bugzilla.suse.com/1233557 SUSE Bug 1233557 https://bugzilla.suse.com/1233749 SUSE Bug 1233749 https://bugzilla.suse.com/1234070 SUSE Bug 1234070 https://bugzilla.suse.com/1234222 SUSE Bug 1234222 https://bugzilla.suse.com/1234480 SUSE Bug 1234480 https://bugzilla.suse.com/1234828 SUSE Bug 1234828 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234857 SUSE Bug 1234857 https://bugzilla.suse.com/1234891 SUSE Bug 1234891 https://bugzilla.suse.com/1234894 SUSE Bug 1234894 https://bugzilla.suse.com/1234895 SUSE Bug 1234895 https://bugzilla.suse.com/1234896 SUSE Bug 1234896 https://bugzilla.suse.com/1234936 SUSE Bug 1234936 https://bugzilla.suse.com/1234963 SUSE Bug 1234963 https://bugzilla.suse.com/1235054 SUSE Bug 1235054 https://bugzilla.suse.com/1235061 SUSE Bug 1235061 https://bugzilla.suse.com/1235073 SUSE Bug 1235073 https://bugzilla.suse.com/1235244 SUSE Bug 1235244 https://bugzilla.suse.com/1235435 SUSE Bug 1235435 https://bugzilla.suse.com/1235436 SUSE Bug 1235436 https://bugzilla.suse.com/1235441 SUSE Bug 1235441 https://bugzilla.suse.com/1235455 SUSE Bug 1235455 https://bugzilla.suse.com/1235485 SUSE Bug 1235485 https://bugzilla.suse.com/1235501 SUSE Bug 1235501 https://bugzilla.suse.com/1235524 SUSE Bug 1235524 https://bugzilla.suse.com/1235589 SUSE Bug 1235589 https://bugzilla.suse.com/1235591 SUSE Bug 1235591 https://bugzilla.suse.com/1235592 SUSE Bug 1235592 https://bugzilla.suse.com/1235599 SUSE Bug 1235599 https://bugzilla.suse.com/1235609 SUSE Bug 1235609 https://bugzilla.suse.com/1235621 SUSE Bug 1235621 https://bugzilla.suse.com/1235637 SUSE Bug 1235637 https://bugzilla.suse.com/1235698 SUSE Bug 1235698 https://bugzilla.suse.com/1235711 SUSE Bug 1235711 https://bugzilla.suse.com/1235712 SUSE Bug 1235712 https://bugzilla.suse.com/1235715 SUSE Bug 1235715 https://bugzilla.suse.com/1235729 SUSE Bug 1235729 https://bugzilla.suse.com/1235733 SUSE Bug 1235733 https://bugzilla.suse.com/1235761 SUSE Bug 1235761 https://bugzilla.suse.com/1235870 SUSE Bug 1235870 https://bugzilla.suse.com/1235874 SUSE Bug 1235874 https://bugzilla.suse.com/1235914 SUSE Bug 1235914 https://bugzilla.suse.com/1235932 SUSE Bug 1235932 https://bugzilla.suse.com/1235933 SUSE Bug 1235933 https://bugzilla.suse.com/1235973 SUSE Bug 1235973 https://bugzilla.suse.com/1236099 SUSE Bug 1236099 https://bugzilla.suse.com/1236111 SUSE Bug 1236111 https://bugzilla.suse.com/1236113 SUSE Bug 1236113 https://bugzilla.suse.com/1236114 SUSE Bug 1236114 https://bugzilla.suse.com/1236115 SUSE Bug 1236115 https://bugzilla.suse.com/1236122 SUSE Bug 1236122 https://bugzilla.suse.com/1236123 SUSE Bug 1236123 https://bugzilla.suse.com/1236133 SUSE Bug 1236133 https://bugzilla.suse.com/1236138 SUSE Bug 1236138 https://bugzilla.suse.com/1236199 SUSE Bug 1236199 https://bugzilla.suse.com/1236200 SUSE Bug 1236200 https://bugzilla.suse.com/1236203 SUSE Bug 1236203 https://bugzilla.suse.com/1236205 SUSE Bug 1236205 https://bugzilla.suse.com/1236206 SUSE Bug 1236206 https://bugzilla.suse.com/1236333 SUSE Bug 1236333 https://bugzilla.suse.com/1236573 SUSE Bug 1236573 https://bugzilla.suse.com/1236575 SUSE Bug 1236575 https://bugzilla.suse.com/1236576 SUSE Bug 1236576 https://bugzilla.suse.com/1236591 SUSE Bug 1236591 https://bugzilla.suse.com/1236661 SUSE Bug 1236661 https://bugzilla.suse.com/1236677 SUSE Bug 1236677 https://bugzilla.suse.com/1236680 SUSE Bug 1236680 https://bugzilla.suse.com/1236681 SUSE Bug 1236681 https://bugzilla.suse.com/1236682 SUSE Bug 1236682 https://bugzilla.suse.com/1236683 SUSE Bug 1236683 https://bugzilla.suse.com/1236684 SUSE Bug 1236684 https://bugzilla.suse.com/1236685 SUSE Bug 1236685 https://bugzilla.suse.com/1236689 SUSE Bug 1236689 https://bugzilla.suse.com/1236692 SUSE Bug 1236692 https://bugzilla.suse.com/1236694 SUSE Bug 1236694 https://bugzilla.suse.com/1236698 SUSE Bug 1236698 https://bugzilla.suse.com/1236700 SUSE Bug 1236700 https://bugzilla.suse.com/1236702 SUSE Bug 1236702 https://bugzilla.suse.com/1236752 SUSE Bug 1236752 https://bugzilla.suse.com/1236757 SUSE Bug 1236757 https://bugzilla.suse.com/1236758 SUSE Bug 1236758 https://bugzilla.suse.com/1236759 SUSE Bug 1236759 https://bugzilla.suse.com/1236760 SUSE Bug 1236760 https://bugzilla.suse.com/1236761 SUSE Bug 1236761 https://bugzilla.suse.com/1236821 SUSE Bug 1236821 https://bugzilla.suse.com/1236822 SUSE Bug 1236822 https://bugzilla.suse.com/1236896 SUSE Bug 1236896 https://bugzilla.suse.com/1236897 SUSE Bug 1236897 https://bugzilla.suse.com/1236952 SUSE Bug 1236952 https://bugzilla.suse.com/1236967 SUSE Bug 1236967 https://bugzilla.suse.com/1236994 SUSE Bug 1236994 https://bugzilla.suse.com/1237007 SUSE Bug 1237007 https://bugzilla.suse.com/1237017 SUSE Bug 1237017 https://bugzilla.suse.com/1237025 SUSE Bug 1237025 https://bugzilla.suse.com/1237028 SUSE Bug 1237028 https://bugzilla.suse.com/1237029 SUSE Bug 1237029 https://bugzilla.suse.com/1237045 SUSE Bug 1237045 https://bugzilla.suse.com/1237126 SUSE Bug 1237126 https://bugzilla.suse.com/1237132 SUSE Bug 1237132 https://bugzilla.suse.com/1237139 SUSE Bug 1237139 https://bugzilla.suse.com/1237155 SUSE Bug 1237155 https://bugzilla.suse.com/1237158 SUSE Bug 1237158 https://bugzilla.suse.com/1237159 SUSE Bug 1237159 https://bugzilla.suse.com/1237164 SUSE Bug 1237164 https://bugzilla.suse.com/1237232 SUSE Bug 1237232 https://bugzilla.suse.com/1237234 SUSE Bug 1237234 https://bugzilla.suse.com/1237313 SUSE Bug 1237313 https://bugzilla.suse.com/1237325 SUSE Bug 1237325 https://bugzilla.suse.com/1237356 SUSE Bug 1237356 https://bugzilla.suse.com/1237415 SUSE Bug 1237415 https://bugzilla.suse.com/1237452 SUSE Bug 1237452 https://bugzilla.suse.com/1237504 SUSE Bug 1237504 https://bugzilla.suse.com/1237521 SUSE Bug 1237521 https://bugzilla.suse.com/1237530 SUSE Bug 1237530 https://bugzilla.suse.com/1237558 SUSE Bug 1237558 https://bugzilla.suse.com/1237562 SUSE Bug 1237562 https://bugzilla.suse.com/1237563 SUSE Bug 1237563 https://bugzilla.suse.com/1237565 SUSE Bug 1237565 https://bugzilla.suse.com/1237571 SUSE Bug 1237571 https://bugzilla.suse.com/1237848 SUSE Bug 1237848 https://bugzilla.suse.com/1237849 SUSE Bug 1237849 https://bugzilla.suse.com/1237853 SUSE Bug 1237853 https://bugzilla.suse.com/1237856 SUSE Bug 1237856 https://bugzilla.suse.com/1237873 SUSE Bug 1237873 https://bugzilla.suse.com/1237875 SUSE Bug 1237875 https://bugzilla.suse.com/1237876 SUSE Bug 1237876 https://bugzilla.suse.com/1237877 SUSE Bug 1237877 https://bugzilla.suse.com/1237879 SUSE Bug 1237879 https://bugzilla.suse.com/1237881 SUSE Bug 1237881 https://bugzilla.suse.com/1237885 SUSE Bug 1237885 https://bugzilla.suse.com/1237889 SUSE Bug 1237889 https://bugzilla.suse.com/1237890 SUSE Bug 1237890 https://bugzilla.suse.com/1237891 SUSE Bug 1237891 https://bugzilla.suse.com/1237894 SUSE Bug 1237894 https://bugzilla.suse.com/1237897 SUSE Bug 1237897 https://bugzilla.suse.com/1237900 SUSE Bug 1237900 https://bugzilla.suse.com/1237901 SUSE Bug 1237901 https://bugzilla.suse.com/1237906 SUSE Bug 1237906 https://bugzilla.suse.com/1237907 SUSE Bug 1237907 https://bugzilla.suse.com/1237911 SUSE Bug 1237911 https://bugzilla.suse.com/1237912 SUSE Bug 1237912 https://bugzilla.suse.com/1237950 SUSE Bug 1237950 https://bugzilla.suse.com/1238212 SUSE Bug 1238212 https://bugzilla.suse.com/1238214 SUSE Bug 1238214 https://bugzilla.suse.com/1238303 SUSE Bug 1238303 https://bugzilla.suse.com/1238347 SUSE Bug 1238347 https://bugzilla.suse.com/1238368 SUSE Bug 1238368 https://bugzilla.suse.com/1238474 SUSE Bug 1238474 https://bugzilla.suse.com/1238475 SUSE Bug 1238475 https://bugzilla.suse.com/1238479 SUSE Bug 1238479 https://bugzilla.suse.com/1238494 SUSE Bug 1238494 https://bugzilla.suse.com/1238496 SUSE Bug 1238496 https://bugzilla.suse.com/1238497 SUSE Bug 1238497 https://bugzilla.suse.com/1238500 SUSE Bug 1238500 https://bugzilla.suse.com/1238501 SUSE Bug 1238501 https://bugzilla.suse.com/1238502 SUSE Bug 1238502 https://bugzilla.suse.com/1238503 SUSE Bug 1238503 https://bugzilla.suse.com/1238506 SUSE Bug 1238506 https://bugzilla.suse.com/1238507 SUSE Bug 1238507 https://bugzilla.suse.com/1238509 SUSE Bug 1238509 https://bugzilla.suse.com/1238510 SUSE Bug 1238510 https://bugzilla.suse.com/1238511 SUSE Bug 1238511 https://bugzilla.suse.com/1238512 SUSE Bug 1238512 https://bugzilla.suse.com/1238521 SUSE Bug 1238521 https://bugzilla.suse.com/1238523 SUSE Bug 1238523 https://bugzilla.suse.com/1238525 SUSE Bug 1238525 https://bugzilla.suse.com/1238526 SUSE Bug 1238526 https://bugzilla.suse.com/1238528 SUSE Bug 1238528 https://bugzilla.suse.com/1238529 SUSE Bug 1238529 https://bugzilla.suse.com/1238531 SUSE Bug 1238531 https://bugzilla.suse.com/1238532 SUSE Bug 1238532 https://bugzilla.suse.com/1238570 SUSE Bug 1238570 https://bugzilla.suse.com/1238715 SUSE Bug 1238715 https://bugzilla.suse.com/1238716 SUSE Bug 1238716 https://bugzilla.suse.com/1238734 SUSE Bug 1238734 https://bugzilla.suse.com/1238735 SUSE Bug 1238735 https://bugzilla.suse.com/1238736 SUSE Bug 1238736 https://bugzilla.suse.com/1238738 SUSE Bug 1238738 https://bugzilla.suse.com/1238739 SUSE Bug 1238739 https://bugzilla.suse.com/1238747 SUSE Bug 1238747 https://bugzilla.suse.com/1238751 SUSE Bug 1238751 https://bugzilla.suse.com/1238753 SUSE Bug 1238753 https://bugzilla.suse.com/1238754 SUSE Bug 1238754 https://bugzilla.suse.com/1238757 SUSE Bug 1238757 https://bugzilla.suse.com/1238759 SUSE Bug 1238759 https://bugzilla.suse.com/1238760 SUSE Bug 1238760 https://bugzilla.suse.com/1238762 SUSE Bug 1238762 https://bugzilla.suse.com/1238763 SUSE Bug 1238763 https://bugzilla.suse.com/1238767 SUSE Bug 1238767 https://bugzilla.suse.com/1238768 SUSE Bug 1238768 https://bugzilla.suse.com/1238771 SUSE Bug 1238771 https://bugzilla.suse.com/1238772 SUSE Bug 1238772 https://bugzilla.suse.com/1238773 SUSE Bug 1238773 https://bugzilla.suse.com/1238775 SUSE Bug 1238775 https://bugzilla.suse.com/1238780 SUSE Bug 1238780 https://bugzilla.suse.com/1238781 SUSE Bug 1238781 https://bugzilla.suse.com/1238785 SUSE Bug 1238785 https://bugzilla.suse.com/1238860 SUSE Bug 1238860 https://bugzilla.suse.com/1238863 SUSE Bug 1238863 https://bugzilla.suse.com/1238864 SUSE Bug 1238864 https://bugzilla.suse.com/1238865 SUSE Bug 1238865 https://bugzilla.suse.com/1238876 SUSE Bug 1238876 https://bugzilla.suse.com/1238877 SUSE Bug 1238877 https://bugzilla.suse.com/1238903 SUSE Bug 1238903 https://bugzilla.suse.com/1238904 SUSE Bug 1238904 https://bugzilla.suse.com/1238905 SUSE Bug 1238905 https://bugzilla.suse.com/1238909 SUSE Bug 1238909 https://bugzilla.suse.com/1238911 SUSE Bug 1238911 https://bugzilla.suse.com/1238917 SUSE Bug 1238917 https://bugzilla.suse.com/1238958 SUSE Bug 1238958 https://bugzilla.suse.com/1238959 SUSE Bug 1238959 https://bugzilla.suse.com/1238963 SUSE Bug 1238963 https://bugzilla.suse.com/1238964 SUSE Bug 1238964 https://bugzilla.suse.com/1238969 SUSE Bug 1238969 https://bugzilla.suse.com/1238971 SUSE Bug 1238971 https://bugzilla.suse.com/1238973 SUSE Bug 1238973 https://bugzilla.suse.com/1238975 SUSE Bug 1238975 https://bugzilla.suse.com/1238978 SUSE Bug 1238978 https://bugzilla.suse.com/1238979 SUSE Bug 1238979 https://bugzilla.suse.com/1238981 SUSE Bug 1238981 https://bugzilla.suse.com/1238984 SUSE Bug 1238984 https://bugzilla.suse.com/1238986 SUSE Bug 1238986 https://bugzilla.suse.com/1238993 SUSE Bug 1238993 https://bugzilla.suse.com/1238994 SUSE Bug 1238994 https://bugzilla.suse.com/1238997 SUSE Bug 1238997 https://bugzilla.suse.com/1239015 SUSE Bug 1239015 https://bugzilla.suse.com/1239016 SUSE Bug 1239016 https://bugzilla.suse.com/1239027 SUSE Bug 1239027 https://bugzilla.suse.com/1239029 SUSE Bug 1239029 https://bugzilla.suse.com/1239030 SUSE Bug 1239030 https://bugzilla.suse.com/1239033 SUSE Bug 1239033 https://bugzilla.suse.com/1239034 SUSE Bug 1239034 https://bugzilla.suse.com/1239036 SUSE Bug 1239036 https://bugzilla.suse.com/1239037 SUSE Bug 1239037 https://bugzilla.suse.com/1239038 SUSE Bug 1239038 https://bugzilla.suse.com/1239039 SUSE Bug 1239039 https://bugzilla.suse.com/1239045 SUSE Bug 1239045 https://bugzilla.suse.com/1239065 SUSE Bug 1239065 https://bugzilla.suse.com/1239068 SUSE Bug 1239068 https://bugzilla.suse.com/1239073 SUSE Bug 1239073 https://bugzilla.suse.com/1239076 SUSE Bug 1239076 https://bugzilla.suse.com/1239080 SUSE Bug 1239080 https://bugzilla.suse.com/1239085 SUSE Bug 1239085 https://bugzilla.suse.com/1239087 SUSE Bug 1239087 https://bugzilla.suse.com/1239095 SUSE Bug 1239095 https://bugzilla.suse.com/1239104 SUSE Bug 1239104 https://bugzilla.suse.com/1239105 SUSE Bug 1239105 https://bugzilla.suse.com/1239109 SUSE Bug 1239109 https://bugzilla.suse.com/1239112 SUSE Bug 1239112 https://bugzilla.suse.com/1239114 SUSE Bug 1239114 https://bugzilla.suse.com/1239115 SUSE Bug 1239115 https://bugzilla.suse.com/1239117 SUSE Bug 1239117 https://bugzilla.suse.com/1239167 SUSE Bug 1239167 https://bugzilla.suse.com/1239174 SUSE Bug 1239174 https://bugzilla.suse.com/1239346 SUSE Bug 1239346 https://bugzilla.suse.com/1239349 SUSE Bug 1239349 https://bugzilla.suse.com/1239435 SUSE Bug 1239435 https://bugzilla.suse.com/1239467 SUSE Bug 1239467 https://bugzilla.suse.com/1239468 SUSE Bug 1239468 https://bugzilla.suse.com/1239471 SUSE Bug 1239471 https://bugzilla.suse.com/1239473 SUSE Bug 1239473 https://bugzilla.suse.com/1239474 SUSE Bug 1239474 https://bugzilla.suse.com/1239477 SUSE Bug 1239477 https://bugzilla.suse.com/1239478 SUSE Bug 1239478 https://bugzilla.suse.com/1239479 SUSE Bug 1239479 https://bugzilla.suse.com/1239481 SUSE Bug 1239481 https://bugzilla.suse.com/1239482 SUSE Bug 1239482 https://bugzilla.suse.com/1239483 SUSE Bug 1239483 https://bugzilla.suse.com/1239484 SUSE Bug 1239484 https://bugzilla.suse.com/1239486 SUSE Bug 1239486 https://bugzilla.suse.com/1239508 SUSE Bug 1239508 https://bugzilla.suse.com/1239512 SUSE Bug 1239512 https://bugzilla.suse.com/1239518 SUSE Bug 1239518 https://bugzilla.suse.com/1239573 SUSE Bug 1239573 https://bugzilla.suse.com/1239594 SUSE Bug 1239594 https://bugzilla.suse.com/1239595 SUSE Bug 1239595 https://bugzilla.suse.com/1239600 SUSE Bug 1239600 https://bugzilla.suse.com/1239605 SUSE Bug 1239605 https://bugzilla.suse.com/1239615 SUSE Bug 1239615 https://bugzilla.suse.com/1239644 SUSE Bug 1239644 https://bugzilla.suse.com/1239707 SUSE Bug 1239707 https://bugzilla.suse.com/1239986 SUSE Bug 1239986 https://bugzilla.suse.com/1239994 SUSE Bug 1239994 https://bugzilla.suse.com/1240169 SUSE Bug 1240169 https://bugzilla.suse.com/1240172 SUSE Bug 1240172 https://bugzilla.suse.com/1240173 SUSE Bug 1240173 https://bugzilla.suse.com/1240175 SUSE Bug 1240175 https://bugzilla.suse.com/1240177 SUSE Bug 1240177 https://bugzilla.suse.com/1240179 SUSE Bug 1240179 https://bugzilla.suse.com/1240182 SUSE Bug 1240182 https://bugzilla.suse.com/1240183 SUSE Bug 1240183 https://bugzilla.suse.com/1240186 SUSE Bug 1240186 https://bugzilla.suse.com/1240188 SUSE Bug 1240188 https://bugzilla.suse.com/1240189 SUSE Bug 1240189 https://bugzilla.suse.com/1240191 SUSE Bug 1240191 https://bugzilla.suse.com/1240192 SUSE Bug 1240192 https://bugzilla.suse.com/1240333 SUSE Bug 1240333 https://bugzilla.suse.com/1240334 SUSE Bug 1240334 https://www.suse.com/security/cve/CVE-2023-52831/ SUSE CVE CVE-2023-52831 page https://www.suse.com/security/cve/CVE-2023-52924/ SUSE CVE CVE-2023-52924 page https://www.suse.com/security/cve/CVE-2023-52925/ SUSE CVE CVE-2023-52925 page https://www.suse.com/security/cve/CVE-2023-52926/ SUSE CVE CVE-2023-52926 page https://www.suse.com/security/cve/CVE-2023-52927/ SUSE CVE CVE-2023-52927 page https://www.suse.com/security/cve/CVE-2024-26634/ SUSE CVE CVE-2024-26634 page https://www.suse.com/security/cve/CVE-2024-26708/ SUSE CVE CVE-2024-26708 page https://www.suse.com/security/cve/CVE-2024-26810/ SUSE CVE CVE-2024-26810 page https://www.suse.com/security/cve/CVE-2024-26873/ SUSE CVE CVE-2024-26873 page https://www.suse.com/security/cve/CVE-2024-35826/ SUSE CVE CVE-2024-35826 page https://www.suse.com/security/cve/CVE-2024-35910/ SUSE CVE CVE-2024-35910 page https://www.suse.com/security/cve/CVE-2024-38606/ SUSE CVE CVE-2024-38606 page https://www.suse.com/security/cve/CVE-2024-40980/ SUSE CVE CVE-2024-40980 page https://www.suse.com/security/cve/CVE-2024-41005/ SUSE CVE CVE-2024-41005 page https://www.suse.com/security/cve/CVE-2024-41055/ SUSE CVE CVE-2024-41055 page https://www.suse.com/security/cve/CVE-2024-41077/ SUSE CVE CVE-2024-41077 page https://www.suse.com/security/cve/CVE-2024-41149/ SUSE CVE CVE-2024-41149 page https://www.suse.com/security/cve/CVE-2024-42307/ SUSE CVE CVE-2024-42307 page https://www.suse.com/security/cve/CVE-2024-43820/ SUSE CVE CVE-2024-43820 page https://www.suse.com/security/cve/CVE-2024-44974/ SUSE CVE CVE-2024-44974 page https://www.suse.com/security/cve/CVE-2024-45009/ SUSE CVE CVE-2024-45009 page https://www.suse.com/security/cve/CVE-2024-45010/ SUSE CVE CVE-2024-45010 page https://www.suse.com/security/cve/CVE-2024-46736/ SUSE CVE CVE-2024-46736 page https://www.suse.com/security/cve/CVE-2024-46782/ SUSE CVE CVE-2024-46782 page https://www.suse.com/security/cve/CVE-2024-46796/ SUSE CVE CVE-2024-46796 page https://www.suse.com/security/cve/CVE-2024-46858/ SUSE CVE CVE-2024-46858 page https://www.suse.com/security/cve/CVE-2024-47408/ SUSE CVE CVE-2024-47408 page https://www.suse.com/security/cve/CVE-2024-47701/ SUSE CVE CVE-2024-47701 page https://www.suse.com/security/cve/CVE-2024-47794/ SUSE CVE CVE-2024-47794 page https://www.suse.com/security/cve/CVE-2024-49571/ SUSE CVE CVE-2024-49571 page https://www.suse.com/security/cve/CVE-2024-49884/ SUSE CVE CVE-2024-49884 page https://www.suse.com/security/cve/CVE-2024-49924/ SUSE CVE CVE-2024-49924 page https://www.suse.com/security/cve/CVE-2024-49940/ SUSE CVE CVE-2024-49940 page https://www.suse.com/security/cve/CVE-2024-49950/ SUSE CVE CVE-2024-49950 page https://www.suse.com/security/cve/CVE-2024-49994/ SUSE CVE CVE-2024-49994 page https://www.suse.com/security/cve/CVE-2024-50029/ SUSE CVE CVE-2024-50029 page https://www.suse.com/security/cve/CVE-2024-50036/ SUSE CVE CVE-2024-50036 page https://www.suse.com/security/cve/CVE-2024-50056/ SUSE CVE CVE-2024-50056 page https://www.suse.com/security/cve/CVE-2024-50073/ SUSE CVE CVE-2024-50073 page https://www.suse.com/security/cve/CVE-2024-50085/ SUSE CVE CVE-2024-50085 page https://www.suse.com/security/cve/CVE-2024-50115/ SUSE CVE CVE-2024-50115 page https://www.suse.com/security/cve/CVE-2024-50126/ SUSE CVE CVE-2024-50126 page https://www.suse.com/security/cve/CVE-2024-50140/ SUSE CVE CVE-2024-50140 page https://www.suse.com/security/cve/CVE-2024-50142/ SUSE CVE CVE-2024-50142 page https://www.suse.com/security/cve/CVE-2024-50152/ SUSE CVE CVE-2024-50152 page https://www.suse.com/security/cve/CVE-2024-50185/ SUSE CVE CVE-2024-50185 page https://www.suse.com/security/cve/CVE-2024-50251/ SUSE CVE CVE-2024-50251 page https://www.suse.com/security/cve/CVE-2024-50258/ SUSE CVE CVE-2024-50258 page https://www.suse.com/security/cve/CVE-2024-50290/ SUSE CVE CVE-2024-50290 page https://www.suse.com/security/cve/CVE-2024-50294/ SUSE CVE CVE-2024-50294 page https://www.suse.com/security/cve/CVE-2024-50304/ SUSE CVE CVE-2024-50304 page https://www.suse.com/security/cve/CVE-2024-52559/ SUSE CVE CVE-2024-52559 page https://www.suse.com/security/cve/CVE-2024-53057/ SUSE CVE CVE-2024-53057 page https://www.suse.com/security/cve/CVE-2024-53063/ SUSE CVE CVE-2024-53063 page https://www.suse.com/security/cve/CVE-2024-53123/ SUSE CVE CVE-2024-53123 page https://www.suse.com/security/cve/CVE-2024-53140/ SUSE CVE CVE-2024-53140 page https://www.suse.com/security/cve/CVE-2024-53147/ SUSE CVE CVE-2024-53147 page https://www.suse.com/security/cve/CVE-2024-53163/ SUSE CVE CVE-2024-53163 page https://www.suse.com/security/cve/CVE-2024-53173/ SUSE CVE CVE-2024-53173 page https://www.suse.com/security/cve/CVE-2024-53176/ SUSE CVE CVE-2024-53176 page https://www.suse.com/security/cve/CVE-2024-53177/ SUSE CVE CVE-2024-53177 page https://www.suse.com/security/cve/CVE-2024-53178/ SUSE CVE CVE-2024-53178 page https://www.suse.com/security/cve/CVE-2024-53226/ SUSE CVE CVE-2024-53226 page https://www.suse.com/security/cve/CVE-2024-53239/ SUSE CVE CVE-2024-53239 page https://www.suse.com/security/cve/CVE-2024-53680/ SUSE CVE CVE-2024-53680 page https://www.suse.com/security/cve/CVE-2024-54683/ SUSE CVE CVE-2024-54683 page https://www.suse.com/security/cve/CVE-2024-56539/ SUSE CVE CVE-2024-56539 page https://www.suse.com/security/cve/CVE-2024-56548/ SUSE CVE CVE-2024-56548 page https://www.suse.com/security/cve/CVE-2024-56579/ SUSE CVE CVE-2024-56579 page https://www.suse.com/security/cve/CVE-2024-56592/ SUSE CVE CVE-2024-56592 page https://www.suse.com/security/cve/CVE-2024-56605/ SUSE CVE CVE-2024-56605 page https://www.suse.com/security/cve/CVE-2024-56633/ SUSE CVE CVE-2024-56633 page https://www.suse.com/security/cve/CVE-2024-56638/ SUSE CVE CVE-2024-56638 page https://www.suse.com/security/cve/CVE-2024-56640/ SUSE CVE CVE-2024-56640 page https://www.suse.com/security/cve/CVE-2024-56647/ SUSE CVE CVE-2024-56647 page https://www.suse.com/security/cve/CVE-2024-56658/ SUSE CVE CVE-2024-56658 page https://www.suse.com/security/cve/CVE-2024-56702/ SUSE CVE CVE-2024-56702 page https://www.suse.com/security/cve/CVE-2024-56703/ SUSE CVE CVE-2024-56703 page https://www.suse.com/security/cve/CVE-2024-56718/ SUSE CVE CVE-2024-56718 page https://www.suse.com/security/cve/CVE-2024-56719/ SUSE CVE CVE-2024-56719 page https://www.suse.com/security/cve/CVE-2024-56720/ SUSE CVE CVE-2024-56720 page https://www.suse.com/security/cve/CVE-2024-56751/ SUSE CVE CVE-2024-56751 page https://www.suse.com/security/cve/CVE-2024-56758/ SUSE CVE CVE-2024-56758 page https://www.suse.com/security/cve/CVE-2024-56770/ SUSE CVE CVE-2024-56770 page https://www.suse.com/security/cve/CVE-2024-57807/ SUSE CVE CVE-2024-57807 page https://www.suse.com/security/cve/CVE-2024-57834/ SUSE CVE CVE-2024-57834 page https://www.suse.com/security/cve/CVE-2024-57882/ SUSE CVE CVE-2024-57882 page https://www.suse.com/security/cve/CVE-2024-57889/ SUSE CVE CVE-2024-57889 page https://www.suse.com/security/cve/CVE-2024-57900/ SUSE CVE CVE-2024-57900 page https://www.suse.com/security/cve/CVE-2024-57947/ SUSE CVE CVE-2024-57947 page https://www.suse.com/security/cve/CVE-2024-57948/ SUSE CVE CVE-2024-57948 page https://www.suse.com/security/cve/CVE-2024-57973/ SUSE CVE CVE-2024-57973 page https://www.suse.com/security/cve/CVE-2024-57974/ SUSE CVE CVE-2024-57974 page https://www.suse.com/security/cve/CVE-2024-57978/ SUSE CVE CVE-2024-57978 page https://www.suse.com/security/cve/CVE-2024-57979/ SUSE CVE CVE-2024-57979 page https://www.suse.com/security/cve/CVE-2024-57980/ SUSE CVE CVE-2024-57980 page https://www.suse.com/security/cve/CVE-2024-57981/ SUSE CVE CVE-2024-57981 page https://www.suse.com/security/cve/CVE-2024-57986/ SUSE CVE CVE-2024-57986 page https://www.suse.com/security/cve/CVE-2024-57990/ SUSE CVE CVE-2024-57990 page https://www.suse.com/security/cve/CVE-2024-57993/ SUSE CVE CVE-2024-57993 page https://www.suse.com/security/cve/CVE-2024-57994/ SUSE CVE CVE-2024-57994 page https://www.suse.com/security/cve/CVE-2024-57996/ SUSE CVE CVE-2024-57996 page https://www.suse.com/security/cve/CVE-2024-57997/ SUSE CVE CVE-2024-57997 page https://www.suse.com/security/cve/CVE-2024-57999/ SUSE CVE CVE-2024-57999 page https://www.suse.com/security/cve/CVE-2024-58002/ SUSE CVE CVE-2024-58002 page https://www.suse.com/security/cve/CVE-2024-58005/ SUSE CVE CVE-2024-58005 page https://www.suse.com/security/cve/CVE-2024-58006/ SUSE CVE CVE-2024-58006 page https://www.suse.com/security/cve/CVE-2024-58007/ SUSE CVE CVE-2024-58007 page https://www.suse.com/security/cve/CVE-2024-58009/ SUSE CVE CVE-2024-58009 page https://www.suse.com/security/cve/CVE-2024-58011/ SUSE CVE CVE-2024-58011 page https://www.suse.com/security/cve/CVE-2024-58012/ SUSE CVE CVE-2024-58012 page https://www.suse.com/security/cve/CVE-2024-58013/ SUSE CVE CVE-2024-58013 page https://www.suse.com/security/cve/CVE-2024-58014/ SUSE CVE CVE-2024-58014 page https://www.suse.com/security/cve/CVE-2024-58017/ SUSE CVE CVE-2024-58017 page https://www.suse.com/security/cve/CVE-2024-58019/ SUSE CVE CVE-2024-58019 page https://www.suse.com/security/cve/CVE-2024-58020/ SUSE CVE CVE-2024-58020 page https://www.suse.com/security/cve/CVE-2024-58034/ SUSE CVE CVE-2024-58034 page https://www.suse.com/security/cve/CVE-2024-58051/ SUSE CVE CVE-2024-58051 page https://www.suse.com/security/cve/CVE-2024-58052/ SUSE CVE CVE-2024-58052 page https://www.suse.com/security/cve/CVE-2024-58054/ SUSE CVE CVE-2024-58054 page https://www.suse.com/security/cve/CVE-2024-58055/ SUSE CVE CVE-2024-58055 page https://www.suse.com/security/cve/CVE-2024-58056/ SUSE CVE CVE-2024-58056 page https://www.suse.com/security/cve/CVE-2024-58057/ SUSE CVE CVE-2024-58057 page https://www.suse.com/security/cve/CVE-2024-58058/ SUSE CVE CVE-2024-58058 page https://www.suse.com/security/cve/CVE-2024-58061/ SUSE CVE CVE-2024-58061 page https://www.suse.com/security/cve/CVE-2024-58063/ SUSE CVE CVE-2024-58063 page https://www.suse.com/security/cve/CVE-2024-58069/ SUSE CVE CVE-2024-58069 page https://www.suse.com/security/cve/CVE-2024-58072/ SUSE CVE CVE-2024-58072 page https://www.suse.com/security/cve/CVE-2024-58076/ SUSE CVE CVE-2024-58076 page https://www.suse.com/security/cve/CVE-2024-58078/ SUSE CVE CVE-2024-58078 page https://www.suse.com/security/cve/CVE-2024-58079/ SUSE CVE CVE-2024-58079 page https://www.suse.com/security/cve/CVE-2024-58080/ SUSE CVE CVE-2024-58080 page https://www.suse.com/security/cve/CVE-2024-58083/ SUSE CVE CVE-2024-58083 page https://www.suse.com/security/cve/CVE-2024-58085/ SUSE CVE CVE-2024-58085 page https://www.suse.com/security/cve/CVE-2024-58086/ SUSE CVE CVE-2024-58086 page https://www.suse.com/security/cve/CVE-2025-21631/ SUSE CVE CVE-2025-21631 page https://www.suse.com/security/cve/CVE-2025-21635/ SUSE CVE CVE-2025-21635 page https://www.suse.com/security/cve/CVE-2025-21636/ SUSE CVE CVE-2025-21636 page https://www.suse.com/security/cve/CVE-2025-21637/ SUSE CVE CVE-2025-21637 page https://www.suse.com/security/cve/CVE-2025-21638/ SUSE CVE CVE-2025-21638 page https://www.suse.com/security/cve/CVE-2025-21639/ SUSE CVE CVE-2025-21639 page https://www.suse.com/security/cve/CVE-2025-21640/ SUSE CVE CVE-2025-21640 page https://www.suse.com/security/cve/CVE-2025-21647/ SUSE CVE CVE-2025-21647 page https://www.suse.com/security/cve/CVE-2025-21659/ SUSE CVE CVE-2025-21659 page https://www.suse.com/security/cve/CVE-2025-21665/ SUSE CVE CVE-2025-21665 page https://www.suse.com/security/cve/CVE-2025-21666/ SUSE CVE CVE-2025-21666 page https://www.suse.com/security/cve/CVE-2025-21667/ SUSE CVE CVE-2025-21667 page https://www.suse.com/security/cve/CVE-2025-21668/ SUSE CVE CVE-2025-21668 page https://www.suse.com/security/cve/CVE-2025-21669/ SUSE CVE CVE-2025-21669 page https://www.suse.com/security/cve/CVE-2025-21670/ SUSE CVE CVE-2025-21670 page https://www.suse.com/security/cve/CVE-2025-21671/ SUSE CVE CVE-2025-21671 page https://www.suse.com/security/cve/CVE-2025-21673/ SUSE CVE CVE-2025-21673 page https://www.suse.com/security/cve/CVE-2025-21675/ SUSE CVE CVE-2025-21675 page https://www.suse.com/security/cve/CVE-2025-21678/ SUSE CVE CVE-2025-21678 page https://www.suse.com/security/cve/CVE-2025-21680/ SUSE CVE CVE-2025-21680 page https://www.suse.com/security/cve/CVE-2025-21681/ SUSE CVE CVE-2025-21681 page https://www.suse.com/security/cve/CVE-2025-21684/ SUSE CVE CVE-2025-21684 page https://www.suse.com/security/cve/CVE-2025-21687/ SUSE CVE CVE-2025-21687 page https://www.suse.com/security/cve/CVE-2025-21688/ SUSE CVE CVE-2025-21688 page https://www.suse.com/security/cve/CVE-2025-21689/ SUSE CVE CVE-2025-21689 page https://www.suse.com/security/cve/CVE-2025-21690/ SUSE CVE CVE-2025-21690 page https://www.suse.com/security/cve/CVE-2025-21692/ SUSE CVE CVE-2025-21692 page https://www.suse.com/security/cve/CVE-2025-21693/ SUSE CVE CVE-2025-21693 page https://www.suse.com/security/cve/CVE-2025-21697/ SUSE CVE CVE-2025-21697 page https://www.suse.com/security/cve/CVE-2025-21699/ SUSE CVE CVE-2025-21699 page https://www.suse.com/security/cve/CVE-2025-21700/ SUSE CVE CVE-2025-21700 page https://www.suse.com/security/cve/CVE-2025-21701/ SUSE CVE CVE-2025-21701 page https://www.suse.com/security/cve/CVE-2025-21703/ SUSE CVE CVE-2025-21703 page https://www.suse.com/security/cve/CVE-2025-21704/ SUSE CVE CVE-2025-21704 page https://www.suse.com/security/cve/CVE-2025-21705/ SUSE CVE CVE-2025-21705 page https://www.suse.com/security/cve/CVE-2025-21706/ SUSE CVE CVE-2025-21706 page https://www.suse.com/security/cve/CVE-2025-21708/ SUSE CVE CVE-2025-21708 page https://www.suse.com/security/cve/CVE-2025-21711/ SUSE CVE CVE-2025-21711 page https://www.suse.com/security/cve/CVE-2025-21714/ SUSE CVE CVE-2025-21714 page https://www.suse.com/security/cve/CVE-2025-21715/ SUSE CVE CVE-2025-21715 page https://www.suse.com/security/cve/CVE-2025-21716/ SUSE CVE CVE-2025-21716 page https://www.suse.com/security/cve/CVE-2025-21718/ SUSE CVE CVE-2025-21718 page https://www.suse.com/security/cve/CVE-2025-21719/ SUSE CVE CVE-2025-21719 page https://www.suse.com/security/cve/CVE-2025-21723/ SUSE CVE CVE-2025-21723 page https://www.suse.com/security/cve/CVE-2025-21724/ SUSE CVE CVE-2025-21724 page https://www.suse.com/security/cve/CVE-2025-21725/ SUSE CVE CVE-2025-21725 page https://www.suse.com/security/cve/CVE-2025-21726/ SUSE CVE CVE-2025-21726 page https://www.suse.com/security/cve/CVE-2025-21727/ SUSE CVE CVE-2025-21727 page https://www.suse.com/security/cve/CVE-2025-21728/ SUSE CVE CVE-2025-21728 page https://www.suse.com/security/cve/CVE-2025-21731/ SUSE CVE CVE-2025-21731 page https://www.suse.com/security/cve/CVE-2025-21732/ SUSE CVE CVE-2025-21732 page https://www.suse.com/security/cve/CVE-2025-21733/ SUSE CVE CVE-2025-21733 page https://www.suse.com/security/cve/CVE-2025-21734/ SUSE CVE CVE-2025-21734 page https://www.suse.com/security/cve/CVE-2025-21735/ SUSE CVE CVE-2025-21735 page https://www.suse.com/security/cve/CVE-2025-21736/ SUSE CVE CVE-2025-21736 page https://www.suse.com/security/cve/CVE-2025-21738/ SUSE CVE CVE-2025-21738 page https://www.suse.com/security/cve/CVE-2025-21739/ SUSE CVE CVE-2025-21739 page https://www.suse.com/security/cve/CVE-2025-21741/ SUSE CVE CVE-2025-21741 page https://www.suse.com/security/cve/CVE-2025-21742/ SUSE CVE CVE-2025-21742 page https://www.suse.com/security/cve/CVE-2025-21743/ SUSE CVE CVE-2025-21743 page https://www.suse.com/security/cve/CVE-2025-21744/ SUSE CVE CVE-2025-21744 page https://www.suse.com/security/cve/CVE-2025-21745/ SUSE CVE CVE-2025-21745 page https://www.suse.com/security/cve/CVE-2025-21749/ SUSE CVE CVE-2025-21749 page https://www.suse.com/security/cve/CVE-2025-21750/ SUSE CVE CVE-2025-21750 page https://www.suse.com/security/cve/CVE-2025-21753/ SUSE CVE CVE-2025-21753 page https://www.suse.com/security/cve/CVE-2025-21754/ SUSE CVE CVE-2025-21754 page https://www.suse.com/security/cve/CVE-2025-21756/ SUSE CVE CVE-2025-21756 page https://www.suse.com/security/cve/CVE-2025-21759/ SUSE CVE CVE-2025-21759 page https://www.suse.com/security/cve/CVE-2025-21760/ SUSE CVE CVE-2025-21760 page https://www.suse.com/security/cve/CVE-2025-21761/ SUSE CVE CVE-2025-21761 page https://www.suse.com/security/cve/CVE-2025-21762/ SUSE CVE CVE-2025-21762 page https://www.suse.com/security/cve/CVE-2025-21763/ SUSE CVE CVE-2025-21763 page https://www.suse.com/security/cve/CVE-2025-21764/ SUSE CVE CVE-2025-21764 page https://www.suse.com/security/cve/CVE-2025-21765/ SUSE CVE CVE-2025-21765 page https://www.suse.com/security/cve/CVE-2025-21766/ SUSE CVE CVE-2025-21766 page https://www.suse.com/security/cve/CVE-2025-21767/ SUSE CVE CVE-2025-21767 page https://www.suse.com/security/cve/CVE-2025-21772/ SUSE CVE CVE-2025-21772 page https://www.suse.com/security/cve/CVE-2025-21773/ SUSE CVE CVE-2025-21773 page https://www.suse.com/security/cve/CVE-2025-21775/ SUSE CVE CVE-2025-21775 page https://www.suse.com/security/cve/CVE-2025-21776/ SUSE CVE CVE-2025-21776 page https://www.suse.com/security/cve/CVE-2025-21779/ SUSE CVE CVE-2025-21779 page https://www.suse.com/security/cve/CVE-2025-21780/ SUSE CVE CVE-2025-21780 page https://www.suse.com/security/cve/CVE-2025-21781/ SUSE CVE CVE-2025-21781 page https://www.suse.com/security/cve/CVE-2025-21782/ SUSE CVE CVE-2025-21782 page https://www.suse.com/security/cve/CVE-2025-21784/ SUSE CVE CVE-2025-21784 page https://www.suse.com/security/cve/CVE-2025-21785/ SUSE CVE CVE-2025-21785 page https://www.suse.com/security/cve/CVE-2025-21790/ SUSE CVE CVE-2025-21790 page https://www.suse.com/security/cve/CVE-2025-21791/ SUSE CVE CVE-2025-21791 page https://www.suse.com/security/cve/CVE-2025-21793/ SUSE CVE CVE-2025-21793 page https://www.suse.com/security/cve/CVE-2025-21794/ SUSE CVE CVE-2025-21794 page https://www.suse.com/security/cve/CVE-2025-21795/ SUSE CVE CVE-2025-21795 page https://www.suse.com/security/cve/CVE-2025-21796/ SUSE CVE CVE-2025-21796 page https://www.suse.com/security/cve/CVE-2025-21799/ SUSE CVE CVE-2025-21799 page https://www.suse.com/security/cve/CVE-2025-21802/ SUSE CVE CVE-2025-21802 page https://www.suse.com/security/cve/CVE-2025-21804/ SUSE CVE CVE-2025-21804 page https://www.suse.com/security/cve/CVE-2025-21810/ SUSE CVE CVE-2025-21810 page https://www.suse.com/security/cve/CVE-2025-21815/ SUSE CVE CVE-2025-21815 page https://www.suse.com/security/cve/CVE-2025-21819/ SUSE CVE CVE-2025-21819 page https://www.suse.com/security/cve/CVE-2025-21820/ SUSE CVE CVE-2025-21820 page https://www.suse.com/security/cve/CVE-2025-21821/ SUSE CVE CVE-2025-21821 page https://www.suse.com/security/cve/CVE-2025-21823/ SUSE CVE CVE-2025-21823 page https://www.suse.com/security/cve/CVE-2025-21825/ SUSE CVE CVE-2025-21825 page https://www.suse.com/security/cve/CVE-2025-21828/ SUSE CVE CVE-2025-21828 page https://www.suse.com/security/cve/CVE-2025-21829/ SUSE CVE CVE-2025-21829 page https://www.suse.com/security/cve/CVE-2025-21830/ SUSE CVE CVE-2025-21830 page https://www.suse.com/security/cve/CVE-2025-21831/ SUSE CVE CVE-2025-21831 page https://www.suse.com/security/cve/CVE-2025-21832/ SUSE CVE CVE-2025-21832 page https://www.suse.com/security/cve/CVE-2025-21835/ SUSE CVE CVE-2025-21835 page https://www.suse.com/security/cve/CVE-2025-21838/ SUSE CVE CVE-2025-21838 page https://www.suse.com/security/cve/CVE-2025-21844/ SUSE CVE CVE-2025-21844 page https://www.suse.com/security/cve/CVE-2025-21846/ SUSE CVE CVE-2025-21846 page https://www.suse.com/security/cve/CVE-2025-21847/ SUSE CVE CVE-2025-21847 page https://www.suse.com/security/cve/CVE-2025-21848/ SUSE CVE CVE-2025-21848 page https://www.suse.com/security/cve/CVE-2025-21850/ SUSE CVE CVE-2025-21850 page https://www.suse.com/security/cve/CVE-2025-21855/ SUSE CVE CVE-2025-21855 page https://www.suse.com/security/cve/CVE-2025-21856/ SUSE CVE CVE-2025-21856 page https://www.suse.com/security/cve/CVE-2025-21857/ SUSE CVE CVE-2025-21857 page https://www.suse.com/security/cve/CVE-2025-21858/ SUSE CVE CVE-2025-21858 page https://www.suse.com/security/cve/CVE-2025-21859/ SUSE CVE CVE-2025-21859 page https://www.suse.com/security/cve/CVE-2025-21861/ SUSE CVE CVE-2025-21861 page https://www.suse.com/security/cve/CVE-2025-21862/ SUSE CVE CVE-2025-21862 page https://www.suse.com/security/cve/CVE-2025-21864/ SUSE CVE CVE-2025-21864 page https://www.suse.com/security/cve/CVE-2025-21865/ SUSE CVE CVE-2025-21865 page https://www.suse.com/security/cve/CVE-2025-21866/ SUSE CVE CVE-2025-21866 page https://www.suse.com/security/cve/CVE-2025-21869/ SUSE CVE CVE-2025-21869 page https://www.suse.com/security/cve/CVE-2025-21870/ SUSE CVE CVE-2025-21870 page https://www.suse.com/security/cve/CVE-2025-21871/ SUSE CVE CVE-2025-21871 page https://www.suse.com/security/cve/CVE-2025-21876/ SUSE CVE CVE-2025-21876 page https://www.suse.com/security/cve/CVE-2025-21877/ SUSE CVE CVE-2025-21877 page https://www.suse.com/security/cve/CVE-2025-21878/ SUSE CVE CVE-2025-21878 page https://www.suse.com/security/cve/CVE-2025-21883/ SUSE CVE CVE-2025-21883 page https://www.suse.com/security/cve/CVE-2025-21885/ SUSE CVE CVE-2025-21885 page https://www.suse.com/security/cve/CVE-2025-21886/ SUSE CVE CVE-2025-21886 page https://www.suse.com/security/cve/CVE-2025-21888/ SUSE CVE CVE-2025-21888 page https://www.suse.com/security/cve/CVE-2025-21890/ SUSE CVE CVE-2025-21890 page https://www.suse.com/security/cve/CVE-2025-21891/ SUSE CVE CVE-2025-21891 page https://www.suse.com/security/cve/CVE-2025-21892/ SUSE CVE CVE-2025-21892 page SUSE Linux Micro 6.1 kernel-devel-rt-6.4.0-28.1 kernel-livepatch-6_4_0-28-rt-1-3.1 kernel-rt-6.4.0-28.1 kernel-rt-devel-6.4.0-28.1 kernel-rt-livepatch-6.4.0-28.1 kernel-source-rt-6.4.0-28.1 kernel-devel-rt-6.4.0-28.1 as a component of SUSE Linux Micro 6.1 kernel-livepatch-6_4_0-28-rt-1-3.1 as a component of SUSE Linux Micro 6.1 kernel-rt-6.4.0-28.1 as a component of SUSE Linux Micro 6.1 kernel-rt-devel-6.4.0-28.1 as a component of SUSE Linux Micro 6.1 kernel-rt-livepatch-6.4.0-28.1 as a component of SUSE Linux Micro 6.1 kernel-source-rt-6.4.0-28.1 as a component of SUSE Linux Micro 6.1 In the Linux kernel, the following vulnerability has been resolved: cpu/hotplug: Don't offline the last non-isolated CPU If a system has isolated CPUs via the "isolcpus=" command line parameter, then an attempt to offline the last housekeeping CPU will result in a WARN_ON() when rebuilding the scheduler domains and a subsequent panic due to and unhandled empty CPU mas in partition_sched_domains_locked(). cpuset_hotplug_workfn() rebuild_sched_domains_locked() ndoms = generate_sched_domains(&doms, &attr); cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN)); Thus results in an empty CPU mask which triggers the warning and then the subsequent crash: WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408 Call trace: build_sched_domains+0x120c/0x1408 partition_sched_domains_locked+0x234/0x880 rebuild_sched_domains_locked+0x37c/0x798 rebuild_sched_domains+0x30/0x58 cpuset_hotplug_workfn+0x2a8/0x930 Unable to handle kernel paging request at virtual address fffe80027ab37080 partition_sched_domains_locked+0x318/0x880 rebuild_sched_domains_locked+0x37c/0x798 Aside of the resulting crash, it does not make any sense to offline the last last housekeeping CPU. Prevent this by masking out the non-housekeeping CPUs when selecting a target CPU for initiating the CPU unplug operation via the work queue. CVE-2023-52831 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2023-52831.html CVE-2023-52831 https://bugzilla.suse.com/1225533 SUSE Bug 1225533 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't skip expired elements during walk There is an asymmetry between commit/abort and preparation phase if the following conditions are met: 1. set is a verdict map ("1.2.3.4 : jump foo") 2. timeouts are enabled In this case, following sequence is problematic: 1. element E in set S refers to chain C 2. userspace requests removal of set S 3. kernel does a set walk to decrement chain->use count for all elements from preparation phase 4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase) If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed. Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure. Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors. CVE-2023-52924 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2023-52924.html CVE-2023-52924 https://bugzilla.suse.com/1236821 SUSE Bug 1236821 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't fail inserts if duplicate has expired nftables selftests fail: run-tests.sh testcases/sets/0044interval_overlap_0 Expected: 0-2 . 0-3, got: W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1 Insertion must ignore duplicate but expired entries. Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this. I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping exired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback. In first two cases expired elements must be skipped. For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error. CVE-2023-52925 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2023-52925.html CVE-2023-52925 https://bugzilla.suse.com/1236822 SUSE Bug 1236822 In the Linux kernel, the following vulnerability has been resolved: IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return). This can lead to a potential use-after-free when the completion via io_rw_done runs at separate context. CVE-2023-52926 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2023-52926.html CVE-2023-52926 https://bugzilla.suse.com/1237565 SUSE Bug 1237565 https://bugzilla.suse.com/1237567 SUSE Bug 1237567 In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. However, in some scenario, we expect the exp not to be removed when the created ct will not be confirmed, like in OVS and TC conntrack in the following patches. This patch allows exp not to be removed by setting IPS_CONFIRMED in the status of the tmpl. CVE-2023-52927 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2023-52927.html CVE-2023-52927 https://bugzilla.suse.com/1239644 SUSE Bug 1239644 In the Linux kernel, the following vulnerability has been resolved: net: fix removing a namespace with conflicting altnames Mark reports a BUG() when a net namespace is removed. kernel BUG at net/core/dev.c:11520! Physical interfaces moved outside of init_net get "refunded" to init_net when that namespace disappears. The main interface name may get overwritten in the process if it would have conflicted. We need to also discard all conflicting altnames. Recent fixes addressed ensuring that altnames get moved with the main interface, which surfaced this problem. CVE-2024-26634 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-26634.html CVE-2024-26634 https://bugzilla.suse.com/1221651 SUSE Bug 1221651 In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the subflow_state_change callback is invoked. Address the issue additionally copying with all the states directly reachable from TCP_FIN_WAIT1. CVE-2024-26708 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-26708.html CVE-2024-26708 https://bugzilla.suse.com/1222672 SUSE Bug 1222672 In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Lock external INTx masking ops Mask operations through config space changes to DisINTx may race INTx configuration changes via ioctl. Create wrappers that add locking for paths outside of the core interrupt code. In particular, irq_type is updated holding igate, therefore testing is_intx() requires holding igate. For example clearing DisINTx from config space can otherwise race changes of the interrupt configuration. This aligns interfaces which may trigger the INTx eventfd into two camps, one side serialized by igate and the other only enabled while INTx is configured. A subsequent patch introduces synchronization for the latter flows. CVE-2024-26810 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-26810.html CVE-2024-26810 https://bugzilla.suse.com/1222803 SUSE Bug 1222803 In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix a deadlock issue related to automatic dump If we issue a disabling PHY command, the device attached with it will go offline, if a 2 bit ECC error occurs at the same time, a hung task may be found: [ 4613.652388] INFO: task kworker/u256:0:165233 blocked for more than 120 seconds. [ 4613.666297] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.674809] task:kworker/u256:0 state:D stack: 0 pid:165233 ppid: 2 flags:0x00000208 [ 4613.683959] Workqueue: 0000:74:02.0_disco_q sas_revalidate_domain [libsas] [ 4613.691518] Call trace: [ 4613.694678] __switch_to+0xf8/0x17c [ 4613.698872] __schedule+0x660/0xee0 [ 4613.703063] schedule+0xac/0x240 [ 4613.706994] schedule_timeout+0x500/0x610 [ 4613.711705] __down+0x128/0x36c [ 4613.715548] down+0x240/0x2d0 [ 4613.719221] hisi_sas_internal_abort_timeout+0x1bc/0x260 [hisi_sas_main] [ 4613.726618] sas_execute_internal_abort+0x144/0x310 [libsas] [ 4613.732976] sas_execute_internal_abort_dev+0x44/0x60 [libsas] [ 4613.739504] hisi_sas_internal_task_abort_dev.isra.0+0xbc/0x1b0 [hisi_sas_main] [ 4613.747499] hisi_sas_dev_gone+0x174/0x250 [hisi_sas_main] [ 4613.753682] sas_notify_lldd_dev_gone+0xec/0x2e0 [libsas] [ 4613.759781] sas_unregister_common_dev+0x4c/0x7a0 [libsas] [ 4613.765962] sas_destruct_devices+0xb8/0x120 [libsas] [ 4613.771709] sas_do_revalidate_domain.constprop.0+0x1b8/0x31c [libsas] [ 4613.778930] sas_revalidate_domain+0x60/0xa4 [libsas] [ 4613.784716] process_one_work+0x248/0x950 [ 4613.789424] worker_thread+0x318/0x934 [ 4613.793878] kthread+0x190/0x200 [ 4613.797810] ret_from_fork+0x10/0x18 [ 4613.802121] INFO: task kworker/u256:4:316722 blocked for more than 120 seconds. [ 4613.816026] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.824538] task:kworker/u256:4 state:D stack: 0 pid:316722 ppid: 2 flags:0x00000208 [ 4613.833670] Workqueue: 0000:74:02.0 hisi_sas_rst_work_handler [hisi_sas_main] [ 4613.841491] Call trace: [ 4613.844647] __switch_to+0xf8/0x17c [ 4613.848852] __schedule+0x660/0xee0 [ 4613.853052] schedule+0xac/0x240 [ 4613.856984] schedule_timeout+0x500/0x610 [ 4613.861695] __down+0x128/0x36c [ 4613.865542] down+0x240/0x2d0 [ 4613.869216] hisi_sas_controller_prereset+0x58/0x1fc [hisi_sas_main] [ 4613.876324] hisi_sas_rst_work_handler+0x40/0x8c [hisi_sas_main] [ 4613.883019] process_one_work+0x248/0x950 [ 4613.887732] worker_thread+0x318/0x934 [ 4613.892204] kthread+0x190/0x200 [ 4613.896118] ret_from_fork+0x10/0x18 [ 4613.900423] INFO: task kworker/u256:1:348985 blocked for more than 121 seconds. [ 4613.914341] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4613.922852] task:kworker/u256:1 state:D stack: 0 pid:348985 ppid: 2 flags:0x00000208 [ 4613.931984] Workqueue: 0000:74:02.0_event_q sas_port_event_worker [libsas] [ 4613.939549] Call trace: [ 4613.942702] __switch_to+0xf8/0x17c [ 4613.946892] __schedule+0x660/0xee0 [ 4613.951083] schedule+0xac/0x240 [ 4613.955015] schedule_timeout+0x500/0x610 [ 4613.959725] wait_for_common+0x200/0x610 [ 4613.964349] wait_for_completion+0x3c/0x5c [ 4613.969146] flush_workqueue+0x198/0x790 [ 4613.973776] sas_porte_broadcast_rcvd+0x1e8/0x320 [libsas] [ 4613.979960] sas_port_event_worker+0x54/0xa0 [libsas] [ 4613.985708] process_one_work+0x248/0x950 [ 4613.990420] worker_thread+0x318/0x934 [ 4613.994868] kthread+0x190/0x200 [ 4613.998800] ret_from_fork+0x10/0x18 This is because when the device goes offline, we obtain the hisi_hba semaphore and send the ABORT_DEV command to the device. However, the internal abort timed out due to the 2 bit ECC error and triggers automatic dump. In addition, since the hisi_hba semaphore has been obtained, the dump cannot be executed and the controller cannot be reset. Therefore, the deadlocks occur on the following circular dependencies ---truncated--- CVE-2024-26873 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-26873.html CVE-2024-26873 https://bugzilla.suse.com/1223047 SUSE Bug 1223047 In the Linux kernel, the following vulnerability has been resolved: block: Fix page refcounts for unaligned buffers in __bio_release_pages() Fix an incorrect number of pages being released for buffers that do not start at the beginning of a page. CVE-2024-35826 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-35826.html CVE-2024-35826 https://bugzilla.suse.com/1224610 SUSE Bug 1224610 In the Linux kernel, the following vulnerability has been resolved: tcp: properly terminate timers for kernel sockets We had various syzbot reports about tcp timers firing after the corresponding netns has been dismantled. Fortunately Josef Bacik could trigger the issue more often, and could test a patch I wrote two years ago. When TCP sockets are closed, we call inet_csk_clear_xmit_timers() to 'stop' the timers. inet_csk_clear_xmit_timers() can be called from any context, including when socket lock is held. This is the reason it uses sk_stop_timer(), aka del_timer(). This means that ongoing timers might finish much later. For user sockets, this is fine because each running timer holds a reference on the socket, and the user socket holds a reference on the netns. For kernel sockets, we risk that the netns is freed before timer can complete, because kernel sockets do not hold reference on the netns. This patch adds inet_csk_clear_xmit_timers_sync() function that using sk_stop_timer_sync() to make sure all timers are terminated before the kernel socket is released. Modules using kernel sockets close them in their netns exit() handler. Also add sock_not_owned_by_me() helper to get LOCKDEP support : inet_csk_clear_xmit_timers_sync() must not be called while socket lock is held. It is very possible we can revert in the future commit 3a58f13a881e ("net: rds: acquire refcount on TCP sockets") which attempted to solve the issue in rds only. (net/smc/af_smc.c and net/mptcp/subflow.c have similar code) We probably can remove the check_net() tests from tcp_out_of_resources() and __tcp_close() in the future. CVE-2024-35910 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-35910.html CVE-2024-35910 https://bugzilla.suse.com/1224489 SUSE Bug 1224489 In the Linux kernel, the following vulnerability has been resolved: crypto: qat - validate slices count returned by FW The function adf_send_admin_tl_start() enables the telemetry (TL) feature on a QAT device by sending the ICP_QAT_FW_TL_START message to the firmware. This triggers the FW to start writing TL data to a DMA buffer in memory and returns an array containing the number of accelerators of each type (slices) supported by this HW. The pointer to this array is stored in the adf_tl_hw_data data structure called slice_cnt. The array slice_cnt is then used in the function tl_print_dev_data() to report in debugfs only statistics about the supported accelerators. An incorrect value of the elements in slice_cnt might lead to an out of bounds memory read. At the moment, there isn't an implementation of FW that returns a wrong value, but for robustness validate the slice count array returned by FW. CVE-2024-38606 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-38606.html CVE-2024-38606 https://bugzilla.suse.com/1226871 SUSE Bug 1226871 In the Linux kernel, the following vulnerability has been resolved: drop_monitor: replace spin_lock by raw_spin_lock trace_drop_common() is called with preemption disabled, and it acquires a spin_lock. This is problematic for RT kernels because spin_locks are sleeping locks in this configuration, which causes the following splat: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47 preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 2 5 locks held by rcuc/47/449: #0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210 #1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130 #2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210 #3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70 #4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290 irq event stamp: 139909 hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80 hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290 softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170 softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0 Preemption disabled at: [<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0 CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7 Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 __might_resched+0x21e/0x2f0 rt_spin_lock+0x5e/0x130 ? trace_drop_common.constprop.0+0xb5/0x290 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_drop_common.constprop.0+0xb5/0x290 ? preempt_count_sub+0x1c/0xd0 ? _raw_spin_unlock_irqrestore+0x4a/0x80 ? __pfx_trace_drop_common.constprop.0+0x10/0x10 ? rt_mutex_slowunlock+0x26a/0x2e0 ? skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_rt_mutex_slowunlock+0x10/0x10 ? skb_queue_purge_reason.part.0+0x1bf/0x230 trace_kfree_skb_hit+0x15/0x20 trace_kfree_skb+0xe9/0x150 kfree_skb_reason+0x7b/0x110 skb_queue_purge_reason.part.0+0x1bf/0x230 ? __pfx_skb_queue_purge_reason.part.0+0x10/0x10 ? mark_lock.part.0+0x8a/0x520 ... trace_drop_common() also disables interrupts, but this is a minor issue because we could easily replace it with a local_lock. Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic context. CVE-2024-40980 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-40980.html CVE-2024-40980 https://bugzilla.suse.com/1227937 SUSE Bug 1227937 In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix race condition in netpoll_owner_active KCSAN detected a race condition in netpoll: BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10: net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822) <snip> read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2: netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393) netpoll_send_udp (net/core/netpoll.c:?) <snip> value changed: 0x0000000a -> 0xffffffff This happens because netpoll_owner_active() needs to check if the current CPU is the owner of the lock, touching napi->poll_owner non atomically. The ->poll_owner field contains the current CPU holding the lock. Use an atomic read to check if the poll owner is the current CPU. CVE-2024-41005 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-41005.html CVE-2024-41005 https://bugzilla.suse.com/1227858 SUSE Bug 1227858 In the Linux kernel, the following vulnerability has been resolved: mm: prevent derefencing NULL ptr in pfn_section_valid() Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage") changed pfn_section_valid() to add a READ_ONCE() call around "ms->usage" to fix a race with section_deactivate() where ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough to prevent NULL pointer dereference. We need to check its value before dereferencing it. CVE-2024-41055 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-41055.html CVE-2024-41055 https://bugzilla.suse.com/1228521 SUSE Bug 1228521 In the Linux kernel, the following vulnerability has been resolved: null_blk: fix validation of block size Block size should be between 512 and PAGE_SIZE and be a power of 2. The current check does not validate this, so update the check. Without this patch, null_blk would Oops due to a null pointer deref when loaded with bs=1536 [1]. [axboe: remove unnecessary braces and != 0 check] CVE-2024-41077 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-41077.html CVE-2024-41077 https://bugzilla.suse.com/1228653 SUSE Bug 1228653 In the Linux kernel, the following vulnerability has been resolved: block: avoid to reuse `hctx` not removed from cpuhp callback list If the 'hctx' isn't removed from cpuhp callback list, we can't reuse it, otherwise use-after-free may be triggered. CVE-2024-41149 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-41149.html CVE-2024-41149 https://bugzilla.suse.com/1235698 SUSE Bug 1235698 In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential null pointer use in destroy_workqueue in init_cifs error path Dan Carpenter reported a Smack static checker warning: fs/smb/client/cifsfs.c:1981 init_cifs() error: we previously assumed 'serverclose_wq' could be null (see line 1895) The patch which introduced the serverclose workqueue used the wrong oredering in error paths in init_cifs() for freeing it on errors. CVE-2024-42307 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-42307.html CVE-2024-42307 https://bugzilla.suse.com/1229361 SUSE Bug 1229361 In the Linux kernel, the following vulnerability has been resolved: dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume rm-raid devices will occasionally trigger the following warning when being resumed after a table load because DM_RECOVERY_RUNNING is set: WARNING: CPU: 7 PID: 5660 at drivers/md/dm-raid.c:4105 raid_resume+0xee/0x100 [dm_raid] The failing check is: WARN_ON_ONCE(test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)); This check is designed to make sure that the sync thread isn't registered, but md_check_recovery can set MD_RECOVERY_RUNNING without the sync_thread ever getting registered. Instead of checking if MD_RECOVERY_RUNNING is set, check if sync_thread is non-NULL. CVE-2024-43820 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-43820.html CVE-2024-43820 https://bugzilla.suse.com/1229311 SUSE Bug 1229311 In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. CVE-2024-44974 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-44974.html CVE-2024-44974 https://bugzilla.suse.com/1230235 SUSE Bug 1230235 In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only decrement add_addr_accepted for MPJ req Adding the following warning ... WARN_ON_ONCE(msk->pm.add_addr_accepted == 0) ... before decrementing the add_addr_accepted counter helped to find a bug when running the "remove single subflow" subtest from the mptcp_join.sh selftest. Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the subflow closure. Before this patch, and upon the reception of the RM_ADDR, the other peer will then try to decrement this add_addr_accepted. That's not correct because the attached subflows have not been created upon the reception of an ADD_ADDR. A way to solve that is to decrement the counter only if the attached subflow was an MP_JOIN to a remote id that was not 0, and initiated by the host receiving the RM_ADDR. CVE-2024-45009 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-45009.html CVE-2024-45009 https://bugzilla.suse.com/1230438 SUSE Bug 1230438 In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only mark 'subflow' endp as available Adding the following warning ... WARN_ON_ONCE(msk->pm.local_addr_used == 0) ... before decrementing the local_addr_used counter helped to find a bug when running the "remove single address" subtest from the mptcp_join.sh selftests. Removing a 'signal' endpoint will trigger the removal of all subflows linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used counter, which is wrong in this case because this counter is linked to 'subflow' endpoints, and here it is a 'signal' endpoint that is being removed. Now, the counter is decremented, only if the ID is being used outside of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and if the ID is not 0 -- local_addr_used is not taking into account these ones. This marking of the ID as being available, and the decrement is done no matter if a subflow using this ID is currently available, because the subflow could have been closed before. CVE-2024-45010 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-45010.html CVE-2024-45010 https://bugzilla.suse.com/1230439 SUSE Bug 1230439 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_rename_path() If smb2_set_path_attr() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() again as the reference of @cfile was already dropped by previous smb2_compound_op() call. CVE-2024-46736 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-46736.html CVE-2024-46736 https://bugzilla.suse.com/1230728 SUSE Bug 1230728 In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated--- CVE-2024-46782 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-46782.html CVE-2024-46782 https://bugzilla.suse.com/1230769 SUSE Bug 1230769 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double put of @cfile in smb2_set_path_size() If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call. This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022: CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176 CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfx___cancel_work+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? lock_is_held_type+0x85/0xf0 ? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ? find_held_lock+0x8a/0xa0 ? __pfx_process_one_work+0x10/0x10 ? lock_acquired+0x220/0x550 ? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ? __kthread_parkme+0xd1/0xf0 ? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-46796 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-46796.html CVE-2024-46796 https://bugzilla.suse.com/1230832 SUSE Bug 1230832 In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: Fix uaf in __timer_delete_sync There are two paths to access mptcp_pm_del_add_timer, result in a race condition: CPU1 CPU2 ==== ==== net_rx_action napi_poll netlink_sendmsg __napi_poll netlink_unicast process_backlog netlink_unicast_kernel __netif_receive_skb genl_rcv __netif_receive_skb_one_core netlink_rcv_skb NF_HOOK genl_rcv_msg ip_local_deliver_finish genl_family_rcv_msg ip_protocol_deliver_rcu genl_family_rcv_msg_doit tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit tcp_v4_do_rcv mptcp_nl_remove_addrs_list tcp_rcv_established mptcp_pm_remove_addrs_and_subflows tcp_data_queue remove_anno_list_by_saddr mptcp_incoming_options mptcp_pm_del_add_timer mptcp_pm_del_add_timer kfree(entry) In remove_anno_list_by_saddr(running on CPU2), after leaving the critical zone protected by "pm.lock", the entry will be released, which leads to the occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1). Keeping a reference to add_timer inside the lock, and calling sk_stop_timer_sync() with this reference, instead of "entry->add_timer". Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock, do not directly access any members of the entry outside the pm lock, which can avoid similar "entry->x" uaf. CVE-2024-46858 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-46858.html CVE-2024-46858 https://bugzilla.suse.com/1231088 SUSE Bug 1231088 In the Linux kernel, the following vulnerability has been resolved: net/smc: check smcd_v2_ext_offset when receiving proposal msg When receiving proposal msg in server, the field smcd_v2_ext_offset in proposal msg is from the remote client and can not be fully trusted. Once the value of smcd_v2_ext_offset exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the value of smcd_v2_ext_offset before using it. CVE-2024-47408 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-47408.html CVE-2024-47408 https://bugzilla.suse.com/1235711 SUSE Bug 1235711 In the Linux kernel, the following vulnerability has been resolved: ext4: avoid OOB when system.data xattr changes underneath the filesystem When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 </TASK> Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem. CVE-2024-47701 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-47701.html CVE-2024-47701 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1231920 SUSE Bug 1231920 In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent tailcall infinite loop caused by freplace There is a potential infinite loop issue that can occur when using a combination of tail calls and freplace. In an upcoming selftest, the attach target for entry_freplace of tailcall_freplace.c is subprog_tc of tc_bpf2bpf.c, while the tail call in entry_freplace leads to entry_tc. This results in an infinite loop: entry_tc -> subprog_tc -> entry_freplace --tailcall-> entry_tc. The problem arises because the tail_call_cnt in entry_freplace resets to zero each time entry_freplace is executed, causing the tail call mechanism to never terminate, eventually leading to a kernel panic. To fix this issue, the solution is twofold: 1. Prevent updating a program extended by an freplace program to a prog_array map. 2. Prevent extending a program that is already part of a prog_array map with an freplace program. This ensures that: * If a program or its subprogram has been extended by an freplace program, it can no longer be updated to a prog_array map. * If a program has been added to a prog_array map, neither it nor its subprograms can be extended by an freplace program. Moreover, an extension program should not be tailcalled. As such, return -EINVAL if the program has a type of BPF_PROG_TYPE_EXT when adding it to a prog_array map. Additionally, fix a minor code style issue by replacing eight spaces with a tab for proper formatting. CVE-2024-47794 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-47794.html CVE-2024-47794 https://bugzilla.suse.com/1235712 SUSE Bug 1235712 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-49571 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-49571.html CVE-2024-49571 https://bugzilla.suse.com/1235733 SUSE Bug 1235733 In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at() We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates. CVE-2024-49884 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-49884.html CVE-2024-49884 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1232198 SUSE Bug 1232198 In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime. CVE-2024-49924 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-49924.html CVE-2024-49924 https://bugzilla.suse.com/1232364 SUSE Bug 1232364 In the Linux kernel, the following vulnerability has been resolved: l2tp: prevent possible tunnel refcount underflow When a session is created, it sets a backpointer to its tunnel. When the session refcount drops to 0, l2tp_session_free drops the tunnel refcount if session->tunnel is non-NULL. However, session->tunnel is set in l2tp_session_create, before the tunnel refcount is incremented by l2tp_session_register, which leaves a small window where session->tunnel is non-NULL when the tunnel refcount hasn't been bumped. Moving the assignment to l2tp_session_register is trivial but l2tp_session_create calls l2tp_session_set_header_len which uses session->tunnel to get the tunnel's encap. Add an encap arg to l2tp_session_set_header_len to avoid using session->tunnel. If l2tpv3 sessions have colliding IDs, it is possible for l2tp_v3_session_get to race with l2tp_session_register and fetch a session which doesn't yet have session->tunnel set. Add a check for this case. CVE-2024-49940 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-49940.html CVE-2024-49940 https://bugzilla.suse.com/1232812 SUSE Bug 1232812 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2cap_connect [Syzbot reported] BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54 CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci2 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949 l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline] l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825 l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 ... Freed by task 5245: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2256 [inline] slab_free mm/slub.c:4477 [inline] kfree+0x12a/0x3b0 mm/slub.c:4598 l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline] kref_put include/linux/kref.h:65 [inline] l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline] l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802 l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CVE-2024-49950 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-49950.html CVE-2024-49950 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1232159 SUSE Bug 1232159 In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed CVE-2024-49994 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-49994.html CVE-2024-49994 https://bugzilla.suse.com/1237757 SUSE Bug 1237757 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace: BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60 Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37 CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 ? hci_enhanced_setup_sync+0x91b/0xa60 print_report+0x152/0x4c0 ? hci_enhanced_setup_sync+0x91b/0xa60 ? __virt_addr_valid+0x1fa/0x420 ? hci_enhanced_setup_sync+0x91b/0xa60 kasan_report+0xda/0x1b0 ? hci_enhanced_setup_sync+0x91b/0xa60 hci_enhanced_setup_sync+0x91b/0xa60 ? __pfx_hci_enhanced_setup_sync+0x10/0x10 ? __pfx___mutex_lock+0x10/0x10 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x167/0x240 worker_thread+0x5b7/0xf60 ? __kthread_parkme+0xac/0x1c0 ? __pfx_worker_thread+0x10/0x10 ? __pfx_worker_thread+0x10/0x10 kthread+0x293/0x360 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 34: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __hci_conn_add+0x187/0x17d0 hci_connect_sco+0x2e1/0xb90 sco_sock_connect+0x2a2/0xb80 __sys_connect+0x227/0x2a0 __x64_sys_connect+0x6d/0xb0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 37: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x101/0x160 kfree+0xd0/0x250 device_release+0x9a/0x210 kobject_put+0x151/0x280 hci_conn_del+0x448/0xbf0 hci_abort_conn_sync+0x46f/0x980 hci_cmd_sync_work+0x1c2/0x330 process_one_work+0x7d9/0x1360 worker_thread+0x5b7/0xf60 kthread+0x293/0x360 ret_from_fork+0x2f/0x70 ret_from_fork_asm+0x1a/0x30 CVE-2024-50029 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50029.html CVE-2024-50029 https://bugzilla.suse.com/1231949 SUSE Bug 1231949 In the Linux kernel, the following vulnerability has been resolved: net: do not delay dst_entries_add() in dst_release() dst_entries_add() uses per-cpu data that might be freed at netns dismantle from ip6_route_net_exit() calling dst_entries_destroy() Before ip6_route_net_exit() can be called, we release all the dsts associated with this netns, via calls to dst_release(), which waits an rcu grace period before calling dst_destroy() dst_entries_add() use in dst_destroy() is racy, because dst_entries_destroy() could have been called already. Decrementing the number of dsts must happen sooner. Notes: 1) in CONFIG_XFRM case, dst_destroy() can call dst_release_immediate(child), this might also cause UAF if the child does not have DST_NOCOUNT set. IPSEC maintainers might take a look and see how to address this. 2) There is also discussion about removing this count of dst, which might happen in future kernels. CVE-2024-50036 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50036.html CVE-2024-50036 https://bugzilla.suse.com/1231912 SUSE Bug 1231912 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c Fix potential dereferencing of ERR_PTR() in find_format_by_pix() and uvc_v4l2_enum_format(). Fix the following smatch errors: drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix() error: 'fmtdesc' dereferencing possible ERR_PTR() drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format() error: 'fmtdesc' dereferencing possible ERR_PTR() Also, fix similar issue in uvc_v4l2_try_format() for potential dereferencing of ERR_PTR(). CVE-2024-50056 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50056.html CVE-2024-50056 https://bugzilla.suse.com/1232389 SUSE Bug 1232389 In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock. CVE-2024-50073 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50073.html CVE-2024-50073 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1232520 SUSE Bug 1232520 In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated--- CVE-2024-50085 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50085.html CVE-2024-50085 https://bugzilla.suse.com/1232508 SUSE Bug 1232508 In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken. CVE-2024-50115 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50115.html CVE-2024-50115 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1232919 SUSE Bug 1232919 https://bugzilla.suse.com/1233019 SUSE Bug 1233019 In the Linux kernel, the following vulnerability has been resolved: net: sched: use RCU read-side critical section in taprio_dump() Fix possible use-after-free in 'taprio_dump()' by adding RCU read-side critical section there. Never seen on x86 but found on a KASAN-enabled arm64 system when investigating https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa: [T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0 [T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862 [T15862] [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2 [T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024 [T15862] Call trace: [T15862] dump_backtrace+0x20c/0x220 [T15862] show_stack+0x2c/0x40 [T15862] dump_stack_lvl+0xf8/0x174 [T15862] print_report+0x170/0x4d8 [T15862] kasan_report+0xb8/0x1d4 [T15862] __asan_report_load4_noabort+0x20/0x2c [T15862] taprio_dump+0xa0c/0xbb0 [T15862] tc_fill_qdisc+0x540/0x1020 [T15862] qdisc_notify.isra.0+0x330/0x3a0 [T15862] tc_modify_qdisc+0x7b8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Allocated by task 15857: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_alloc_info+0x40/0x60 [T15862] __kasan_kmalloc+0xd4/0xe0 [T15862] __kmalloc_cache_noprof+0x194/0x334 [T15862] taprio_change+0x45c/0x2fe0 [T15862] tc_modify_qdisc+0x6a8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Freed by task 6192: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_free_info+0x4c/0x80 [T15862] poison_slab_object+0x110/0x160 [T15862] __kasan_slab_free+0x3c/0x74 [T15862] kfree+0x134/0x3c0 [T15862] taprio_free_sched_cb+0x18c/0x220 [T15862] rcu_core+0x920/0x1b7c [T15862] rcu_core_si+0x10/0x1c [T15862] handle_softirqs+0x2e8/0xd64 [T15862] __do_softirq+0x14/0x20 CVE-2024-50126 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50126.html CVE-2024-50126 https://bugzilla.suse.com/1232895 SUSE Bug 1232895 In the Linux kernel, the following vulnerability has been resolved: sched/core: Disable page allocation in task_tick_mm_cid() With KASAN and PREEMPT_RT enabled, calling task_work_add() in task_tick_mm_cid() may cause the following splat. [ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe [ 63.696416] preempt_count: 10001, expected: 0 [ 63.696416] RCU nest depth: 1, expected: 1 This problem is caused by the following call trace. sched_tick() [ acquire rq->__lock ] -> task_tick_mm_cid() -> task_work_add() -> __kasan_record_aux_stack() -> kasan_save_stack() -> stack_depot_save_flags() -> alloc_pages_mpol_noprof() -> __alloc_pages_noprof() -> get_page_from_freelist() -> rmqueue() -> rmqueue_pcplist() -> __rmqueue_pcplist() -> rmqueue_bulk() -> rt_spin_lock() The rq lock is a raw_spinlock_t. We can't sleep while holding it. IOW, we can't call alloc_pages() in stack_depot_save_flags(). The task_tick_mm_cid() function with its task_work_add() call was introduced by commit 223baf9d17f2 ("sched: Fix performance regression introduced by mm_cid") in v6.4 kernel. Fortunately, there is a kasan_record_aux_stack_noalloc() variant that calls stack_depot_save_flags() while not allowing it to allocate new pages. To allow task_tick_mm_cid() to use task_work without page allocation, a new TWAF_NO_ALLOC flag is added to enable calling kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack() if set. The task_tick_mm_cid() function is modified to add this new flag. The possible downside is the missing stack trace in a KASAN report due to new page allocation required when task_work_add_noallloc() is called which should be rare. CVE-2024-50140 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50140.html CVE-2024-50140 https://bugzilla.suse.com/1233060 SUSE Bug 1233060 In the Linux kernel, the following vulnerability has been resolved: xfrm: validate new SA's prefixlen using SA family when sel.family is unset This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.") syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on. CVE-2024-50142 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50142.html CVE-2024-50142 https://bugzilla.suse.com/1233028 SUSE Bug 1233028 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix possible double free in smb2_set_ea() Clang static checker(scan-build) warning: fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory. 1304 | kfree(ea); | ^~~~~~~~~ There is a double free in such case: 'ea is initialized to NULL' -> 'first successful memory allocation for ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea' -> 'goto replay_again' -> 'second goto sea_exit before allocate memory for ea' -> 'second memory release for ea resulted in double free'. Re-initialie 'ea' to NULL near to the replay_again label, it can fix this double free problem. CVE-2024-50152 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50152.html CVE-2024-50152 https://bugzilla.suse.com/1233033 SUSE Bug 1233033 In the Linux kernel, the following vulnerability has been resolved: mptcp: handle consistently DSS corruption Bugged peer implementation can send corrupted DSS options, consistently hitting a few warning in the data path. Use DEBUG_NET assertions, to avoid the splat on some builds and handle consistently the error, dumping related MIBs and performing fallback and/or reset according to the subflow type. CVE-2024-50185 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50185.html CVE-2024-50185 https://bugzilla.suse.com/1233109 SUSE Bug 1233109 In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() If access to offset + length is larger than the skbuff length, then skb_checksum() triggers BUG_ON(). skb_checksum() internally subtracts the length parameter while iterating over skbuff, BUG_ON(len) at the end of it checks that the expected length to be included in the checksum calculation is fully consumed. CVE-2024-50251 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50251.html CVE-2024-50251 https://bugzilla.suse.com/1233248 SUSE Bug 1233248 In the Linux kernel, the following vulnerability has been resolved: net: fix crash when config small gso_max_size/gso_ipv4_max_size Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size. CVE-2024-50258 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50258.html CVE-2024-50258 https://bugzilla.suse.com/1233221 SUSE Bug 1233221 In the Linux kernel, the following vulnerability has been resolved: media: cx24116: prevent overflows on SNR calculus as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that. CVE-2024-50290 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50290.html CVE-2024-50290 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1233479 SUSE Bug 1233479 https://bugzilla.suse.com/1233681 SUSE Bug 1233681 In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing locking causing hanging calls If a call gets aborted (e.g. because kafs saw a signal) between it being queued for connection and the I/O thread picking up the call, the abort will be prioritised over the connection and it will be removed from local->new_client_calls by rxrpc_disconnect_client_call() without a lock being held. This may cause other calls on the list to disappear if a race occurs. Fix this by taking the client_call_lock when removing a call from whatever list its ->wait_link happens to be on. CVE-2024-50294 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50294.html CVE-2024-50294 https://bugzilla.suse.com/1233483 SUSE Bug 1233483 In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken. Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1]. [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted ----------------------------- net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/362: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 ip_tunnel_find+0x435/0x4d0 ip_tunnel_newlink+0x517/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-50304 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-50304.html CVE-2024-50304 https://bugzilla.suse.com/1233522 SUSE Bug 1233522 In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit() The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32 values that come from the user via the submit_lookup_cmds() function. This addition could lead to an integer wrapping bug so use size_add() to prevent that. Patchwork: https://patchwork.freedesktop.org/patch/624696/ CVE-2024-52559 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-52559.html CVE-2024-52559 https://bugzilla.suse.com/1238507 SUSE Bug 1238507 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-53057 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53057.html CVE-2024-53057 https://bugzilla.suse.com/1233551 SUSE Bug 1233551 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-53063 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53063.html CVE-2024-53063 https://bugzilla.suse.com/1225742 SUSE Bug 1225742 https://bugzilla.suse.com/1233557 SUSE Bug 1233557 https://bugzilla.suse.com/1233619 SUSE Bug 1233619 In the Linux kernel, the following vulnerability has been resolved: mptcp: error out earlier on disconnect Eric reported a division by zero splat in the MPTCP protocol: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 6094 Comm: syz-executor317 Not tainted 6.12.0-rc5-syzkaller-00291-g05b92660cdfe #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__tcp_select_window+0x5b4/0x1310 net/ipv4/tcp_output.c:3163 Code: f6 44 01 e3 89 df e8 9b 75 09 f8 44 39 f3 0f 8d 11 ff ff ff e8 0d 74 09 f8 45 89 f4 e9 04 ff ff ff e8 00 74 09 f8 44 89 f0 99 <f7> 7c 24 14 41 29 d6 45 89 f4 e9 ec fe ff ff e8 e8 73 09 f8 48 89 RSP: 0018:ffffc900041f7930 EFLAGS: 00010293 RAX: 0000000000017e67 RBX: 0000000000017e67 RCX: ffffffff8983314b RDX: 0000000000000000 RSI: ffffffff898331b0 RDI: 0000000000000004 RBP: 00000000005d6000 R08: 0000000000000004 R09: 0000000000017e67 R10: 0000000000003e80 R11: 0000000000000000 R12: 0000000000003e80 R13: ffff888031d9b440 R14: 0000000000017e67 R15: 00000000002eb000 FS: 00007feb5d7f16c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb5d8adbb8 CR3: 0000000074e4c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __tcp_cleanup_rbuf+0x3e7/0x4b0 net/ipv4/tcp.c:1493 mptcp_rcv_space_adjust net/mptcp/protocol.c:2085 [inline] mptcp_recvmsg+0x2156/0x2600 net/mptcp/protocol.c:2289 inet_recvmsg+0x469/0x6a0 net/ipv4/af_inet.c:885 sock_recvmsg_nosec net/socket.c:1051 [inline] sock_recvmsg+0x1b2/0x250 net/socket.c:1073 __sys_recvfrom+0x1a5/0x2e0 net/socket.c:2265 __do_sys_recvfrom net/socket.c:2283 [inline] __se_sys_recvfrom net/socket.c:2279 [inline] __x64_sys_recvfrom+0xe0/0x1c0 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7feb5d857559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007feb5d7f1208 EFLAGS: 00000246 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007feb5d8e1318 RCX: 00007feb5d857559 RDX: 000000800000000e RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007feb5d8e1310 R08: 0000000000000000 R09: ffffffff81000000 R10: 0000000000000100 R11: 0000000000000246 R12: 00007feb5d8e131c R13: 00007feb5d8ae074 R14: 000000800000000e R15: 00000000fffffdef and provided a nice reproducer. The root cause is the current bad handling of racing disconnect. After the blamed commit below, sk_wait_data() can return (with error) with the underlying socket disconnected and a zero rcv_mss. Catch the error and return without performing any additional operations on the current socket. CVE-2024-53123 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53123.html CVE-2024-53123 https://bugzilla.suse.com/1234070 SUSE Bug 1234070 In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. It provides the families the following ops: - start - (optional) kicks off the dumping process - dump - actual dump helper, keeps getting called until it returns 0 - done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done. The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed. Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one. The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. Some async code may still access the socket after close, queue notification skbs to it etc. but no dumps can start, end or otherwise make progress. Delete the workqueue and flush the dump state directly from the release handler. Note that further cleanup is possible in -next, for instance we now always call .done before releasing the main module reference, so dump doesn't have to take a reference of its own. CVE-2024-53140 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53140.html CVE-2024-53140 https://bugzilla.suse.com/1234222 SUSE Bug 1234222 In the Linux kernel, the following vulnerability has been resolved: exfat: fix out-of-bounds access of directory entries In the case of the directory size is greater than or equal to the cluster size, if start_clu becomes an EOF cluster(an invalid cluster) due to file system corruption, then the directory entry where ei->hint_femp.eidx hint is outside the directory, resulting in an out-of-bounds access, which may cause further file system corruption. This commit adds a check for start_clu, if it is an invalid cluster, the file or directory will be treated as empty. CVE-2024-53147 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53147.html CVE-2024-53147 https://bugzilla.suse.com/1234857 SUSE Bug 1234857 In the Linux kernel, the following vulnerability has been resolved: crypto: qat/qat_420xx - fix off by one in uof_get_name() This is called from uof_get_name_420xx() where "num_objs" is the ARRAY_SIZE() of fw_objs[]. The > needs to be >= to prevent an out of bounds access. CVE-2024-53163 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53163.html CVE-2024-53163 https://bugzilla.suse.com/1234828 SUSE Bug 1234828 In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open() Yang Erkun reports that when two threads are opening files at the same time, and are forced to abort before a reply is seen, then the call to nfs_release_seqid() in nfs4_opendata_free() can result in a use-after-free of the pointer to the defunct rpc task of the other thread. The fix is to ensure that if the RPC call is aborted before the call to nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid() in nfs4_open_release() before the rpc_task is freed. CVE-2024-53173 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53173.html CVE-2024-53173 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234891 SUSE Bug 1234891 https://bugzilla.suse.com/1234892 SUSE Bug 1234892 In the Linux kernel, the following vulnerability has been resolved: smb: During unmount, ensure all cached dir instances drop their dentry The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs: BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------ kernel BUG at fs/super.c:661! This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including: - Receiving a lease break from the server - Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list - The laundromat thread decides to expire an old cfid. To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal. The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations. Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing. While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry. CVE-2024-53176 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53176.html CVE-2024-53176 https://bugzilla.suse.com/1234894 SUSE Bug 1234894 In the Linux kernel, the following vulnerability has been resolved: smb: prevent use-after-free due to open_cached_dir error paths If open_cached_dir() encounters an error parsing the lease from the server, the error handling may race with receiving a lease break, resulting in open_cached_dir() freeing the cfid while the queued work is pending. Update open_cached_dir() to drop refs rather than directly freeing the cfid. Have cached_dir_lease_break(), cfids_laundromat_worker(), and invalidate_all_cached_dirs() clear has_lease immediately while still holding cfids->cfid_list_lock, and then use this to also simplify the reference counting in cfids_laundromat_worker() and invalidate_all_cached_dirs(). Fixes this KASAN splat (which manually injects an error and lease break in open_cached_dir()): ================================================================== BUG: KASAN: slab-use-after-free in smb2_cached_lease_break+0x27/0xb0 Read of size 8 at addr ffff88811cc24c10 by task kworker/3:1/65 CPU: 3 UID: 0 PID: 65 Comm: kworker/3:1 Not tainted 6.12.0-rc6-g255cf264e6e5-dirty #87 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Workqueue: cifsiod smb2_cached_lease_break Call Trace: <TASK> dump_stack_lvl+0x77/0xb0 print_report+0xce/0x660 kasan_report+0xd3/0x110 smb2_cached_lease_break+0x27/0xb0 process_one_work+0x50a/0xc50 worker_thread+0x2ba/0x530 kthread+0x17c/0x1c0 ret_from_fork+0x34/0x60 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 open_cached_dir+0xa7d/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2464: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x51/0x70 kfree+0x174/0x520 open_cached_dir+0x97f/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x33/0x60 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x32/0x100 __queue_work+0x5c9/0x870 queue_work_on+0x82/0x90 open_cached_dir+0x1369/0x1fb0 smb2_query_path_info+0x43c/0x6e0 cifs_get_fattr+0x346/0xf10 cifs_get_inode_info+0x157/0x210 cifs_revalidate_dentry_attr+0x2d1/0x460 cifs_getattr+0x173/0x470 vfs_statx_path+0x10f/0x160 vfs_statx+0xe9/0x150 vfs_fstatat+0x5e/0xc0 __do_sys_newfstatat+0x91/0xf0 do_syscall_64+0x95/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff88811cc24c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff88811cc24c00, ffff88811cc25000) CVE-2024-53177 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53177.html CVE-2024-53177 https://bugzilla.suse.com/1234896 SUSE Bug 1234896 https://bugzilla.suse.com/1235103 SUSE Bug 1235103 In the Linux kernel, the following vulnerability has been resolved: smb: Don't leak cfid when reconnect races with open_cached_dir open_cached_dir() may either race with the tcon reconnection even before compound_send_recv() or directly trigger a reconnection via SMB2_open_init() or SMB_query_info_init(). The reconnection process invokes invalidate_all_cached_dirs() via cifs_mark_open_files_invalid(), which removes all cfids from the cfids->entries list but doesn't drop a ref if has_lease isn't true. This results in the currently-being-constructed cfid not being on the list, but still having a refcount of 2. It leaks if returned from open_cached_dir(). Fix this by setting cfid->has_lease when the ref is actually taken; the cfid will not be used by other threads until it has a valid time. Addresses these kmemleaks: unreferenced object 0xffff8881090c4000 (size 1024): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 32 bytes): 00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de ........"....... 00 ca 45 22 81 88 ff ff f8 dc 4f 04 81 88 ff ff ..E"......O..... backtrace (crc 6f58c20f): [<ffffffff8b895a1e>] __kmalloc_cache_noprof+0x2be/0x350 [<ffffffff8bda06e3>] open_cached_dir+0x993/0x1fb0 [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0 [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200 [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0 [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e unreferenced object 0xffff8881044fdcf8 (size 8): comm "bash", pid 1860, jiffies 4295126592 hex dump (first 8 bytes): 00 cc cc cc cc cc cc cc ........ backtrace (crc 10c106a9): [<ffffffff8b89a3d3>] __kmalloc_node_track_caller_noprof+0x363/0x480 [<ffffffff8b7d7256>] kstrdup+0x36/0x60 [<ffffffff8bda0700>] open_cached_dir+0x9b0/0x1fb0 [<ffffffff8bdaa750>] cifs_readdir+0x15a0/0x1d50 [<ffffffff8b9a853f>] iterate_dir+0x28f/0x4b0 [<ffffffff8b9a9aed>] __x64_sys_getdents64+0xfd/0x200 [<ffffffff8cf6da05>] do_syscall_64+0x95/0x1a0 [<ffffffff8d00012f>] entry_SYSCALL_64_after_hwframe+0x76/0x7e And addresses these BUG splats when unmounting the SMB filesystem: BUG: Dentry ffff888140590ba0{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs] WARNING: CPU: 3 PID: 3433 at fs/dcache.c:1536 umount_check+0xd0/0x100 Modules linked in: CPU: 3 UID: 0 PID: 3433 Comm: bash Not tainted 6.12.0-rc4-g850925a8133c-dirty #49 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:umount_check+0xd0/0x100 Code: 8d 7c 24 40 e8 31 5a f4 ff 49 8b 54 24 40 41 56 49 89 e9 45 89 e8 48 89 d9 41 57 48 89 de 48 c7 c7 80 e7 db ac e8 f0 72 9a ff <0f> 0b 58 31 c0 5a 5b 5d 41 5c 41 5d 41 5e 41 5f e9 2b e5 5d 01 41 RSP: 0018:ffff88811cc27978 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888140590ba0 RCX: ffffffffaaf20bae RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881f6fb6f40 RBP: ffff8881462ec000 R08: 0000000000000001 R09: ffffed1023984ee3 R10: ffff88811cc2771f R11: 00000000016cfcc0 R12: ffff888134383e08 R13: 0000000000000002 R14: ffff8881462ec668 R15: ffffffffaceab4c0 FS: 00007f23bfa98740(0000) GS:ffff8881f6f80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556de4a6f808 CR3: 0000000123c80000 CR4: 0000000000350ef0 Call Trace: <TASK> d_walk+0x6a/0x530 shrink_dcache_for_umount+0x6a/0x200 generic_shutdown_super+0x52/0x2a0 kill_anon_super+0x22/0x40 cifs_kill_sb+0x159/0x1e0 deactivate_locked_super+0x66/0xe0 cleanup_mnt+0x140/0x210 task_work_run+0xfb/0x170 syscall_exit_to_user_mode+0x29f/0x2b0 do_syscall_64+0xa1/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f23bfb93ae7 Code: ff ff ff ff c3 66 0f 1f 44 00 00 48 8b 0d 11 93 0d 00 f7 d8 64 89 01 b8 ff ff ff ff eb bf 0f 1f 44 00 00 b8 50 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e9 92 0d 00 f7 d8 64 89 ---truncated--- CVE-2024-53178 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53178.html CVE-2024-53178 https://bugzilla.suse.com/1234895 SUSE Bug 1234895 In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument. The driver needs to check whether it is a NULL pointer before dereferencing it. CVE-2024-53226 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53226.html CVE-2024-53226 https://bugzilla.suse.com/1236576 SUSE Bug 1236576 In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: Release resources at card release The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()). For avoid potential UAFs, move the release of resources to the card's private_free instead of the manual call of usb6fire_chip_destroy() at the USB disconnect callback. CVE-2024-53239 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53239.html CVE-2024-53239 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1235054 SUSE Bug 1235054 https://bugzilla.suse.com/1235055 SUSE Bug 1235055 In the Linux kernel, the following vulnerability has been resolved: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build time: vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() At runtime, this either causes an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in. This same issue has been reported by the Intel kernel test robot previously. Digging deeper into both LLVM and the kernel code reveals this to be a undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer of 64 chars to store the registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character (commit 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")). This, together with possibly other configurations, cause the following IR to be generated: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { %1 = alloca [64 x i8], align 16 ... 14: ; preds = %11 %15 = getelementptr inbounds i8, ptr %1, i64 63 %16 = load i8, ptr %15, align 1 %17 = tail call i1 @llvm.is.constant.i8(i8 %16) %18 = icmp eq i8 %16, 0 %19 = select i1 %17, i1 %18, i1 false br i1 %19, label %20, label %23 20: ; preds = %14 %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 ... 23: ; preds = %14, %11, %20 %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 ... } The above code calculates the address of the last char in the buffer (value %15) and then loads from it (value %16). Because the buffer is never initialized, the LLVM GVN pass marks value %16 as undefined: %13 = getelementptr inbounds i8, ptr %1, i64 63 br i1 undef, label %14, label %17 This gives later passes (SCCP, in particular) more DCE opportunities by propagating the undef value further, and eventually removes everything after the load on the uninitialized stack location: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { %1 = alloca [64 x i8], align 16 ... 12: ; preds = %11 %13 = getelementptr inbounds i8, ptr %1, i64 63 unreachable } In this way, the generated native code will just fall through to the next function, as LLVM does not generate any code for the unreachable IR instruction and leaves the function without a terminator. Zero the on-stack buffer to avoid this possible UB. CVE-2024-53680 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-53680.html CVE-2024-53680 https://bugzilla.suse.com/1235715 SUSE Bug 1235715 In the Linux kernel, the following vulnerability has been resolved: netfilter: IDLETIMER: Fix for possible ABBA deadlock Deletion of the last rule referencing a given idletimer may happen at the same time as a read of its file in sysfs: | ====================================================== | WARNING: possible circular locking dependency detected | 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted | ------------------------------------------------------ | iptables/3303 is trying to acquire lock: | ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20 | | but task is already holding lock: | ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v] | | which lock already depends on the new lock. A simple reproducer is: | #!/bin/bash | | while true; do | iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme" | done & | while true; do | cat /sys/class/xt_idletimer/timers/testme >/dev/null | done Avoid this by freeing list_mutex right after deleting the element from the list, then continuing with the teardown. CVE-2024-54683 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-54683.html CVE-2024-54683 https://bugzilla.suse.com/1235729 SUSE Bug 1235729 In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() Replace one-element array with a flexible-array member in `struct mwifiex_ie_types_wildcard_ssid_params` to fix the following warning on a MT8173 Chromebook (mt8173-elm-hana): [ 356.775250] ------------[ cut here ]------------ [ 356.784543] memcpy: detected field-spanning write (size 6) of single field "wildcard_ssid_tlv->ssid" at drivers/net/wireless/marvell/mwifiex/scan.c:904 (size 1) [ 356.813403] WARNING: CPU: 3 PID: 742 at drivers/net/wireless/marvell/mwifiex/scan.c:904 mwifiex_scan_networks+0x4fc/0xf28 [mwifiex] The "(size 6)" above is exactly the length of the SSID of the network this device was connected to. The source of the warning looks like: ssid_len = user_scan_in->ssid_list[i].ssid_len; [...] memcpy(wildcard_ssid_tlv->ssid, user_scan_in->ssid_list[i].ssid, ssid_len); There is a #define WILDCARD_SSID_TLV_MAX_SIZE that uses sizeof() on this struct, but it already didn't account for the size of the one-element array, so it doesn't need to be changed. CVE-2024-56539 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56539.html CVE-2024-56539 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1234963 SUSE Bug 1234963 https://bugzilla.suse.com/1234964 SUSE Bug 1234964 In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't query the device logical block size multiple times Devices block sizes may change. One of these cases is a loop device by using ioctl LOOP_SET_BLOCK_SIZE. While this may cause other issues like IO being rejected, in the case of hfsplus, it will allocate a block by using that size and potentially write out-of-bounds when hfsplus_read_wrapper calls hfsplus_submit_bio and the latter function reads a different io_size. Using a new min_io_size initally set to sb_min_blocksize works for the purposes of the original fix, since it will be set to the max between HFSPLUS_SECTOR_SIZE and the first seen logical block size. We still use the max between HFSPLUS_SECTOR_SIZE and min_io_size in case the latter is not initialized. Tested by mounting an hfsplus filesystem with loop block sizes 512, 1024 and 4096. The produced KASAN report before the fix looks like this: [ 419.944641] ================================================================== [ 419.945655] BUG: KASAN: slab-use-after-free in hfsplus_read_wrapper+0x659/0xa0a [ 419.946703] Read of size 2 at addr ffff88800721fc00 by task repro/10678 [ 419.947612] [ 419.947846] CPU: 0 UID: 0 PID: 10678 Comm: repro Not tainted 6.12.0-rc5-00008-gdf56e0f2f3ca #84 [ 419.949007] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 419.950035] Call Trace: [ 419.950384] <TASK> [ 419.950676] dump_stack_lvl+0x57/0x78 [ 419.951212] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.951830] print_report+0x14c/0x49e [ 419.952361] ? __virt_addr_valid+0x267/0x278 [ 419.952979] ? kmem_cache_debug_flags+0xc/0x1d [ 419.953561] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.954231] kasan_report+0x89/0xb0 [ 419.954748] ? hfsplus_read_wrapper+0x659/0xa0a [ 419.955367] hfsplus_read_wrapper+0x659/0xa0a [ 419.955948] ? __pfx_hfsplus_read_wrapper+0x10/0x10 [ 419.956618] ? do_raw_spin_unlock+0x59/0x1a9 [ 419.957214] ? _raw_spin_unlock+0x1a/0x2e [ 419.957772] hfsplus_fill_super+0x348/0x1590 [ 419.958355] ? hlock_class+0x4c/0x109 [ 419.958867] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.959499] ? __pfx_string+0x10/0x10 [ 419.960006] ? lock_acquire+0x3e2/0x454 [ 419.960532] ? bdev_name.constprop.0+0xce/0x243 [ 419.961129] ? __pfx_bdev_name.constprop.0+0x10/0x10 [ 419.961799] ? pointer+0x3f0/0x62f [ 419.962277] ? __pfx_pointer+0x10/0x10 [ 419.962761] ? vsnprintf+0x6c4/0xfba [ 419.963178] ? __pfx_vsnprintf+0x10/0x10 [ 419.963621] ? setup_bdev_super+0x376/0x3b3 [ 419.964029] ? snprintf+0x9d/0xd2 [ 419.964344] ? __pfx_snprintf+0x10/0x10 [ 419.964675] ? lock_acquired+0x45c/0x5e9 [ 419.965016] ? set_blocksize+0x139/0x1c1 [ 419.965381] ? sb_set_blocksize+0x6d/0xae [ 419.965742] ? __pfx_hfsplus_fill_super+0x10/0x10 [ 419.966179] mount_bdev+0x12f/0x1bf [ 419.966512] ? __pfx_mount_bdev+0x10/0x10 [ 419.966886] ? vfs_parse_fs_string+0xce/0x111 [ 419.967293] ? __pfx_vfs_parse_fs_string+0x10/0x10 [ 419.967702] ? __pfx_hfsplus_mount+0x10/0x10 [ 419.968073] legacy_get_tree+0x104/0x178 [ 419.968414] vfs_get_tree+0x86/0x296 [ 419.968751] path_mount+0xba3/0xd0b [ 419.969157] ? __pfx_path_mount+0x10/0x10 [ 419.969594] ? kmem_cache_free+0x1e2/0x260 [ 419.970311] do_mount+0x99/0xe0 [ 419.970630] ? __pfx_do_mount+0x10/0x10 [ 419.971008] __do_sys_mount+0x199/0x1c9 [ 419.971397] do_syscall_64+0xd0/0x135 [ 419.971761] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 419.972233] RIP: 0033:0x7c3cb812972e [ 419.972564] Code: 48 8b 0d f5 46 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c2 46 0d 00 f7 d8 64 89 01 48 [ 419.974371] RSP: 002b:00007ffe30632548 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 419.975048] RAX: ffffffffffffffda RBX: 00007ffe306328d8 RCX: 00007c3cb812972e [ 419.975701] RDX: 0000000020000000 RSI: 0000000020000c80 RDI: ---truncated--- CVE-2024-56548 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56548.html CVE-2024-56548 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1235073 SUSE Bug 1235073 https://bugzilla.suse.com/1235074 SUSE Bug 1235074 In the Linux kernel, the following vulnerability has been resolved: media: amphion: Set video drvdata before register video device The video drvdata should be set before the video device is registered, otherwise video_drvdata() may return NULL in the open() file ops, and led to oops. CVE-2024-56579 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56579.html CVE-2024-56579 https://bugzilla.suse.com/1236575 SUSE Bug 1236575 In the Linux kernel, the following vulnerability has been resolved: bpf: Call free_htab_elem() after htab_unlock_bucket() For htab of maps, when the map is removed from the htab, it may hold the last reference of the map. bpf_map_fd_put_ptr() will invoke bpf_map_free_id() to free the id of the removed map element. However, bpf_map_fd_put_ptr() is invoked while holding a bucket lock (raw_spin_lock_t), and bpf_map_free_id() attempts to acquire map_idr_lock (spinlock_t), triggering the following lockdep warning: ============================= [ BUG: Invalid wait context ] 6.11.0-rc4+ #49 Not tainted ----------------------------- test_maps/4881 is trying to lock: ffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70 other info that might help us debug this: context-{5:5} 2 locks held by test_maps/4881: #0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270 #1: ffff888149ced148 (&htab->lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80 stack backtrace: CPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ... Call Trace: <TASK> dump_stack_lvl+0x6e/0xb0 dump_stack+0x10/0x20 __lock_acquire+0x73e/0x36c0 lock_acquire+0x182/0x450 _raw_spin_lock_irqsave+0x43/0x70 bpf_map_free_id.part.0+0x21/0x70 bpf_map_put+0xcf/0x110 bpf_map_fd_put_ptr+0x9a/0xb0 free_htab_elem+0x69/0xe0 htab_map_update_elem+0x50f/0xa80 bpf_fd_htab_map_update_elem+0x131/0x270 htab_map_update_elem+0x50f/0xa80 bpf_fd_htab_map_update_elem+0x131/0x270 bpf_map_update_value+0x266/0x380 __sys_bpf+0x21bb/0x36b0 __x64_sys_bpf+0x45/0x60 x64_sys_call+0x1b2a/0x20d0 do_syscall_64+0x5d/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e One way to fix the lockdep warning is using raw_spinlock_t for map_idr_lock as well. However, bpf_map_alloc_id() invokes idr_alloc_cyclic() after acquiring map_idr_lock, it will trigger a similar lockdep warning because the slab's lock (s->cpu_slab->lock) is still a spinlock. Instead of changing map_idr_lock's type, fix the issue by invoking htab_put_fd_value() after htab_unlock_bucket(). However, only deferring the invocation of htab_put_fd_value() is not enough, because the old map pointers in htab of maps can not be saved during batched deletion. Therefore, also defer the invocation of free_htab_elem(), so these to-be-freed elements could be linked together similar to lru map. There are four callers for ->map_fd_put_ptr: (1) alloc_htab_elem() (through htab_put_fd_value()) It invokes ->map_fd_put_ptr() under a raw_spinlock_t. The invocation of htab_put_fd_value() can not simply move after htab_unlock_bucket(), because the old element has already been stashed in htab->extra_elems. It may be reused immediately after htab_unlock_bucket() and the invocation of htab_put_fd_value() after htab_unlock_bucket() may release the newly-added element incorrectly. Therefore, saving the map pointer of the old element for htab of maps before unlocking the bucket and releasing the map_ptr after unlock. Beside the map pointer in the old element, should do the same thing for the special fields in the old element as well. (2) free_htab_elem() (through htab_put_fd_value()) Its caller includes __htab_map_lookup_and_delete_elem(), htab_map_delete_elem() and __htab_map_lookup_and_delete_batch(). For htab_map_delete_elem(), simply invoke free_htab_elem() after htab_unlock_bucket(). For __htab_map_lookup_and_delete_batch(), just like lru map, linking the to-be-freed element into node_to_free list and invoking free_htab_elem() for these element after unlock. It is safe to reuse batch_flink as the link for node_to_free, because these elements have been removed from the hash llist. Because htab of maps doesn't support lookup_and_delete operation, __htab_map_lookup_and_delete_elem() doesn't have the problem, so kept it as ---truncated--- CVE-2024-56592 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56592.html CVE-2024-56592 https://bugzilla.suse.com/1235244 SUSE Bug 1235244 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() bt_sock_alloc() allocates the sk object and attaches it to the provided sock object. On error l2cap_sock_alloc() frees the sk object, but the dangling pointer is still attached to the sock object, which may create use-after-free in other code. CVE-2024-56605 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56605.html CVE-2024-56605 https://bugzilla.suse.com/1234853 SUSE Bug 1234853 https://bugzilla.suse.com/1235061 SUSE Bug 1235061 https://bugzilla.suse.com/1235062 SUSE Bug 1235062 In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging tosend bytes, which is either msg->sg.size or a smaller value apply_bytes. Potential problems with this strategy are as follows: - If the actual sent bytes are smaller than tosend, we need to charge some bytes back, as in line 487, which is okay but seems not clean. - When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may miss uncharging (msg->sg.size - apply_bytes) bytes. [...] 415 tosend = msg->sg.size; 416 if (psock->apply_bytes && psock->apply_bytes < tosend) 417 tosend = psock->apply_bytes; [...] 443 sk_msg_return(sk, msg, tosend); 444 release_sock(sk); 446 origsize = msg->sg.size; 447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress, 448 msg, tosend, flags); 449 sent = origsize - msg->sg.size; [...] 454 lock_sock(sk); 455 if (unlikely(ret < 0)) { 456 int free = sk_msg_free_nocharge(sk, msg); 458 if (!cork) 459 *copied -= free; 460 } [...] 487 if (eval == __SK_REDIRECT) 488 sk_mem_charge(sk, tosend - sent); [...] When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply, the following warning will be reported: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0 Modules linked in: CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events sk_psock_destroy RIP: 0010:inet_sock_destruct+0x190/0x1a0 RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206 RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800 RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900 RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0 R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400 R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100 FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x89/0x130 ? inet_sock_destruct+0x190/0x1a0 ? report_bug+0xfc/0x1e0 ? handle_bug+0x5c/0xa0 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x190/0x1a0 __sk_destruct+0x25/0x220 sk_psock_destroy+0x2b2/0x310 process_scheduled_works+0xa3/0x3e0 worker_thread+0x117/0x240 ? __pfx_worker_thread+0x10/0x10 kthread+0xcf/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- In __SK_REDIRECT, a more concise way is delaying the uncharging after sent bytes are finalized, and uncharge this value. When (ret < 0), we shall invoke sk_msg_free. Same thing happens in case __SK_DROP, when tosend is set to apply_bytes, we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same warning will be reported in selftest. [...] 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); 473 return -EACCES; [...] So instead of sk_msg_free_partial we can do sk_msg_free here. CVE-2024-56633 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56633.html CVE-2024-56633 https://bugzilla.suse.com/1235485 SUSE Bug 1235485 In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: incorrect percpu area handling under softirq Softirq can interrupt ongoing packet from process context that is walking over the percpu area that contains inner header offsets. Disable bh and perform three checks before restoring the percpu inner header offsets to validate that the percpu area is valid for this skbuff: 1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff has already been parsed before for inner header fetching to register. 2) Validate that the percpu area refers to this skbuff using the skbuff pointer as a cookie. If there is a cookie mismatch, then this skbuff needs to be parsed again. 3) Finally, validate if the percpu area refers to this tunnel type. Only after these three checks the percpu area is restored to a on-stack copy and bh is enabled again. After inner header fetching, the on-stack copy is stored back to the percpu area. CVE-2024-56638 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56638.html CVE-2024-56638 https://bugzilla.suse.com/1235524 SUSE Bug 1235524 In the Linux kernel, the following vulnerability has been resolved: net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 or refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock. e.g. Calls under socklock | smc_listen_work ------------------------------------------------------- lock_sock(sk) | smc_conn_abort smc_conn_free | \- smc_conn_free \- smcr_link_put | \- smcr_link_put (duplicated) release_sock(sk) So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations. CVE-2024-56640 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56640.html CVE-2024-56640 https://bugzilla.suse.com/1235436 SUSE Bug 1235436 In the Linux kernel, the following vulnerability has been resolved: net: Fix icmp host relookup triggering ip_rt_bug arp link failure may trigger ip_rt_bug while xfrm enabled, call trace is: WARNING: CPU: 0 PID: 0 at net/ipv4/route.c:1241 ip_rt_bug+0x14/0x20 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ip_rt_bug+0x14/0x20 Call Trace: <IRQ> ip_send_skb+0x14/0x40 __icmp_send+0x42d/0x6a0 ipv4_link_failure+0xe2/0x1d0 arp_error_report+0x3c/0x50 neigh_invalidate+0x8d/0x100 neigh_timer_handler+0x2e1/0x330 call_timer_fn+0x21/0x120 __run_timer_base.part.0+0x1c9/0x270 run_timer_softirq+0x4c/0x80 handle_softirqs+0xac/0x280 irq_exit_rcu+0x62/0x80 sysvec_apic_timer_interrupt+0x77/0x90 The script below reproduces this scenario: ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 \ dir out priority 0 ptype main flag localok icmp ip l a veth1 type veth ip a a 192.168.141.111/24 dev veth0 ip l s veth0 up ping 192.168.141.155 -c 1 icmp_route_lookup() create input routes for locally generated packets while xfrm relookup ICMP traffic.Then it will set input route (dst->out = ip_rt_bug) to skb for DESTUNREACH. For ICMP err triggered by locally generated packets, dst->dev of output route is loopback. Generally, xfrm relookup verification is not required on loopback interfaces (net.ipv4.conf.lo.disable_xfrm = 1). Skip icmp relookup for locally generated packets to fix it. CVE-2024-56647 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56647.html CVE-2024-56647 https://bugzilla.suse.com/1235435 SUSE Bug 1235435 In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) </IRQ> <TASK> asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) </TASK> Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated--- CVE-2024-56658 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56658.html CVE-2024-56658 https://bugzilla.suse.com/1235441 SUSE Bug 1235441 https://bugzilla.suse.com/1235442 SUSE Bug 1235442 In the Linux kernel, the following vulnerability has been resolved: bpf: Mark raw_tp arguments with PTR_MAYBE_NULL Arguments to a raw tracepoint are tagged as trusted, which carries the semantics that the pointer will be non-NULL. However, in certain cases, a raw tracepoint argument may end up being NULL. More context about this issue is available in [0]. Thus, there is a discrepancy between the reality, that raw_tp arguments can actually be NULL, and the verifier's knowledge, that they are never NULL, causing explicit NULL checks to be deleted, and accesses to such pointers potentially crashing the kernel. To fix this, mark raw_tp arguments as PTR_MAYBE_NULL, and then special case the dereference and pointer arithmetic to permit it, and allow passing them into helpers/kfuncs; these exceptions are made for raw_tp programs only. Ensure that we don't do this when ref_obj_id > 0, as in that case this is an acquired object and doesn't need such adjustment. The reason we do mask_raw_tp_trusted_reg logic is because other will recheck in places whether the register is a trusted_reg, and then consider our register as untrusted when detecting the presence of the PTR_MAYBE_NULL flag. To allow safe dereference, we enable PROBE_MEM marking when we see loads into trusted pointers with PTR_MAYBE_NULL. While trusted raw_tp arguments can also be passed into helpers or kfuncs where such broken assumption may cause issues, a future patch set will tackle their case separately, as PTR_TO_BTF_ID (without PTR_TRUSTED) can already be passed into helpers and causes similar problems. Thus, they are left alone for now. It is possible that these checks also permit passing non-raw_tp args that are trusted PTR_TO_BTF_ID with null marking. In such a case, allowing dereference when pointer is NULL expands allowed behavior, so won't regress existing programs, and the case of passing these into helpers is the same as above and will be dealt with later. Also update the failure case in tp_btf_nullable selftest to capture the new behavior, as the verifier will no longer cause an error when directly dereference a raw tracepoint argument marked as __nullable. [0]: https://lore.kernel.org/bpf/ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb CVE-2024-56702 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56702.html CVE-2024-56702 https://bugzilla.suse.com/1235501 SUSE Bug 1235501 In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix soft lockups in fib6_select_path under high next hop churn Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core—indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs. Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes. Kernel log: 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d -- <IRQ stack> -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb [exception RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200 R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c 10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c 11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5 12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice] 21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice] 22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice] 23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb CVE-2024-56703 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56703.html CVE-2024-56703 https://bugzilla.suse.com/1235455 SUSE Bug 1235455 In the Linux kernel, the following vulnerability has been resolved: net/smc: protect link down work from execute after lgr freed link down work may be scheduled before lgr freed but execute after lgr freed, which may result in crash. So it is need to hold a reference before shedule link down work, and put the reference after work executed or canceled. The relevant crash call stack as follows: list_del corruption. prev->next should be ffffb638c9c0fe20, but was 0000000000000000 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:51! invalid opcode: 0000 [#1] SMP NOPTI CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 Workqueue: events smc_link_down_work [smc] RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: rwsem_down_write_slowpath+0x17e/0x470 smc_link_down_work+0x3c/0x60 [smc] process_one_work+0x1ac/0x350 worker_thread+0x49/0x2f0 ? rescuer_thread+0x360/0x360 kthread+0x118/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x1f/0x30 CVE-2024-56718 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56718.html CVE-2024-56718 https://bugzilla.suse.com/1235589 SUSE Bug 1235589 In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/ CVE-2024-56719 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56719.html CVE-2024-56719 https://bugzilla.suse.com/1235591 SUSE Bug 1235591 In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Several fixes to bpf_msg_pop_data Several fixes to bpf_msg_pop_data, 1. In sk_msg_shift_left, we should put_page 2. if (len == 0), return early is better 3. pop the entire sk_msg (last == msg->sg.size) should be supported 4. Fix for the value of variable "a" 5. In sk_msg_shift_left, after shifting, i has already pointed to the next element. Addtional sk_msg_iter_var_next may result in BUG. CVE-2024-56720 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56720.html CVE-2024-56720 https://bugzilla.suse.com/1235592 SUSE Bug 1235592 In the Linux kernel, the following vulnerability has been resolved: ipv6: release nexthop on device removal The CI is hitting some aperiodic hangup at device removal time in the pmtu.sh self-test: unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6 ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at dst_init+0x84/0x4a0 dst_alloc+0x97/0x150 ip6_dst_alloc+0x23/0x90 ip6_rt_pcpu_alloc+0x1e6/0x520 ip6_pol_route+0x56f/0x840 fib6_rule_lookup+0x334/0x630 ip6_route_output_flags+0x259/0x480 ip6_dst_lookup_tail.constprop.0+0x5c2/0x940 ip6_dst_lookup_flow+0x88/0x190 udp_tunnel6_dst_lookup+0x2a7/0x4c0 vxlan_xmit_one+0xbde/0x4a50 [vxlan] vxlan_xmit+0x9ad/0xf20 [vxlan] dev_hard_start_xmit+0x10e/0x360 __dev_queue_xmit+0xf95/0x18c0 arp_solicit+0x4a2/0xe00 neigh_probe+0xaa/0xf0 While the first suspect is the dst_cache, explicitly tracking the dst owing the last device reference via probes proved such dst is held by the nexthop in the originating fib6_info. Similar to commit f5b51fe804ec ("ipv6: route: purge exception on removal"), we need to explicitly release the originating fib info when disconnecting a to-be-removed device from a live ipv6 dst: move the fib6_info cleanup into ip6_dst_ifdown(). Tested running: ./pmtu.sh cleanup_ipv6_exception in a tight loop for more than 400 iterations with no spat, running an unpatched kernel I observed a splat every ~10 iterations. CVE-2024-56751 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56751.html CVE-2024-56751 https://bugzilla.suse.com/1234936 SUSE Bug 1234936 In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice. CVE-2024-56758 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56758.html CVE-2024-56758 https://bugzilla.suse.com/1235621 SUSE Bug 1235621 In the Linux kernel, the following vulnerability has been resolved: net/sched: netem: account for backlog updates from child qdisc In general, 'qlen' of any classful qdisc should keep track of the number of packets that the qdisc itself and all of its children holds. In case of netem, 'qlen' only accounts for the packets in its internal tfifo. When netem is used with a child qdisc, the child qdisc can use 'qdisc_tree_reduce_backlog' to inform its parent, netem, about created or dropped SKBs. This function updates 'qlen' and the backlog statistics of netem, but netem does not account for changes made by a child qdisc. 'qlen' then indicates the wrong number of packets in the tfifo. If a child qdisc creates new SKBs during enqueue and informs its parent about this, netem's 'qlen' value is increased. When netem dequeues the newly created SKBs from the child, the 'qlen' in netem is not updated. If 'qlen' reaches the configured sch->limit, the enqueue function stops working, even though the tfifo is not full. Reproduce the bug: Ensure that the sender machine has GSO enabled. Configure netem as root qdisc and tbf as its child on the outgoing interface of the machine as follows: $ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100 $ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms Send bulk TCP traffic out via this interface, e.g., by running an iPerf3 client on the machine. Check the qdisc statistics: $ tc -s qdisc show dev <oif> Statistics after 10s of iPerf3 TCP test before the fix (note that netem's backlog > limit, netem stopped accepting packets): qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0) backlog 4294528236b 1155p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0) backlog 0b 0p requeues 0 Statistics after the fix: qdisc netem 1: root refcnt 2 limit 1000 delay 100ms Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0) backlog 0b 0p requeues 0 qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0) backlog 0b 0p requeues 0 tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'. The interface fully stops transferring packets and "locks". In this case, the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at its limit and no more packets are accepted. This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is only decreased when a packet is returned by its dequeue function, and not during enqueuing into the child qdisc. External updates to 'qlen' are thus accounted for and only the behavior of the backlog statistics changes. As in other qdiscs, 'qlen' then keeps track of how many packets are held in netem and all of its children. As before, sch->limit remains as the maximum number of packets in the tfifo. The same applies to netem's backlog statistics. CVE-2024-56770 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-56770.html CVE-2024-56770 https://bugzilla.suse.com/1235637 SUSE Bug 1235637 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-57807 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57807.html CVE-2024-57807 https://bugzilla.suse.com/1235761 SUSE Bug 1235761 In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1] If dvb->mux is not initialized successfully by vidtv_mux_init() in the vidtv_start_streaming(), it will trigger null pointer dereference about mux in vidtv_mux_stop_thread(). Adjust the timing of streaming initialization and check it before stopping it. [1] KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471 Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8 RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125 RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128 RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188 R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710 FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline] vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252 dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000 dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486 dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3f8/0xb60 fs/file_table.c:450 task_work_run+0x14e/0x250 kernel/task_work.c:239 get_signal+0x1d3/0x2610 kernel/signal.c:2790 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-57834 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57834.html CVE-2024-57834 https://bugzilla.suse.com/1238993 SUSE Bug 1238993 In the Linux kernel, the following vulnerability has been resolved: mptcp: fix TCP options overflow. Syzbot reported the following splat: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0000:ffffc90003916c90 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007 R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1204 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0033:0x7f34f4519ad5 Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246 RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5 RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0 RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000 R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4 R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68 </TASK> Eric noted a probable shinfo->nr_frags corruption, which indeed occurs. The root cause is a buggy MPTCP option len computation in some circumstances: the ADD_ADDR option should be mutually exclusive with DSS since the blamed commit. Still, mptcp_established_options_add_addr() tries to set the relevant info in mptcp_out_options, if ---truncated--- CVE-2024-57882 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57882.html CVE-2024-57882 https://bugzilla.suse.com/1235914 SUSE Bug 1235914 https://bugzilla.suse.com/1235916 SUSE Bug 1235916 In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above. CVE-2024-57889 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57889.html CVE-2024-57889 https://bugzilla.suse.com/1236573 SUSE Bug 1236573 In the Linux kernel, the following vulnerability has been resolved: ila: serialize calls to nf_register_net_hooks() syzbot found a race in ila_add_mapping() [1] commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner") attempted to fix a similar issue. Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands. Add a mutex to make sure at most one thread is calling nf_register_net_hooks(). [1] BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501 CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xc3/0x620 mm/kasan/report.c:489 kasan_report+0xd9/0x110 mm/kasan/report.c:602 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604 rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline] ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269 NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785 process_backlog+0x443/0x15f0 net/core/dev.c:6117 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0xa94/0x1010 net/core/dev.c:7074 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049 CVE-2024-57900 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57900.html CVE-2024-57900 https://bugzilla.suse.com/1235973 SUSE Bug 1235973 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo: fix initial map fill The initial buffer has to be inited to all-ones, but it must restrict it to the size of the first field, not the total field size. After each round in the map search step, the result and the fill map are swapped, so if we have a set where f->bsize of the first element is smaller than m->bsize_max, those one-bits are leaked into future rounds result map. This makes pipapo find an incorrect matching results for sets where first field size is not the largest. Followup patch adds a test case to nft_concat_range.sh selftest script. Thanks to Stefano Brivio for pointing out that we need to zero out the remainder explicitly, only correcting memset() argument isn't enough. CVE-2024-57947 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57947.html CVE-2024-57947 https://bugzilla.suse.com/1236333 SUSE Bug 1236333 In the Linux kernel, the following vulnerability has been resolved: mac802154: check local interfaces before deleting sdata list syzkaller reported a corrupted list in ieee802154_if_remove. [1] Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 hardware device from the system. CPU0 CPU1 ==== ==== genl_family_rcv_msg_doit ieee802154_unregister_hw ieee802154_del_iface ieee802154_remove_interfaces rdev_del_virtual_intf_deprecated list_del(&sdata->list) ieee802154_if_remove list_del_rcu The net device has been unregistered, since the rcu grace period, unregistration must be run before ieee802154_if_remove. To avoid this issue, add a check for local->interfaces before deleting sdata list. [1] kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_rcu include/linux/rculist.h:157 [inline] ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:744 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 ___sys_sendmsg net/socket.c:2661 [inline] __sys_sendmsg+0x292/0x380 net/socket.c:2690 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-57948 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57948.html CVE-2024-57948 https://bugzilla.suse.com/1236677 SUSE Bug 1236677 In the Linux kernel, the following vulnerability has been resolved: rdma/cxgb4: Prevent potential integer overflow on 32bit The "gl->tot_len" variable is controlled by the user. It comes from process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an integer wrapping bug. Use size_add() to prevent this. CVE-2024-57973 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57973.html CVE-2024-57973 https://bugzilla.suse.com/1238531 SUSE Bug 1238531 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2024-57974 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57974.html CVE-2024-57974 https://bugzilla.suse.com/1238532 SUSE Bug 1238532 In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Fix potential error pointer dereference in detach_pm() The proble is on the first line: if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i])) If jpeg->pd_dev[i] is an error pointer, then passing it to pm_runtime_suspended() will lead to an Oops. The other conditions check for both error pointers and NULL, but it would be more clear to use the IS_ERR_OR_NULL() check for that. CVE-2024-57978 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57978.html CVE-2024-57978 https://bugzilla.suse.com/1238523 SUSE Bug 1238523 In the Linux kernel, the following vulnerability has been resolved: pps: Fix a use-after-free On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting: pps pps1: removed ------------[ cut here ]------------ kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called. WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150 CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1 Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kobject_put+0x120/0x150 lr : kobject_put+0x120/0x150 sp : ffffffc0803d3ae0 x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001 x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440 x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600 x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20 x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: kobject_put+0x120/0x150 cdev_put+0x20/0x3c __fput+0x2c4/0x2d8 ____fput+0x1c/0x38 task_work_run+0x70/0xfc do_exit+0x2a0/0x924 do_group_exit+0x34/0x90 get_signal+0x7fc/0x8c0 do_signal+0x128/0x13b4 do_notify_resume+0xdc/0x160 el0_svc+0xd4/0xf8 el0t_64_sync_handler+0x140/0x14c el0t_64_sync+0x190/0x194 ---[ end trace 0000000000000000 ]--- ...followed by more symptoms of corruption, with similar stacks: refcount_t: underflow; use-after-free. kernel BUG at lib/list_debug.c:62! Kernel panic - not syncing: Oops - BUG: Fatal exception This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board. In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device. But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev. pps_core: source serial1 got cdev (251:1) <...> pps pps1: removed pps_core: unregistering pps1 pps_core: deallocating pps1 CVE-2024-57979 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57979.html CVE-2024-57979 https://bugzilla.suse.com/1238521 SUSE Bug 1238521 In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix double free in error path If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it. Reviewed by: Ricardo Ribalda <ribalda@chromium.org> CVE-2024-57980 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57980.html CVE-2024-57980 https://bugzilla.suse.com/1237911 SUSE Bug 1237911 In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix NULL pointer dereference on certain command aborts If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment. If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone. This is probably Bug 219532, but no confirmation has been received. The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes. CVE-2024-57981 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57981.html CVE-2024-57981 https://bugzilla.suse.com/1237912 SUSE Bug 1237912 In the Linux kernel, the following vulnerability has been resolved: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections A report in 2019 by the syzbot fuzzer was found to be connected to two errors in the HID core associated with Resolution Multipliers. One of the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop in hid_apply_multiplier."), but the other has not been fixed. This error arises because hid_apply_multipler() assumes that every Resolution Multiplier control is contained in a Logical Collection, i.e., there's no way the routine can ever set multiplier_collection to NULL. This is in spite of the fact that the function starts with a big comment saying: * "The Resolution Multiplier control must be contained in the same * Logical Collection as the control(s) to which it is to be applied. ... * If no Logical Collection is * defined, the Resolution Multiplier is associated with all * controls in the report." * HID Usage Table, v1.12, Section 4.3.1, p30 * * Thus, search from the current collection upwards until we find a * logical collection... The comment and the code overlook the possibility that none of the collections found may be a Logical Collection. The fix is to set the multiplier_collection pointer to NULL if the collection found isn't a Logical Collection. CVE-2024-57986 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57986.html CVE-2024-57986 https://bugzilla.suse.com/1237907 SUSE Bug 1237907 In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: fix off by one in mt7925_load_clc() This comparison should be >= instead of > to prevent an out of bounds read and write. CVE-2024-57990 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57990.html CVE-2024-57990 https://bugzilla.suse.com/1237900 SUSE Bug 1237900 In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check syzbot has found a type mismatch between a USB pipe and the transfer endpoint, which is triggered by the hid-thrustmaster driver[1]. There is a number of similar, already fixed issues [2]. In this case as in others, implementing check for endpoint type fixes the issue. [1] https://syzkaller.appspot.com/bug?extid=040e8b3db6a96908d470 [2] https://syzkaller.appspot.com/bug?extid=348331f63b034f89b622 CVE-2024-57993 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57993.html CVE-2024-57993 https://bugzilla.suse.com/1237894 SUSE Bug 1237894 In the Linux kernel, the following vulnerability has been resolved: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple() Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page() to increase test coverage. syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple() [1] As current users of ptr_ring_resize_multiple() do not require hard irqs being masked, replace it to only block BH. Rename helpers to better reflect they are safe against BH only. - ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh() - skb_array_resize_multiple() to skb_array_resize_multiple_bh() [1] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline] WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Modules linked in: CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline] RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780 Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85 RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083 RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843 RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040 R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff FS: 00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tun_ptr_free drivers/net/tun.c:617 [inline] __ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline] ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline] tun_queue_resize drivers/net/tun.c:3694 [inline] tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2032 [inline] call_netdevice_notifiers net/core/dev.c:2046 [inline] dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024 do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923 rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201 rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550 CVE-2024-57994 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57994.html CVE-2024-57994 https://bugzilla.suse.com/1237901 SUSE Bug 1237901 In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access. CVE-2024-57996 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57996.html CVE-2024-57996 https://bugzilla.suse.com/1239076 SUSE Bug 1239076 https://bugzilla.suse.com/1239077 SUSE Bug 1239077 In the Linux kernel, the following vulnerability has been resolved: wifi: wcn36xx: fix channel survey memory allocation size KASAN reported a memory allocation issue in wcn->chan_survey due to incorrect size calculation. This commit uses kcalloc to allocate memory for wcn->chan_survey, ensuring proper initialization and preventing the use of uninitialized values when there are no frames on the channel. CVE-2024-57997 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57997.html CVE-2024-57997 https://bugzilla.suse.com/1238529 SUSE Bug 1238529 In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW Power Hypervisor can possibily allocate MMIO window intersecting with Dynamic DMA Window (DDW) range, which is over 32-bit addressing. These MMIO pages needs to be marked as reserved so that IOMMU doesn't map DMA buffers in this range. The current code is not marking these pages correctly which is resulting in LPAR to OOPS while booting. The stack is at below BUG: Unable to handle kernel data access on read at 0xc00800005cd40000 Faulting instruction address: 0xc00000000005cdac Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod Supported: Yes, External CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries Workqueue: events work_for_cpu_fn NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000 REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default) MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24228448 XER: 00000001 CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800 GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000 GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000 GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800 GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8 GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800 NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100 LR [c00000000005e830] iommu_init_table+0x80/0x1e0 Call Trace: [c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable) [c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40 [c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230 [c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90 [c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80 [c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net] [c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110 [c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60 [c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620 [c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620 [c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150 [c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18 There are 2 issues in the code 1. The index is "int" while the address is "unsigned long". This results in negative value when setting the bitmap. 2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit address). MMIO address needs to be page shifted as well. CVE-2024-57999 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-57999.html CVE-2024-57999 https://bugzilla.suse.com/1238526 SUSE Bug 1238526 In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled. CVE-2024-58002 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58002.html CVE-2024-58002 https://bugzilla.suse.com/1238503 SUSE Bug 1238503 In the Linux kernel, the following vulnerability has been resolved: tpm: Change to kvalloc() in eventlog/acpi.c The following failure was reported on HPE ProLiant D320: [ 10.693310][ T1] tpm_tis STM0925:00: 2.0 TPM (device-id 0x3, rev-id 0) [ 10.848132][ T1] ------------[ cut here ]------------ [ 10.853559][ T1] WARNING: CPU: 59 PID: 1 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x2ca/0x330 [ 10.862827][ T1] Modules linked in: [ 10.866671][ T1] CPU: 59 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-lp155.2.g52785e2-default #1 openSUSE Tumbleweed (unreleased) 588cd98293a7c9eba9013378d807364c088c9375 [ 10.882741][ T1] Hardware name: HPE ProLiant DL320 Gen12/ProLiant DL320 Gen12, BIOS 1.20 10/28/2024 [ 10.892170][ T1] RIP: 0010:__alloc_pages_noprof+0x2ca/0x330 [ 10.898103][ T1] Code: 24 08 e9 4a fe ff ff e8 34 36 fa ff e9 88 fe ff ff 83 fe 0a 0f 86 b3 fd ff ff 80 3d 01 e7 ce 01 00 75 09 c6 05 f8 e6 ce 01 01 <0f> 0b 45 31 ff e9 e5 fe ff ff f7 c2 00 00 08 00 75 42 89 d9 80 e1 [ 10.917750][ T1] RSP: 0000:ffffb7cf40077980 EFLAGS: 00010246 [ 10.923777][ T1] RAX: 0000000000000000 RBX: 0000000000040cc0 RCX: 0000000000000000 [ 10.931727][ T1] RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000040cc0 The above transcript shows that ACPI pointed a 16 MiB buffer for the log events because RSI maps to the 'order' parameter of __alloc_pages_noprof(). Address the bug by moving from devm_kmalloc() to devm_add_action() and kvmalloc() and devm_add_action(). CVE-2024-58005 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58005.html CVE-2024-58005 https://bugzilla.suse.com/1237873 SUSE Bug 1237873 In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update inbound map address") set_bar() was modified to support dynamically changing the backing physical address of a BAR that was already configured. This means that set_bar() can be called twice, without ever calling clear_bar() (as calling clear_bar() would clear the BAR's PCI address assigned by the host). This can only be done if the new BAR size/flags does not differ from the existing BAR configuration. Add these missing checks. If we allow set_bar() to set e.g. a new BAR size that differs from the existing BAR size, the new address translation range will be smaller than the BAR size already determined by the host, which would mean that a read past the new BAR size would pass the iATU untranslated, which could allow the host to read memory not belonging to the new struct pci_epf_bar. While at it, add comments which clarifies the support for dynamically changing the physical address of a BAR. (Which was also missing.) CVE-2024-58006 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58006.html CVE-2024-58006 https://bugzilla.suse.com/1238772 SUSE Bug 1238772 In the Linux kernel, the following vulnerability has been resolved: soc: qcom: socinfo: Avoid out of bounds read of serial number On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always: db410c:/sys/devices/soc0$ cat serial_number 2644893864 The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not have support for the serial_num field in the socinfo struct. There is an existing check to avoid exposing the serial number in that case, but it's not correct: When checking the item_size returned by SMEM, we need to make sure the *end* of the serial_num is within bounds, instead of comparing with the *start* offset. The serial_number currently exposed on MSM8916 devices is just an out of bounds read of whatever comes after the socinfo struct in SMEM. Fix this by changing offsetof() to offsetofend(), so that the size of the field is also taken into account. CVE-2024-58007 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58007.html CVE-2024-58007 https://bugzilla.suse.com/1238511 SUSE Bug 1238511 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc A NULL sock pointer is passed into l2cap_sock_alloc() when it is called from l2cap_sock_new_connection_cb() and the error handling paths should also be aware of it. Seemingly a more elegant solution would be to swap bt_sock_alloc() and l2cap_chan_create() calls since they are not interdependent to that moment but then l2cap_chan_create() adds the soon to be deallocated and still dummy-initialized channel to the global list accessible by many L2CAP paths. The channel would be removed from the list in short period of time but be a bit more straight-forward here and just check for NULL instead of changing the order of function calls. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool. CVE-2024-58009 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58009.html CVE-2024-58009 https://bugzilla.suse.com/1238760 SUSE Bug 1238760 In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Check for adev == NULL Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs. Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer(). CVE-2024-58011 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58011.html CVE-2024-58011 https://bugzilla.suse.com/1239080 SUSE Bug 1239080 In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params Each cpu DAI should associate with a widget. However, the topology might not create the right number of DAI widgets for aggregated amps. And it will cause NULL pointer deference. Check that the DAI widget associated with the CPU DAI is valid to prevent NULL pointer deference due to missing DAI widgets in topologies with aggregated amps. CVE-2024-58012 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58012.html CVE-2024-58012 https://bugzilla.suse.com/1239104 SUSE Bug 1239104 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961 CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 16026: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296 remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568 hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 sock_write_iter+0x2d7/0x3f0 net/socket.c:1147 new_sync_write fs/read_write.c:586 [inline] vfs_write+0xaeb/0xd30 fs/read_write.c:679 ksys_write+0x18f/0x2b0 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 16022: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2338 [inline] slab_free mm/slub.c:4598 [inline] kfree+0x196/0x420 mm/slub.c:4746 mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259 __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550 hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline] hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508 sock_do_ioctl+0x158/0x460 net/socket.c:1209 sock_ioctl+0x626/0x8e0 net/socket.c:1328 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2024-58013 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58013.html CVE-2024-58013 https://bugzilla.suse.com/1239095 SUSE Bug 1239095 https://bugzilla.suse.com/1239096 SUSE Bug 1239096 In the Linux kernel, the following vulnerability has been resolved: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN() instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2024-58014 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58014.html CVE-2024-58014 https://bugzilla.suse.com/1239109 SUSE Bug 1239109 https://bugzilla.suse.com/1239110 SUSE Bug 1239110 In the Linux kernel, the following vulnerability has been resolved: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which leads to undefined behavior. To prevent this, cast 1 to u32 before performing the shift, ensuring well-defined behavior. This change explicitly avoids any potential overflow by ensuring that the shift occurs on an unsigned 32-bit integer. CVE-2024-58017 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58017.html CVE-2024-58017 https://bugzilla.suse.com/1239112 SUSE Bug 1239112 In the Linux kernel, the following vulnerability has been resolved: nvkm/gsp: correctly advance the read pointer of GSP message queue A GSP event message consists three parts: message header, RPC header, message body. GSP calculates the number of pages to write from the total size of a GSP message. This behavior can be observed from the movement of the write pointer. However, nvkm takes only the size of RPC header and message body as the message size when advancing the read pointer. When handling a two-page GSP message in the non rollback case, It wrongly takes the message body of the previous message as the message header of the next message. As the "message length" tends to be zero, in the calculation of size needs to be copied (0 - size of (message header)), the size needs to be copied will be "0xffffffxx". It also triggers a kernel panic due to a NULL pointer error. [ 547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00 ........@....... [ 547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ [ 547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ................ [ 547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ [ 547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0 [ 547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0 [ 547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 547.669485] #PF: supervisor read access in kernel mode [ 547.674624] #PF: error_code(0x0000) - not-present page [ 547.679755] PGD 0 P4D 0 [ 547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G E 6.9.0-rc6+ #1 [ 547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022 [ 547.702626] Workqueue: events r535_gsp_msgq_work [nvkm] [ 547.707921] RIP: 0010:r535_gsp_msg_recv+0x87/0x230 [nvkm] [ 547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 <8b> 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05 [ 547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203 [ 547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f [ 547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010 [ 547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0 [ 547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000 [ 547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000 [ 547.772958] FS: 0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000 [ 547.781035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0 [ 547.793896] PKRU: 55555554 [ 547.796600] Call Trace: [ 547.799046] <TASK> [ 547.801152] ? __die+0x20/0x70 [ 547.804211] ? page_fault_oops+0x75/0x170 [ 547.808221] ? print_hex_dump+0x100/0x160 [ 547.812226] ? exc_page_fault+0x64/0x150 [ 547.816152] ? asm_exc_page_fault+0x22/0x30 [ 547.820341] ? r535_gsp_msg_recv+0x87/0x230 [nvkm] [ 547.825184] r535_gsp_msgq_work+0x42/0x50 [nvkm] [ 547.829845] process_one_work+0x196/0x3d0 [ 547.833861] worker_thread+0x2fc/0x410 [ 547.837613] ? __pfx_worker_thread+0x10/0x10 [ 547.841885] kthread+0xdf/0x110 [ 547.845031] ? __pfx_kthread+0x10/0x10 [ 547.848775] ret_from_fork+0x30/0x50 [ 547.852354] ? __pfx_kthread+0x10/0x10 [ 547.856097] ret_from_fork_asm+0x1a/0x30 [ 547.860019] </TASK> [ 547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd ---truncated--- CVE-2024-58019 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58019.html CVE-2024-58019 https://bugzilla.suse.com/1238997 SUSE Bug 1238997 In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Add NULL check in mt_input_configured devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt_input_configured() is not checked. Add NULL check in mt_input_configured(), to handle kernel NULL pointer dereference error. CVE-2024-58020 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58020.html CVE-2024-58020 https://bugzilla.suse.com/1239346 SUSE Bug 1239346 In the Linux kernel, the following vulnerability has been resolved: memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() As of_find_node_by_name() release the reference of the argument device node, tegra_emc_find_node_by_ram_code() releases some device nodes while still in use, resulting in possible UAFs. According to the bindings and the in-tree DTS files, the "emc-tables" node is always device's child node with the property "nvidia,use-ram-code", and the "lpddr2" node is a child of the "emc-tables" node. Thus utilize the for_each_child_of_node() macro and of_get_child_by_name() instead of of_find_node_by_name() to simplify the code. This bug was found by an experimental verification tool that I am developing. [krzysztof: applied v1, adjust the commit msg to incorporate v2 parts] CVE-2024-58034 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58034.html CVE-2024-58034 https://bugzilla.suse.com/1238773 SUSE Bug 1238773 In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: Add check devm_kasprintf() returned value devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. CVE-2024-58051 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58051.html CVE-2024-58051 https://bugzilla.suse.com/1238963 SUSE Bug 1238963 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table The function atomctrl_get_smc_sclk_range_table() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve SMU_Info table, it returns NULL which is later dereferenced. Found by Linux Verification Center (linuxtesting.org) with SVACE. In practice this should never happen as this code only gets called on polaris chips and the vbios data table will always be present on those chips. CVE-2024-58052 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58052.html CVE-2024-58052 https://bugzilla.suse.com/1238986 SUSE Bug 1238986 In the Linux kernel, the following vulnerability has been resolved: staging: media: max96712: fix kernel oops when removing module The following kernel oops is thrown when trying to remove the max96712 module: Unable to handle kernel paging request at virtual address 00007375746174db Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000 [00007375746174db] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2 imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse [last unloaded: imx8_isi] CPU: 0 UID: 0 PID: 754 Comm: rmmod Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17 Tainted: [C]=CRAP Hardware name: NXP i.MX95 19X19 board (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : led_put+0x1c/0x40 lr : v4l2_subdev_put_privacy_led+0x48/0x58 sp : ffff80008699bbb0 x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8 x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000 x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1 x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473 Call trace: led_put+0x1c/0x40 v4l2_subdev_put_privacy_led+0x48/0x58 v4l2_async_unregister_subdev+0x2c/0x1a4 max96712_remove+0x1c/0x38 [max96712] i2c_device_remove+0x2c/0x9c device_remove+0x4c/0x80 device_release_driver_internal+0x1cc/0x228 driver_detach+0x4c/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 i2c_del_driver+0x54/0x64 max96712_i2c_driver_exit+0x18/0x1d0 [max96712] __arm64_sys_delete_module+0x1a4/0x290 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xd8 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400) ---[ end trace 0000000000000000 ]--- This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata() is called again and the data is overwritten to point to sd, instead of priv. So, in remove(), the wrong pointer is passed to v4l2_async_unregister_subdev(), leading to a crash. CVE-2024-58054 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58054.html CVE-2024-58054 https://bugzilla.suse.com/1238975 SUSE Bug 1238975 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Don't free command immediately Don't prematurely free the command. Wait for the status completion of the sense status. It can be freed then. Otherwise we will double-free the command. CVE-2024-58055 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58055.html CVE-2024-58055 https://bugzilla.suse.com/1238959 SUSE Bug 1238959 In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Fix ida_free call while not allocated In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called. In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been initialized to 0. ida_free() is called reporting a warning: [ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [ 4.188854] ida_free called for id=0 which is not allocated. [ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [ 4.231481] Hardware name: STM32 (Device Tree Support) [ 4.236627] Workqueue: events_unbound deferred_probe_work_func [ 4.242504] Call trace: [ 4.242522] unwind_backtrace from show_stack+0x10/0x14 [ 4.250218] show_stack from dump_stack_lvl+0x50/0x64 [ 4.255274] dump_stack_lvl from __warn+0x80/0x12c [ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188 [ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164 [ 4.270565] ida_free from rproc_type_release+0x38/0x60 [ 4.275832] rproc_type_release from device_release+0x30/0xa0 [ 4.281601] device_release from kobject_put+0xc4/0x294 [ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c [ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set. CVE-2024-58056 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58056.html CVE-2024-58056 https://bugzilla.suse.com/1238981 SUSE Bug 1238981 In the Linux kernel, the following vulnerability has been resolved: idpf: convert workqueues to unbound When a workqueue is created with `WQ_UNBOUND`, its work items are served by special worker-pools, whose host workers are not bound to any specific CPU. In the default configuration (i.e. when `queue_delayed_work` and friends do not specify which CPU to run the work item on), `WQ_UNBOUND` allows the work item to be executed on any CPU in the same node of the CPU it was enqueued on. While this solution potentially sacrifices locality, it avoids contention with other processes that might dominate the CPU time of the processor the work item was scheduled on. This is not just a theoretical problem: in a particular scenario misconfigured process was hogging most of the time from CPU0, leaving less than 0.5% of its CPU time to the kworker. The IDPF workqueues that were using the kworker on CPU0 suffered large completion delays as a result, causing performance degradation, timeouts and eventual system crash. * I have also run a manual test to gauge the performance improvement. The test consists of an antagonist process (`./stress --cpu 2`) consuming as much of CPU 0 as possible. This process is run under `taskset 01` to bind it to CPU0, and its priority is changed with `chrt -pQ 9900 10000 ${pid}` and `renice -n -20 ${pid}` after start. Then, the IDPF driver is forced to prefer CPU0 by editing all calls to `queue_delayed_work`, `mod_delayed_work`, etc... to use CPU 0. Finally, `ktraces` for the workqueue events are collected. Without the current patch, the antagonist process can force arbitrary delays between `workqueue_queue_work` and `workqueue_execute_start`, that in my tests were as high as `30ms`. With the current patch applied, the workqueue can be migrated to another unloaded CPU in the same node, and, keeping everything else equal, the maximum delay I could see was `6us`. CVE-2024-58057 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58057.html CVE-2024-58057 https://bugzilla.suse.com/1238969 SUSE Bug 1238969 In the Linux kernel, the following vulnerability has been resolved: ubifs: skip dumping tnc tree when zroot is null Clearing slab cache will free all znode in memory and make c->zroot.znode = NULL, then dumping tnc tree will access c->zroot.znode which cause null pointer dereference. CVE-2024-58058 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58058.html CVE-2024-58058 https://bugzilla.suse.com/1238979 SUSE Bug 1238979 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: prohibit deactivating all links In the internal API this calls this is a WARN_ON, but that should remain since internally we want to know about bugs that may cause this. Prevent deactivating all links in the debugfs write directly. CVE-2024-58061 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58061.html CVE-2024-58061 https://bugzilla.suse.com/1238973 SUSE Bug 1238973 In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: fix memory leaks and invalid access at probe error path Deinitialize at reverse order when probe fails. When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue. And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked. Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f ("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory"). CVE-2024-58063 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58063.html CVE-2024-58063 https://bugzilla.suse.com/1238984 SUSE Bug 1238984 In the Linux kernel, the following vulnerability has been resolved: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read The nvmem interface supports variable buffer sizes, while the regmap interface operates with fixed-size storage. If an nvmem client uses a buffer size less than 4 bytes, regmap_read will write out of bounds as it expects the buffer to point at an unsigned int. Fix this by using an intermediary unsigned int to hold the value. CVE-2024-58069 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58069.html CVE-2024-58069 https://bugzilla.suse.com/1238978 SUSE Bug 1238978 In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: remove unused check_buddy_priv Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global list of private data structures. Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07") started adding the private data to that list at probe time and added a hook, check_buddy_priv to find the private data from a similar device. However, that function was never used. Besides, though there is a lock for that list, it is never used. And when the probe fails, the private data is never removed from the list. This would cause a second probe to access freed memory. Remove the unused hook, structures and members, which will prevent the potential race condition on the list and its corruption during a second probe when probe fails. CVE-2024-58072 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58072.html CVE-2024-58072 https://bugzilla.suse.com/1238964 SUSE Bug 1238964 In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gcc-sm6350: Add missing parent_map for two clocks If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for two clocks where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together. CVE-2024-58076 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58076.html CVE-2024-58076 https://bugzilla.suse.com/1239037 SUSE Bug 1239037 In the Linux kernel, the following vulnerability has been resolved: misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors misc_minor_alloc was allocating id using ida for minor only in case of MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids using ida_free causing a mismatch and following warn: > > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f > > ida_free called for id=127 which is not allocated. > > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ... > > [<60941eb4>] ida_free+0x3e0/0x41f > > [<605ac993>] misc_minor_free+0x3e/0xbc > > [<605acb82>] misc_deregister+0x171/0x1b3 misc_minor_alloc is changed to allocate id from ida for all minors falling in the range of dynamic/ misc dynamic minors CVE-2024-58078 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58078.html CVE-2024-58078 https://bugzilla.suse.com/1239034 SUSE Bug 1239034 In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix crash during unbind if gpio unit is in use We used the wrong device for the device managed functions. We used the usb device, when we should be using the interface device. If we unbind the driver from the usb interface, the cleanup functions are never called. In our case, the IRQ is never disabled. If an IRQ is triggered, it will try to access memory sections that are already free, causing an OOPS. We cannot use the function devm_request_threaded_irq here. The devm_* clean functions may be called after the main structure is released by uvc_delete. Luckily this bug has small impact, as it is only affected by devices with gpio units and the user has to unbind the device, a disconnect will not trigger this error. CVE-2024-58079 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58079.html CVE-2024-58079 https://bugzilla.suse.com/1239029 SUSE Bug 1239029 In the Linux kernel, the following vulnerability has been resolved: clk: qcom: dispcc-sm6350: Add missing parent_map for a clock If a clk_rcg2 has a parent, it should also have parent_map defined, otherwise we'll get a NULL pointer dereference when calling clk_set_rate like the following: [ 3.388105] Call trace: [ 3.390664] qcom_find_src_index+0x3c/0x70 (P) [ 3.395301] qcom_find_src_index+0x1c/0x70 (L) [ 3.399934] _freq_tbl_determine_rate+0x48/0x100 [ 3.404753] clk_rcg2_determine_rate+0x1c/0x28 [ 3.409387] clk_core_determine_round_nolock+0x58/0xe4 [ 3.421414] clk_core_round_rate_nolock+0x48/0xfc [ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc [ 3.444483] clk_core_set_rate_nolock+0x8c/0x300 [ 3.455886] clk_set_rate+0x38/0x14c Add the parent_map property for the clock where it's missing and also un-inline the parent_data as well to keep the matching parent_map and parent_data together. CVE-2024-58080 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58080.html CVE-2024-58080 https://bugzilla.suse.com/1239027 SUSE Bug 1239027 In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race. CVE-2024-58083 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58083.html CVE-2024-58083 https://bugzilla.suse.com/1239036 SUSE Bug 1239036 In the Linux kernel, the following vulnerability has been resolved: tomoyo: don't emit warning in tomoyo_write_control() syzbot is reporting too large allocation warning at tomoyo_write_control(), for one can write a very very long line without new line character. To fix this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE, for practically a valid line should be always shorter than 32KB where the "too small to fail" memory-allocation rule applies. One might try to write a valid line that is longer than 32KB, but such request will likely fail with -ENOMEM. Therefore, I feel that separately returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant. There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE. CVE-2024-58085 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58085.html CVE-2024-58085 https://bugzilla.suse.com/1239085 SUSE Bug 1239085 In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Stop active perfmon if it is being destroyed If the active performance monitor (`v3d->active_perfmon`) is being destroyed, stop it first. Currently, the active perfmon is not stopped during destruction, leaving the `v3d->active_perfmon` pointer stale. This can lead to undefined behavior and instability. This patch ensures that the active perfmon is stopped before being destroyed, aligning with the behavior introduced in commit 7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed"). CVE-2024-58086 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2024-58086.html CVE-2024-58086 https://bugzilla.suse.com/1239038 SUSE Bug 1239038 In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Our syzkaller report a following UAF for v6.6: BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726 CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 hlist_add_head include/linux/list.h:1023 [inline] bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230 __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567 ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947 ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182 ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660 ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569 iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91 iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051 ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811 __do_sys_ioctl fs/ioctl.c:869 [inline] __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Allocated by task 232719: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:768 [inline] slab_alloc_node mm/slub.c:3492 [inline] kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537 bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869 bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776 bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143 __submit_bio+0xa0/0x6b0 block/blk-core.c:639 __submit_bio_noacct_mq block/blk-core.c:718 [inline] submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847 __ext4_read_bh fs/ext4/super.c:205 [inline] ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217 ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242 ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958 __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671 ext4_lookup_entry fs/ext4/namei.c:1774 [inline] ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842 ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839 __lookup_slow+0x257/0x480 fs/namei.c:1696 lookup_slow fs/namei.c:1713 [inline] walk_component+0x454/0x5c0 fs/namei.c:2004 link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331 link_path_walk fs/namei.c:3826 [inline] path_openat+0x1b9/0x520 fs/namei.c:3826 do_filp_open+0x1b7/0x400 fs/namei.c:3857 do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428 do_sys_open fs/open.c:1443 [inline] __do_sys_openat fs/open.c:1459 [inline] __se_sys_openat fs/open.c:1454 [inline] __x64_sys_openat+0x148/0x200 fs/open.c:1454 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_6 ---truncated--- CVE-2025-21631 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21631.html CVE-2025-21631 https://bugzilla.suse.com/1236099 SUSE Bug 1236099 https://bugzilla.suse.com/1236100 SUSE Bug 1236100 In the Linux kernel, the following vulnerability has been resolved: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The per-netns structure can be obtained from the table->data using container_of(), then the 'net' one can be retrieved from the listen socket (if available). CVE-2025-21635 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21635.html CVE-2025-21635 https://bugzilla.suse.com/1236111 SUSE Bug 1236111 In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is used. CVE-2025-21636 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21636.html CVE-2025-21636 https://bugzilla.suse.com/1236113 SUSE Bug 1236113 In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: udp_port: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. CVE-2025-21637 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21637.html CVE-2025-21637 https://bugzilla.suse.com/1236114 SUSE Bug 1236114 In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: auth_enable: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure. CVE-2025-21638 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21638.html CVE-2025-21638 https://bugzilla.suse.com/1236115 SUSE Bug 1236115 In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: rto_min/max: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used. CVE-2025-21639 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21639.html CVE-2025-21639 https://bugzilla.suse.com/1236122 SUSE Bug 1236122 In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2). The 'net' structure can be obtained from the table->data using container_of(). Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is used. CVE-2025-21640 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21640.html CVE-2025-21640 https://bugzilla.suse.com/1236123 SUSE Bug 1236123 In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error). As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the ost load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour. CVE-2025-21647 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21647.html CVE-2025-21647 https://bugzilla.suse.com/1236133 SUSE Bug 1236133 https://bugzilla.suse.com/1236134 SUSE Bug 1236134 In the Linux kernel, the following vulnerability has been resolved: netdev: prevent accessing NAPI instances from another namespace The NAPI IDs were not fully exposed to user space prior to the netlink API, so they were never namespaced. The netlink API must ensure that at the very least NAPI instance belongs to the same netns as the owner of the genl sock. napi_by_id() can become static now, but it needs to move because of dev_get_by_napi_id(). CVE-2025-21659 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21659.html CVE-2025-21659 https://bugzilla.suse.com/1236206 SUSE Bug 1236206 https://bugzilla.suse.com/1236207 SUSE Bug 1236207 In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. CVE-2025-21665 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21665.html CVE-2025-21665 https://bugzilla.suse.com/1236684 SUSE Bug 1236684 In the Linux kernel, the following vulnerability has been resolved: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't. Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning. This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems. CVE-2025-21666 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21666.html CVE-2025-21666 https://bugzilla.suse.com/1236680 SUSE Bug 1236680 In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem. CVE-2025-21667 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21667.html CVE-2025-21667 https://bugzilla.suse.com/1236681 SUSE Bug 1236681 In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: add missing loop break condition Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs. pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x90 sp : ffffffc084f8bbf0 x29: ffffffc084f8bbf0 x28: ffffff80daf32ac0 x27: 0000000000000000 x26: ffffffc081658d78 x25: 0000000000000001 x24: ffffffc08201b028 x23: ffffff80d0db9490 x22: ffffffc082340a78 x21: 00000000000005b0 x20: ffffff80d19bc180 x19: 000000000000000a x18: ffffffffffffffff x17: ffffffc080a39e08 x16: ffffffc080a39c98 x15: 4f435f464f006c72 x14: 0000000000000004 x13: ffffff80d0172110 x12: 0000000000000000 x11: ffffff80d0537740 x10: ffffff80d05376c0 x9 : ffffffc0808ed2d8 x8 : ffffffc084f8bab0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff80d19b9420 x4 : fffffffe03466e60 x3 : 0000000080800077 x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: dev_pm_domain_detach+0x8/0x48 platform_shutdown+0x2c/0x48 device_shutdown+0x158/0x268 kernel_restart_prepare+0x40/0x58 kernel_kexec+0x58/0xe8 __do_sys_reboot+0x198/0x258 __arm64_sys_reboot+0x2c/0x40 invoke_syscall+0x5c/0x138 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 Code: 8128c2d0 ffffffc0 aa1e03e9 d503201f CVE-2025-21668 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21668.html CVE-2025-21668 https://bugzilla.suse.com/1236682 SUSE Bug 1236682 In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: discard packets if the transport changes If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport. A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference. CVE-2025-21669 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21669.html CVE-2025-21669 https://bugzilla.suse.com/1236683 SUSE Bug 1236683 In the Linux kernel, the following vulnerability has been resolved: vsock/bpf: return early if transport is not assigned Some of the core functions can only be called if the transport has been assigned. As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace: BUG: kernel NULL pointer dereference, address: 00000000000000a0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+ RIP: 0010:vsock_connectible_has_data+0x1f/0x40 Call Trace: vsock_bpf_recvmsg+0xca/0x5e0 sock_recvmsg+0xb9/0xc0 __sys_recvfrom+0xb3/0x130 __x64_sys_recvfrom+0x20/0x30 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e So we need to check the `vsk->transport` in vsock_bpf_recvmsg(), especially for connected sockets (stream/seqpacket) as we already do in __vsock_connectible_recvmsg(). CVE-2025-21670 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21670.html CVE-2025-21670 https://bugzilla.suse.com/1236685 SUSE Bug 1236685 In the Linux kernel, the following vulnerability has been resolved: zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device. CVE-2025-21671 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21671.html CVE-2025-21671 https://bugzilla.suse.com/1236692 SUSE Bug 1236692 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK> CVE-2025-21673 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21673.html CVE-2025-21673 https://bugzilla.suse.com/1236689 SUSE Bug 1236689 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clear port select structure when fail to create Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash: mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 1 mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 0 mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)] CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] sp : ffff800085fafb00 x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 Call trace: mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core] mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core] mlx5_activate_lag+0x60c/0x6f8 [mlx5_core] mlx5_do_bond_work+0x284/0x5c8 [mlx5_core] process_one_work+0x170/0x3e0 worker_thread+0x2d8/0x3e0 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) ---[ end trace 0000000000000000 ]--- CVE-2025-21675 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21675.html CVE-2025-21675 https://bugzilla.suse.com/1236694 SUSE Bug 1236694 In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn ip netns del ns1 Let's link the device to the socket's netns instead. Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns. [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1558) udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423) gtp_create_sockets (drivers/net/gtp.c:1447) gtp_newlink (drivers/net/gtp.c:1507) rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) netlink_rcv_skb (net/netlink/af_netlink.c:2542) netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) netlink_sendmsg (net/netlink/af_netlink.c:1891) ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) ___sys_sendmsg (net/socket.c:2639) __sys_sendmsg (net/socket.c:2669) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn (kernel/panic.c:748) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:285) ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) ? kfree (mm/slub.c:4613 mm/slub.c:4761) net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391 ---truncated--- CVE-2025-21678 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21678.html CVE-2025-21678 https://bugzilla.suse.com/1236698 SUSE Bug 1236698 In the Linux kernel, the following vulnerability has been resolved: pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. [ fp: allow to fill the array completely; minor changelog cleanup ] CVE-2025-21680 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21680.html CVE-2025-21680 https://bugzilla.suse.com/1236700 SUSE Bug 1236700 https://bugzilla.suse.com/1236701 SUSE Bug 1236701 In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real_num_tx_queues' goes to zero and the 'while (unlikely(hash >= qcount))' loop inside the 'skb_tx_hash' becomes infinite, locking up the core forever. But unfortunately, checking just the carrier status is not enough to fix the issue, because some devices may still be in unregistering state while reporting carrier status OK. One example of such device is a net/dummy. It sets carrier ON on start, but it doesn't implement .ndo_stop to set the carrier off. And it makes sense, because dummy doesn't really have a carrier. Therefore, while this device is unregistering, it's still easy to hit the infinite loop in the skb_tx_hash() from the OVS datapath. There might be other drivers that do the same, but dummy by itself is important for the OVS ecosystem, because it is frequently used as a packet sink for tcpdump while debugging OVS deployments. And when the issue is hit, the only way to recover is to reboot. Fix that by also checking if the device is running. The running state is handled by the net core during unregistering, so it covers unregistering case better, and we don't really need to send packets to devices that are not running anyway. While only checking the running state might be enough, the carrier check is preserved. The running and the carrier states seem disjoined throughout the code and different drivers. And other core functions like __dev_direct_xmit() check both before attempting to transmit a packet. So, it seems safer to check both flags in OVS as well. CVE-2025-21681 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21681.html CVE-2025-21681 https://bugzilla.suse.com/1236702 SUSE Bug 1236702 In the Linux kernel, the following vulnerability has been resolved: gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context ] [ 5.357361] 6.13.0-rc5+ #69 Tainted: G W [ 5.363031] ----------------------------- [ 5.367045] kworker/u17:1/44 is trying to lock: [ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.380079] other info that might help us debug this: [ 5.385138] context-{5:5} [ 5.387762] 5 locks held by kworker/u17:1/44: [ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) [ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) [ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) [ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) [ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) [ 5.436472] stack backtrace: [ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 [ 5.448690] Tainted: [W]=WARN [ 5.451656] Hardware name: xlnx,zynqmp (DT) [ 5.455845] Workqueue: events_unbound deferred_probe_work_func [ 5.461699] Call trace: [ 5.464147] show_stack+0x18/0x24 C [ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) [ 5.471501] dump_stack (lib/dump_stack.c:130) [ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) [ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) [ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) [ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) [ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) [ 5.497645] irq_startup (kernel/irq/chip.c:270) [ 5.501143] __setup_irq (kernel/irq/manage.c:1807) [ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208) CVE-2025-21684 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21684.html CVE-2025-21684 https://bugzilla.suse.com/1236952 SUSE Bug 1236952 In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device. CVE-2025-21687 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21687.html CVE-2025-21687 https://bugzilla.suse.com/1237045 SUSE Bug 1237045 https://bugzilla.suse.com/1237046 SUSE Bug 1237046 In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Assign job pointer to NULL before signaling the fence In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer. This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash. [ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 466.318928] Mem abort info: [ 466.321723] ESR = 0x0000000096000005 [ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits [ 466.330807] SET = 0, FnV = 0 [ 466.333864] EA = 0, S1PTW = 0 [ 466.337010] FSC = 0x05: level 1 translation fault [ 466.341900] Data abort info: [ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000 [ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6 [ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18 [ 466.467336] Tainted: [C]=CRAP [ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d] [ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228 [ 466.492327] sp : ffffffc080003ea0 [ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000 [ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200 [ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000 [ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000 [ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000 [ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0 [ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70 [ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000 [ 466.567263] Call trace: [ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P) [ 466. ---truncated--- CVE-2025-21688 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21688.html CVE-2025-21688 https://bugzilla.suse.com/1237007 SUSE Bug 1237007 In the Linux kernel, the following vulnerability has been resolved: USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() This patch addresses a null-ptr-deref in qt2_process_read_urb() due to an incorrect bounds check in the following: if (newport > serial->num_ports) { dev_err(&port->dev, "%s - port change to invalid port: %i\n", __func__, newport); break; } The condition doesn't account for the valid range of the serial->port buffer, which is from 0 to serial->num_ports - 1. When newport is equal to serial->num_ports, the assignment of "port" in the following code is out-of-bounds and NULL: serial_priv->current_port = newport; port = serial->port[serial_priv->current_port]; The fix checks if newport is greater than or equal to serial->num_ports indicating it is out-of-bounds. CVE-2025-21689 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21689.html CVE-2025-21689 https://bugzilla.suse.com/1237017 SUSE Bug 1237017 In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Ratelimit warning logs to prevent VM denial of service If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. CVE-2025-21690 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21690.html CVE-2025-21690 https://bugzilla.suse.com/1237025 SUSE Bug 1237025 In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]--- CVE-2025-21692 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21692.html CVE-2025-21692 https://bugzilla.suse.com/1237028 SUSE Bug 1237028 https://bugzilla.suse.com/1237048 SUSE Bug 1237048 In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU. If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp). The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed. Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU. The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression. Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2]. Alternative fixes that were considered/attempted and could have worked: - Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined. - Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues. [1]https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/ [2]https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/ [3]https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/ [yosryahmed@google.com: remove comment] CVE-2025-21693 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21693.html CVE-2025-21693 https://bugzilla.suse.com/1237029 SUSE Bug 1237029 https://bugzilla.suse.com/1237047 SUSE Bug 1237047 In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Ensure job pointer is set to NULL after job completion After a job completes, the corresponding pointer in the device must be set to NULL. Failing to do so triggers a warning when unloading the driver, as it appears the job is still active. To prevent this, assign the job pointer to NULL after completing the job, indicating the job has finished. CVE-2025-21697 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21697.html CVE-2025-21697 https://bugzilla.suse.com/1237132 SUSE Bug 1237132 In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two. CVE-2025-21699 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21699.html CVE-2025-21699 https://bugzilla.suse.com/1237139 SUSE Bug 1237139 In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com> CVE-2025-21700 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21700.html CVE-2025-21700 https://bugzilla.suse.com/1237159 SUSE Bug 1237159 In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CPU: 3 UID: 0 PID: 3754 Comm: ethtool Not tainted 6.13.0-rc6+ #771 RIP: 0010:__mutex_lock+0xc8a/0x1120 Call Trace: <TASK> ethtool_check_max_channel+0x1ea/0x880 ethnl_set_channels+0x3c3/0xb10 ethnl_default_set_doit+0x306/0x650 genl_family_rcv_msg_doit+0x1e3/0x2c0 genl_rcv_msg+0x432/0x6f0 netlink_rcv_skb+0x13d/0x3b0 genl_rcv+0x28/0x40 netlink_unicast+0x42e/0x720 netlink_sendmsg+0x765/0xc20 __sys_sendto+0x3ac/0x420 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x95/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because unregister_netdevice_many_notify might run before the rtnl lock section of ethnl operations, eg. set_channels in the above example. In this example the rss lock would be destroyed by the device unregistration path before being used again, but in general running ethnl operations while dismantle has started is not a good idea. Fix this by denying any operation on devices being unregistered. A check was already there in ethnl_ops_begin, but not wide enough. Note that the same issue cannot be seen on the ioctl version (__dev_ethtool) because the device reference is retrieved from within the rtnl lock section there. Once dismantle started, the net device is unlisted and no reference will be found. CVE-2025-21701 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21701.html CVE-2025-21701 https://bugzilla.suse.com/1237164 SUSE Bug 1237164 In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list. CVE-2025-21703 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21703.html CVE-2025-21703 https://bugzilla.suse.com/1237313 SUSE Bug 1237313 In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications"). A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces. CVE-2025-21704 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21704.html CVE-2025-21704 https://bugzilla.suse.com/1237571 SUSE Bug 1237571 In the Linux kernel, the following vulnerability has been resolved: mptcp: handle fastopen disconnect correctly Syzbot was able to trigger a data stream corruption: WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Modules linked in: CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07 RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293 RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928 R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000 R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000 FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074 mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493 release_sock+0x1aa/0x1f0 net/core/sock.c:3640 inet_wait_for_connect net/ipv4/af_inet.c:609 [inline] __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6e86ebfe69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69 RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508 </TASK> The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors. Address the issue increasing the socket disconnect counter even on such a case, to allow other threads waiting on the same socket lock to properly error out. CVE-2025-21705 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21705.html CVE-2025-21705 https://bugzilla.suse.com/1238525 SUSE Bug 1238525 In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only set fullmesh for subflow endp With the in-kernel path-manager, it is possible to change the 'fullmesh' flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on 'subflow' endpoints, to recreate more or less subflows using the linked address. Unfortunately, the set_flags() hook was a bit more permissive, and allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not allowed before. That's what syzbot found, triggering the following warning: WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Modules linked in: CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48 RSP: 0018:ffffc9000d307240 EFLAGS: 00010293 RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0 R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5fe8785d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29 RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007 RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000 ---truncated--- CVE-2025-21706 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21706.html CVE-2025-21706 https://bugzilla.suse.com/1238528 SUSE Bug 1238528 In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: enable basic endpoint checking Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below. For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testing control one is not essential) to mitigate the issue with a view to do other related cosmetic changes later, if they are necessary. [1] Syzkaller report: usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 2586 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 driv> Modules linked in: CPU: 1 UID: 0 PID: 2586 Comm: dhcpcd Not tainted 6.11.0-rc4-syzkaller-00069-gfc88bb11617> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Code: 84 3c 02 00 00 e8 05 e4 fc fc 4c 89 ef e8 fd 25 d7 fe 45 89 e0 89 e9 4c 89 f2 48 8> RSP: 0018:ffffc9000441f740 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888112487a00 RCX: ffffffff811a99a9 RDX: ffff88810df6ba80 RSI: ffffffff811a99b6 RDI: 0000000000000001 RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001 R13: ffff8881023bf0a8 R14: ffff888112452a20 R15: ffff888112487a7c FS: 00007fc04eea5740(0000) GS:ffff8881f6300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0a1de9f870 CR3: 000000010dbd0000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> rtl8150_open+0x300/0xe30 drivers/net/usb/rtl8150.c:733 __dev_open+0x2d4/0x4e0 net/core/dev.c:1474 __dev_change_flags+0x561/0x720 net/core/dev.c:8838 dev_change_flags+0x8f/0x160 net/core/dev.c:8910 devinet_ioctl+0x127a/0x1f10 net/ipv4/devinet.c:1177 inet_ioctl+0x3aa/0x3f0 net/ipv4/af_inet.c:1003 sock_do_ioctl+0x116/0x280 net/socket.c:1222 sock_ioctl+0x22e/0x6c0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc04ef73d49 ... This change has not been tested on real hardware. CVE-2025-21708 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21708.html CVE-2025-21708 https://bugzilla.suse.com/1239087 SUSE Bug 1239087 In the Linux kernel, the following vulnerability has been resolved: net/rose: prevent integer overflows in rose_setsockopt() In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur. Do the safest minimum and fix these issues by checking the contents of 'opt' and returning -EINVAL if they are too large. Also, switch to unsigned int and remove useless check for negative 'opt' in ROSE_IDLE case. CVE-2025-21711 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21711.html CVE-2025-21711 https://bugzilla.suse.com/1239114 SUSE Bug 1239114 In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP use after free Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr. Without this change, we could try to invalidate this mr twice, which in turn could result in queuing a MR work destroy twice, and eventually the second work could execute after the MR was freed due to the first work, causing a user after free and trace below. refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130 Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs] CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib] RIP: 0010:refcount_warn_saturate+0x12b/0x130 Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027 RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0 RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019 R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00 R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0 FS: 0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0x12b/0x130 free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib] process_one_work+0x1cc/0x3c0 worker_thread+0x218/0x3c0 kthread+0xc6/0xf0 ret_from_fork+0x1f/0x30 </TASK> CVE-2025-21714 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21714.html CVE-2025-21714 https://bugzilla.suse.com/1237890 SUSE Bug 1237890 In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. This is similar to the issue fixed in commit ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). This bug is detected by our static analysis tool. CVE-2025-21715 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21715.html CVE-2025-21715 https://bugzilla.suse.com/1237889 SUSE Bug 1237889 In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix uninit-value in vxlan_vnifilter_dump() KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1]. If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access. Fix this by returning an error in such situations. [1] BUG: KMSAN: uninit-value in vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 vxlan_vnifilter_dump+0x328/0x920 drivers/net/vxlan/vxlan_vnifilter.c:422 rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6786 netlink_dump+0x93e/0x15f0 net/netlink/af_netlink.c:2317 __netlink_dump_start+0x716/0xd60 net/netlink/af_netlink.c:2432 netlink_dump_start include/linux/netlink.h:340 [inline] rtnetlink_dump_start net/core/rtnetlink.c:6815 [inline] rtnetlink_rcv_msg+0x1256/0x14a0 net/core/rtnetlink.c:6882 netlink_rcv_skb+0x467/0x660 net/netlink/af_netlink.c:2542 rtnetlink_rcv+0x35/0x40 net/core/rtnetlink.c:6944 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0xed6/0x1290 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x1092/0x1230 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4110 [inline] slab_alloc_node mm/slub.c:4153 [inline] kmem_cache_alloc_node_noprof+0x800/0xe80 mm/slub.c:4205 kmalloc_reserve+0x13b/0x4b0 net/core/skbuff.c:587 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:678 alloc_skb include/linux/skbuff.h:1323 [inline] netlink_alloc_large_skb+0xa5/0x280 net/netlink/af_netlink.c:1196 netlink_sendmsg+0xac9/0x1230 net/netlink/af_netlink.c:1866 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:726 ____sys_sendmsg+0x7f4/0xb50 net/socket.c:2583 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2637 __sys_sendmsg net/socket.c:2669 [inline] __do_sys_sendmsg net/socket.c:2674 [inline] __se_sys_sendmsg net/socket.c:2672 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2672 x64_sys_call+0x3878/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 30991 Comm: syz.4.10630 Not tainted 6.12.0-10694-gc44daa7e3c73 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 CVE-2025-21716 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21716.html CVE-2025-21716 https://bugzilla.suse.com/1237891 SUSE Bug 1237891 In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed. BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 call_timer_fn+0x187/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430 run_timer_base kernel/time/timer.c:2439 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 </IRQ> CVE-2025-21718 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21718.html CVE-2025-21718 https://bugzilla.suse.com/1239073 SUSE Bug 1239073 https://bugzilla.suse.com/1239074 SUSE Bug 1239074 In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg net/socket.c:1055 [inline] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708 CVE-2025-21719 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21719.html CVE-2025-21719 https://bugzilla.suse.com/1238860 SUSE Bug 1238860 In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix possible crash when setting up bsg fails If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash: BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace: <TASK> mpi3mr_bsg_exit+0x1f/0x50 [mpi3mr] mpi3mr_remove+0x6f/0x340 [mpi3mr] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x19d/0x220 unbind_store+0xa4/0xb0 kernfs_fop_write_iter+0x11f/0x200 vfs_write+0x1fc/0x3e0 ksys_write+0x67/0xe0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x78/0xe2 CVE-2025-21723 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21723.html CVE-2025-21723 https://bugzilla.suse.com/1238864 SUSE Bug 1238864 In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type. CVE-2025-21724 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21724.html CVE-2025-21724 https://bugzilla.suse.com/1238863 SUSE Bug 1238863 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to unset link speed It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:cifs_debug_data_proc_show+0xa45/0x1460 [cifs] Code: 00 00 48 89 df e8 3b cd 1b c1 41 f6 44 24 2c 04 0f 84 50 01 00 00 48 89 ef e8 e7 d0 1b c1 49 8b 44 24 18 31 d2 49 8d 7c 24 28 <48> f7 74 24 18 48 89 c3 e8 6e cf 1b c1 41 8b 6c 24 28 49 8d 7c 24 RSP: 0018:ffffc90001817be0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811230022c RCX: ffffffffc041bd99 RDX: 0000000000000000 RSI: 0000000000000567 RDI: ffff888112300228 RBP: ffff888112300218 R08: fffff52000302f5f R09: ffffed1022fa58ac R10: ffff888117d2c566 R11: 00000000fffffffe R12: ffff888112300200 R13: 000000012a15343f R14: 0000000000000001 R15: ffff888113f2db58 FS: 00007fe27119e740(0000) GS:ffff888148600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe2633c5000 CR3: 0000000124da0000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? die+0x2e/0x50 ? do_trap+0x159/0x1b0 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? do_error_trap+0x90/0x130 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? exc_divide_error+0x39/0x50 ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? asm_exc_divide_error+0x1a/0x20 ? cifs_debug_data_proc_show+0xa39/0x1460 [cifs] ? cifs_debug_data_proc_show+0xa45/0x1460 [cifs] ? seq_read_iter+0x42e/0x790 seq_read_iter+0x19a/0x790 proc_reg_read_iter+0xbe/0x110 ? __pfx_proc_reg_read_iter+0x10/0x10 vfs_read+0x469/0x570 ? do_user_addr_fault+0x398/0x760 ? __pfx_vfs_read+0x10/0x10 ? find_held_lock+0x8a/0xa0 ? __pfx_lock_release+0x10/0x10 ksys_read+0xd3/0x170 ? __pfx_ksys_read+0x10/0x10 ? __rcu_read_unlock+0x50/0x270 ? mark_held_locks+0x1a/0x90 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe271288911 Code: 00 48 8b 15 01 25 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d b5 a7 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007ffe87c079d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007fe271288911 RDX: 0000000000040000 RSI: 00007fe2633c6000 RDI: 0000000000000003 RBP: 00007ffe87c07a00 R08: 0000000000000000 R09: 00007fe2713e6380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007fe2633c6000 R14: 0000000000000003 R15: 0000000000000000 </TASK> Fix this by setting cifs_server_iface::speed to a sane value (1Gbps) by default when link speed is unset. CVE-2025-21725 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21725.html CVE-2025-21725 https://bugzilla.suse.com/1238877 SUSE Bug 1238877 In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... } padata_do_serial // new request added list_add // sees the new request queue_work(reorder_work) padata_reorder queue_work_on(squeue->work) ... <kworker context> padata_serial_worker // completes new request, // no more outstanding // requests crypto_del_alg // free pd <kworker context> invoke_padata_reorder // UAF of pd To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish. CVE-2025-21726 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21726.html CVE-2025-21726 https://bugzilla.suse.com/1238865 SUSE Bug 1238865 https://bugzilla.suse.com/1240837 SUSE Bug 1240837 In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/ CVE-2025-21727 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21727.html CVE-2025-21727 https://bugzilla.suse.com/1237876 SUSE Bug 1237876 In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`. CVE-2025-21728 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21728.html CVE-2025-21728 https://bugzilla.suse.com/1237879 SUSE Bug 1237879 In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail. CVE-2025-21731 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21731.html CVE-2025-21731 https://bugzilla.suse.com/1237881 SUSE Bug 1237881 In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error This patch addresses a race condition for an ODP MR that can result in a CQE with an error on the UMR QP. During the __mlx5_ib_dereg_mr() flow, the following sequence of calls occurs: mlx5_revoke_mr() mlx5r_umr_revoke_mr() mlx5r_umr_post_send_wait() At this point, the lkey is freed from the hardware's perspective. However, concurrently, mlx5_ib_invalidate_range() might be triggered by another task attempting to invalidate a range for the same freed lkey. This task will: - Acquire the umem_odp->umem_mutex lock. - Call mlx5r_umr_update_xlt() on the UMR QP. - Since the lkey has already been freed, this can lead to a CQE error, causing the UMR QP to enter an error state [1]. To resolve this race condition, the umem_odp->umem_mutex lock is now also acquired as part of the mlx5_revoke_mr() scope. Upon successful revoke, we set umem_odp->private which points to that MR to NULL, preventing any further invalidation attempts on its lkey. [1] From dmesg: infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2 WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib] Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib] [..] Call Trace: <TASK> mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib] mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib] __mmu_notifier_invalidate_range_start+0x1e1/0x240 zap_page_range_single+0xf1/0x1a0 madvise_vma_behavior+0x677/0x6e0 do_madvise+0x1a2/0x4b0 __x64_sys_madvise+0x25/0x30 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21732 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21732.html CVE-2025-21732 https://bugzilla.suse.com/1237877 SUSE Bug 1237877 In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix resetting of tracepoints If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD disabled, but then that option is enabled and timerlat is removed, the tracepoints that were enabled on timerlat registration do not get disabled. If the option is disabled again and timelat is started, then it triggers a warning in the tracepoint code due to registering the tracepoint again without ever disabling it. Do not use the same user space defined options to know to disable the tracepoints when timerlat is removed. Instead, set a global flag when it is enabled and use that flag to know to disable the events. ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo nop > /sys/kernel/tracing/current_tracer ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer Triggers: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0 Modules linked in: CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:tracepoint_add_func+0x3b6/0x3f0 Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202 RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410 RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002 R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001 R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008 FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __warn.cold+0xb7/0x14d ? tracepoint_add_func+0x3b6/0x3f0 ? report_bug+0xea/0x170 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? tracepoint_add_func+0x3b6/0x3f0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? __pfx_trace_sched_migrate_callback+0x10/0x10 tracepoint_probe_register+0x78/0xb0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 osnoise_workload_start+0x2b5/0x370 timerlat_tracer_init+0x76/0x1b0 tracing_set_tracer+0x244/0x400 tracing_set_trace_write+0xa0/0xe0 vfs_write+0xfc/0x570 ? do_sys_openat2+0x9c/0xe0 ksys_write+0x72/0xf0 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21733 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21733.html CVE-2025-21733 https://bugzilla.suse.com/1238494 SUSE Bug 1238494 In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix copy buffer page size For non-registered buffer, fastrpc driver copies the buffer and pass it to the remote subsystem. There is a problem with current implementation of page size calculation which is not considering the offset in the calculation. This might lead to passing of improper and out-of-bounds page size which could result in memory issue. Calculate page start and page end using the offset adjusted address instead of absolute address. CVE-2025-21734 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21734.html CVE-2025-21734 https://bugzilla.suse.com/1238734 SUSE Bug 1238734 In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate(). CVE-2025-21735 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21735.html CVE-2025-21735 https://bugzilla.suse.com/1238497 SUSE Bug 1238497 In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix possible int overflows in nilfs_fiemap() Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result by being prepared to go through potentially maxblocks == INT_MAX blocks, the value in n may experience an overflow caused by left shift of blkbits. While it is extremely unlikely to occur, play it safe and cast right hand expression to wider type to mitigate the issue. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. CVE-2025-21736 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21736.html CVE-2025-21736 https://bugzilla.suse.com/1238715 SUSE Bug 1238715 In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer. CVE-2025-21738 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21738.html CVE-2025-21738 https://bugzilla.suse.com/1238917 SUSE Bug 1238917 In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation: Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way: * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after) * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup CVE-2025-21739 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21739.html CVE-2025-21739 https://bugzilla.suse.com/1238506 SUSE Bug 1238506 In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header. CVE-2025-21741 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21741.html CVE-2025-21741 https://bugzilla.suse.com/1238767 SUSE Bug 1238767 In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read. On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format. This, along with NCM-specific minimal URB length check that already exists, will ensure that the fixed-length part of NDP16 plus a set amount of DPEs fit within the URB. Note that this commit alone does not fully address the OoB read. The limit on the amount of DPEs needs to be enforced separately. CVE-2025-21742 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21742.html CVE-2025-21742 https://bugzilla.suse.com/1238771 SUSE Bug 1238771 In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow if wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB read. Move the wDatagramIndex term to the other side of the inequality. An existing condition ensures that wDatagramIndex < urb->actual_length. CVE-2025-21743 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21743.html CVE-2025-21743 https://bugzilla.suse.com/1238781 SUSE Bug 1238781 In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs. The following sequence deletes the interface: brcmf_detach() brcmf_remove_interface() brcmf_del_if() Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches. After brcmf_remove_interface() call the brcmf_proto_detach() function is called providing the following sequence: brcmf_detach() brcmf_proto_detach() brcmf_proto_msgbuf_detach() brcmf_flowring_detach() brcmf_msgbuf_delete_flowring() brcmf_msgbuf_remove_flowring() brcmf_flowring_delete() brcmf_get_ifp() brcmf_txfinalize() Since brcmf_get_ip() can and actually will return NULL in this case the call to brcmf_txfinalize() will result in a NULL pointer dereference inside brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors. This will only happen if a flowring still has an skb. Although the NULL pointer dereference has only been seen when trying to update the tx statistic, all other uses of the ifp pointer have been guarded as well with an early return if ifp is NULL. CVE-2025-21744 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21744.html CVE-2025-21744 https://bugzilla.suse.com/1238903 SUSE Bug 1238903 In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount leakage blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with class_dev_iter_exit(). CVE-2025-21745 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21745.html CVE-2025-21745 https://bugzilla.suse.com/1238785 SUSE Bug 1238785 In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock the socket to avoid this issue. CVE-2025-21749 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21749.html CVE-2025-21749 https://bugzilla.suse.com/1238904 SUSE Bug 1238904 In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Check the return value of of_property_read_string_index() Somewhen between 6.10 and 6.11 the driver started to crash on my MacBookPro14,3. The property doesn't exist and 'tmp' remains uninitialized, so we pass a random pointer to devm_kstrdup(). The crash I am getting looks like this: BUG: unable to handle page fault for address: 00007f033c669379 PF: supervisor read access in kernel mode PF: error_code(0x0001) - permissions violation PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025 Oops: Oops: 0001 [#1] SMP PTI CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1 Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024 RIP: 0010:strlen+0x4/0x30 Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202 RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001 RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379 RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8 R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30 FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x149/0x4c0 ? raw_spin_rq_lock_nested+0xe/0x20 ? sched_balance_newidle+0x22b/0x3c0 ? update_load_avg+0x78/0x770 ? exc_page_fault+0x6f/0x150 ? asm_exc_page_fault+0x26/0x30 ? __pfx_pci_conf1_write+0x10/0x10 ? strlen+0x4/0x30 devm_kstrdup+0x25/0x70 brcmf_of_probe+0x273/0x350 [brcmfmac] CVE-2025-21750 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21750.html CVE-2025-21750 https://bugzilla.suse.com/1238905 SUSE Bug 1238905 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when attempting to join an aborted transaction When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fs_info->trans_lock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free. Fix this by reading the 'aborted' field while holding fs_info->trans_lock since any freeing task must first acquire that lock and set fs_info->running_transaction to NULL before freeing the transaction. This was reported by syzbot and Dmitry with the following stack traces from KASAN: ================================================================== BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128 CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound btrfs_async_reclaim_data_space Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5315: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 lookup_open fs/namei.c:3649 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_creat fs/open.c:1495 [inline] __se_sys_creat fs/open.c:1489 [inline] __x64_sys_creat+0x123/0x170 fs/open.c:1489 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5336: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 cleanup_transaction fs/btrfs/transaction.c:2063 [inline] btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 btrfs_balance+0x992/ ---truncated--- CVE-2025-21753 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21753.html CVE-2025-21753 https://bugzilla.suse.com/1237875 SUSE Bug 1237875 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion failure when splitting ordered extent after transaction abort If while we are doing a direct IO write a transaction abort happens, we mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done at btrfs_destroy_ordered_extents()), and then after that if we enter btrfs_split_ordered_extent() and the ordered extent has bytes left (meaning we have a bio that doesn't cover the whole ordered extent, see details at btrfs_extract_ordered_extent()), we will fail on the following assertion at btrfs_split_ordered_extent(): ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS)); because the BTRFS_ORDERED_IOERR flag is set and the definition of BTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the type of write (regular, nocow, prealloc, compressed, direct IO, encoded). Fix this by returning an error from btrfs_extract_ordered_extent() if we find the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will be the error that resulted in the transaction abort or -EIO if no transaction abort happened. This was recently reported by syzbot with the following trace: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 fail_dump lib/fault-inject.c:53 [inline] should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154 should_failslab+0xac/0x100 mm/failslab.c:46 slab_pre_alloc_hook mm/slub.c:4072 [inline] slab_alloc_node mm/slub.c:4148 [inline] __do_kmalloc_node mm/slub.c:4297 [inline] __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742 reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292 check_system_chunk fs/btrfs/block-group.c:4319 [inline] do_chunk_alloc fs/btrfs/block-group.c:3891 [inline] btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187 find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline] find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579 btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672 btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline] btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321 btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525 iomap_iter+0x697/0xf60 fs/iomap/iter.c:90 __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702 btrfs_dio_write fs/btrfs/direct-io.c:775 [inline] btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880 btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397 do_iter_readv_writev+0x600/0x880 vfs_writev+0x376/0xba0 fs/read_write.c:1050 do_pwritev fs/read_write.c:1146 [inline] __do_sys_pwritev2 fs/read_write.c:1204 [inline] __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f1281f85d29 RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29 RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003 R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002 R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328 </TASK> BTRFS error (device loop0 state A): Transaction aborted (error -12) BTRFS: error (device loop0 state A ---truncated--- CVE-2025-21754 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21754.html CVE-2025-21754 https://bugzilla.suse.com/1238496 SUSE Bug 1238496 In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-21756 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21756.html CVE-2025-21756 https://bugzilla.suse.com/1238876 SUSE Bug 1238876 In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: extend RCU protection in igmp6_send() igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection. CVE-2025-21759 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21759.html CVE-2025-21759 https://bugzilla.suse.com/1238738 SUSE Bug 1238738 In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF. CVE-2025-21760 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21760.html CVE-2025-21760 https://bugzilla.suse.com/1238763 SUSE Bug 1238763 In the Linux kernel, the following vulnerability has been resolved: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ovs_vport_cmd_fill_info() can be called without RTNL or RCU. Use RCU protection and dev_net_rcu() to avoid potential UAF. CVE-2025-21761 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21761.html CVE-2025-21761 https://bugzilla.suse.com/1238775 SUSE Bug 1238775 In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. CVE-2025-21762 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21762.html CVE-2025-21762 https://bugzilla.suse.com/1238780 SUSE Bug 1238780 In the Linux kernel, the following vulnerability has been resolved: neighbour: use RCU protection in __neigh_notify() __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. CVE-2025-21763 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21763.html CVE-2025-21763 https://bugzilla.suse.com/1237897 SUSE Bug 1237897 In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF. CVE-2025-21764 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21764.html CVE-2025-21764 https://bugzilla.suse.com/1237885 SUSE Bug 1237885 In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU protection in ip6_default_advmss() ip6_default_advmss() needs rcu protection to make sure the net structure it reads does not disappear. CVE-2025-21765 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21765.html CVE-2025-21765 https://bugzilla.suse.com/1237906 SUSE Bug 1237906 In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. CVE-2025-21766 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21766.html CVE-2025-21766 https://bugzilla.suse.com/1238754 SUSE Bug 1238754 In the Linux kernel, the following vulnerability has been resolved: clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context The following bug report happened with a PREEMPT_RT kernel: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 get_random_u32+0x4f/0x110 clocksource_verify_choose_cpus+0xab/0x1a0 clocksource_verify_percpu.part.0+0x6b/0x330 clocksource_watchdog_kthread+0x193/0x1a0 It is due to the fact that clocksource_verify_choose_cpus() is invoked with preemption disabled. This function invokes get_random_u32() to obtain random numbers for choosing CPUs. The batched_entropy_32 local lock and/or the base_crng.lock spinlock in driver/char/random.c will be acquired during the call. In PREEMPT_RT kernel, they are both sleeping locks and so cannot be acquired in atomic context. Fix this problem by using migrate_disable() to allow smp_processor_id() to be reliably used without introducing atomic context. preempt_disable() is then called after clocksource_verify_choose_cpus() but before the clocksource measurement is being run to avoid introducing unexpected latency. CVE-2025-21767 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21767.html CVE-2025-21767 https://bugzilla.suse.com/1238509 SUSE Bug 1238509 In the Linux kernel, the following vulnerability has been resolved: partitions: mac: fix handling of bogus partition table Fix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory. - We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp(). CVE-2025-21772 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21772.html CVE-2025-21772 https://bugzilla.suse.com/1238911 SUSE Bug 1238911 https://bugzilla.suse.com/1238912 SUSE Bug 1238912 In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: fix potential NULL pointer dereference on udev->serial The driver assumed that es58x_dev->udev->serial could never be NULL. While this is true on commercially available devices, an attacker could spoof the device identity providing a NULL USB serial number. That would trigger a NULL pointer dereference. Add a check on es58x_dev->udev->serial before accessing it. CVE-2025-21773 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21773.html CVE-2025-21773 https://bugzilla.suse.com/1238762 SUSE Bug 1238762 In the Linux kernel, the following vulnerability has been resolved: can: ctucanfd: handle skb allocation failure If skb allocation fails, the pointer to struct can_frame is NULL. This is actually handled everywhere inside ctucan_err_interrupt() except for the only place. Add the missed NULL check. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool. CVE-2025-21775 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21775.html CVE-2025-21775 https://bugzilla.suse.com/1238501 SUSE Bug 1238501 In the Linux kernel, the following vulnerability has been resolved: USB: hub: Ignore non-compliant devices with too many configs or interfaces Robert Morris created a test program which can cause usb_hub_to_struct_hub() to dereference a NULL or inappropriate pointer: Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110 ... Call Trace: <TASK> ? die_addr+0x31/0x80 ? exc_general_protection+0x1b4/0x3c0 ? asm_exc_general_protection+0x26/0x30 ? usb_hub_adjust_deviceremovable+0x78/0x110 hub_probe+0x7c7/0xab0 usb_probe_interface+0x14b/0x350 really_probe+0xd0/0x2d0 ? __pfx___device_attach_driver+0x10/0x10 __driver_probe_device+0x6e/0x110 driver_probe_device+0x1a/0x90 __device_attach_driver+0x7e/0xc0 bus_for_each_drv+0x7f/0xd0 __device_attach+0xaa/0x1a0 bus_probe_device+0x8b/0xa0 device_add+0x62e/0x810 usb_set_configuration+0x65d/0x990 usb_generic_driver_probe+0x4b/0x70 usb_probe_device+0x36/0xd0 The cause of this error is that the device has two interfaces, and the hub driver binds to interface 1 instead of interface 0, which is where usb_hub_to_struct_hub() looks. We can prevent the problem from occurring by refusing to accept hub devices that violate the USB spec by having more than one configuration or interface. CVE-2025-21776 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21776.html CVE-2025-21776 https://bugzilla.suse.com/1238909 SUSE Bug 1238909 In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local API is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't rely on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID. Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if Hyper-V enlightenments are exposed to the guest without an in-kernel local APIC: dump_stack+0xbe/0xfd __kasan_report.cold+0x34/0x84 kasan_report+0x3a/0x50 __apic_accept_irq+0x3a/0x5c0 kvm_hv_send_ipi.isra.0+0x34e/0x820 kvm_hv_hypercall+0x8d9/0x9d0 kvm_emulate_hypercall+0x506/0x7e0 __vmx_handle_exit+0x283/0xb60 vmx_handle_exit+0x1d/0xd0 vcpu_enter_guest+0x16b0/0x24c0 vcpu_run+0xc0/0x550 kvm_arch_vcpu_ioctl_run+0x170/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscal1_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode can't be modified after vCPUs are created, i.e. if one vCPU has an in-kernel local APIC, then all vCPUs have an in-kernel local APIC. CVE-2025-21779 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21779.html CVE-2025-21779 https://bugzilla.suse.com/1238768 SUSE Bug 1238768 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() It malicious user provides a small pptable through sysfs and then a bigger pptable, it may cause buffer overflow attack in function smu_sys_set_pp_table(). CVE-2025-21780 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21780.html CVE-2025-21780 https://bugzilla.suse.com/1239115 SUSE Bug 1239115 https://bugzilla.suse.com/1239116 SUSE Bug 1239116 In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix panic during interface removal Reference counting is used to ensure that batadv_hardif_neigh_node and batadv_hard_iface are not freed before/during batadv_v_elp_throughput_metric_update work is finished. But there isn't a guarantee that the hard if will remain associated with a soft interface up until the work is finished. This fixes a crash triggered by reboot that looks like this: Call trace: batadv_v_mesh_free+0xd0/0x4dc [batman_adv] batadv_v_elp_throughput_metric_update+0x1c/0xa4 process_one_work+0x178/0x398 worker_thread+0x2e8/0x4d0 kthread+0xd8/0xdc ret_from_fork+0x10/0x20 (the batadv_v_mesh_free call is misleading, and does not actually happen) I was able to make the issue happen more reliably by changing hardif_neigh->bat_v.metric_work work to be delayed work. This allowed me to track down and confirm the fix. [sven@narfation.org: prevent entering batadv_v_elp_get_throughput without soft_iface] CVE-2025-21781 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21781.html CVE-2025-21781 https://bugzilla.suse.com/1238735 SUSE Bug 1238735 In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch. CVE-2025-21782 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21782.html CVE-2025-21782 https://bugzilla.suse.com/1239117 SUSE Bug 1239117 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() In function psp_init_cap_microcode(), it should bail out when failed to load firmware, otherwise it may cause invalid memory access. CVE-2025-21784 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21784.html CVE-2025-21784 https://bugzilla.suse.com/1238510 SUSE Bug 1238510 In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). CVE-2025-21785 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21785.html CVE-2025-21785 https://bugzilla.suse.com/1238747 SUSE Bug 1238747 https://bugzilla.suse.com/1240745 SUSE Bug 1240745 In the Linux kernel, the following vulnerability has been resolved: vxlan: check vxlan_vnigroup_init() return value vxlan_init() must check vxlan_vnigroup_init() success otherwise a crash happens later, spotted by syzbot. Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167] CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912 Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00 RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18 RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000 R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000 FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942 unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824 unregister_netdevice_many net/core/dev.c:11866 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736 register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901 __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981 vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407 rtnl_newlink_create net/core/rtnetlink.c:3795 [inline] __rtnl_newlink net/core/rtnetlink.c:3906 [inline] CVE-2025-21790 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21790.html CVE-2025-21790 https://bugzilla.suse.com/1238753 SUSE Bug 1238753 In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. CVE-2025-21791 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21791.html CVE-2025-21791 https://bugzilla.suse.com/1238512 SUSE Bug 1238512 https://bugzilla.suse.com/1240744 SUSE Bug 1240744 In the Linux kernel, the following vulnerability has been resolved: spi: sn-f-ospi: Fix division by zero When there is no dummy cycle in the spi-nor commands, both dummy bus cycle bytes and width are zero. Because of the cpu's warning when divided by zero, the warning should be avoided. Return just zero to avoid such calculations. CVE-2025-21793 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21793.html CVE-2025-21793 https://bugzilla.suse.com/1238500 SUSE Bug 1238500 In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad CVE-2025-21794 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21794.html CVE-2025-21794 https://bugzilla.suse.com/1238502 SUSE Bug 1238502 In the Linux kernel, the following vulnerability has been resolved: NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to send the callback. This causes nfsd4_shutdown_callback to hang since cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP notifies NFSD that the connection was dropped. This patch modifies nfsd4_run_cb_work to skip the RPC call if nfs4_client is in courtesy state. CVE-2025-21795 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21795.html CVE-2025-21795 https://bugzilla.suse.com/1238759 SUSE Bug 1238759 In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0xb5/0x170 Modules linked in: CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted 6.12.0-rc6-00079-g04ae226af01f-dirty #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb5/0x170 Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75 e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb cd 0f b6 1d 8a3 RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380 RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56 R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001 R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0 FS: 0000000000000000(0000) GS:ffff88871ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0xb5/0x170 ? __warn+0xa5/0x140 ? refcount_warn_saturate+0xb5/0x170 ? report_bug+0x1b1/0x1e0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? tick_nohz_tick_stopped+0x1e/0x40 ? refcount_warn_saturate+0xb5/0x170 ? refcount_warn_saturate+0xb5/0x170 nfs3svc_release_getacl+0xc9/0xe0 svc_process_common+0x5db/0xb60 ? __pfx_svc_process_common+0x10/0x10 ? __rcu_read_unlock+0x69/0xa0 ? __pfx_nfsd_dispatch+0x10/0x10 ? svc_xprt_received+0xa1/0x120 ? xdr_init_decode+0x11d/0x190 svc_process+0x2a7/0x330 svc_handle_xprt+0x69d/0x940 svc_recv+0x180/0x2d0 nfsd+0x168/0x200 ? __pfx_nfsd+0x10/0x10 kthread+0x1a2/0x1e0 ? kthread+0xf4/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... Clear acl_access/acl_default after posix_acl_release is called to prevent UAF from being triggered. CVE-2025-21796 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21796.html CVE-2025-21796 https://bugzilla.suse.com/1238716 SUSE Bug 1238716 In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is valid. There is no issue at probe time but at runtime user can invoke .set_channels which results in the following call chain. am65_cpsw_set_channels() am65_cpsw_nuss_update_tx_rx_chns() am65_cpsw_nuss_remove_tx_chns() am65_cpsw_nuss_init_tx_chns() At this point if am65_cpsw_nuss_init_tx_chns() fails due to k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a negative value. Then, at subsequent .set_channels with higher channel count we will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() leading to a kernel warning. The issue is present in the original commit that introduced this driver, although there, am65_cpsw_nuss_update_tx_rx_chns() existed as am65_cpsw_nuss_update_tx_chns(). CVE-2025-21799 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21799.html CVE-2025-21799 https://bugzilla.suse.com/1238739 SUSE Bug 1238739 In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock. To fixes it, introduce a new mutex to protect the unload process. CVE-2025-21802 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21802.html CVE-2025-21802 https://bugzilla.suse.com/1238751 SUSE Bug 1238751 In the Linux kernel, the following vulnerability has been resolved: PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() macro to request a needed resource. A string variable that lives on the stack is then used to store a dynamically computed resource name, which is then passed on as one of the macro arguments. This can lead to undefined behavior. Depending on the current contents of the memory, the manifestations of errors may vary. One possible output may be as follows: $ cat /proc/iomem 30000000-37ffffff : 38000000-3fffffff : Sometimes, garbage may appear after the colon. In very rare cases, if no NULL-terminator is found in memory, the system might crash because the string iterator will overrun which can lead to access of unmapped memory above the stack. Thus, fix this by replacing outbound_name with the name of the previously requested resource. With the changes applied, the output will be as follows: $ cat /proc/iomem 30000000-37ffffff : memory2 38000000-3fffffff : memory3 [kwilczynski: commit log] CVE-2025-21804 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21804.html CVE-2025-21804 https://bugzilla.suse.com/1238736 SUSE Bug 1238736 In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next() There are a potential wild pointer dereferences issue regarding APIs class_dev_iter_(init|next|exit)(), as explained by below typical usage: // All members of @iter are wild pointers. struct class_dev_iter iter; // class_dev_iter_init(@iter, @class, ...) checks parameter @class for // potential class_to_subsys() error, and it returns void type and does // not initialize its output parameter @iter, so caller can not detect // the error and continues to invoke class_dev_iter_next(@iter) even if // @iter still contains wild pointers. class_dev_iter_init(&iter, ...); // Dereference these wild pointers in @iter here once suffer the error. while (dev = class_dev_iter_next(&iter)) { ... }; // Also dereference these wild pointers here. class_dev_iter_exit(&iter); Actually, all callers of these APIs have such usage pattern in kernel tree. Fix by: - Initialize output parameter @iter by memset() in class_dev_iter_init() and give callers prompt by pr_crit() for the error. - Check if @iter is valid in class_dev_iter_next(). CVE-2025-21810 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21810.html CVE-2025-21810 https://bugzilla.suse.com/1238757 SUSE Bug 1238757 In the Linux kernel, the following vulnerability has been resolved: mm/compaction: fix UBSAN shift-out-of-bounds warning syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order) in isolate_freepages_block(). The bogus compound_order can be any value because it is union with flags. Add back the MAX_PAGE_ORDER check to fix the warning. CVE-2025-21815 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21815.html CVE-2025-21815 https://bugzilla.suse.com/1238474 SUSE Bug 1238474 In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd/display: Use HW lock mgr for PSR1" This reverts commit a2b5a9956269 ("drm/amd/display: Use HW lock mgr for PSR1") Because it may cause system hang while connect with two edp panel. CVE-2025-21819 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21819.html CVE-2025-21819 https://bugzilla.suse.com/1238994 SUSE Bug 1238994 In the Linux kernel, the following vulnerability has been resolved: tty: xilinx_uartps: split sysrq handling lockdep detects the following circular locking dependency: CPU 0 CPU 1 ========================== ============================ cdns_uart_isr() printk() uart_port_lock(port) console_lock() cdns_uart_console_write() if (!port->sysrq) uart_port_lock(port) uart_handle_break() port->sysrq = ... uart_handle_sysrq_char() printk() console_lock() The fixed commit attempts to avoid this situation by only taking the port lock in cdns_uart_console_write if port->sysrq unset. However, if (as shown above) cdns_uart_console_write runs before port->sysrq is set, then it will try to take the port lock anyway. This may result in a deadlock. Fix this by splitting sysrq handling into two parts. We use the prepare helper under the port lock and defer handling until we release the lock. CVE-2025-21820 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21820.html CVE-2025-21820 https://bugzilla.suse.com/1238479 SUSE Bug 1238479 In the Linux kernel, the following vulnerability has been resolved: fbdev: omap: use threaded IRQ for LCD DMA When using touchscreen and framebuffer, Nokia 770 crashes easily with: BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000 Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2 Hardware name: Nokia 770 Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x54/0x5c dump_stack_lvl from __schedule_bug+0x50/0x70 __schedule_bug from __schedule+0x4d4/0x5bc __schedule from schedule+0x34/0xa0 schedule from schedule_preempt_disabled+0xc/0x10 schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4 __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4 clk_prepare_lock from clk_set_rate+0x18/0x154 clk_set_rate from sossi_read_data+0x4c/0x168 sossi_read_data from hwa742_read_reg+0x5c/0x8c hwa742_read_reg from send_frame_handler+0xfc/0x300 send_frame_handler from process_pending_requests+0x74/0xd0 process_pending_requests from lcd_dma_irq_handler+0x50/0x74 lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130 __handle_irq_event_percpu from handle_irq_event+0x28/0x68 handle_irq_event from handle_level_irq+0x9c/0x170 handle_level_irq from generic_handle_domain_irq+0x2c/0x3c generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c generic_handle_arch_irq from call_with_stack+0x1c/0x24 call_with_stack from __irq_svc+0x94/0xa8 Exception stack(0xc5255da0 to 0xc5255de8) 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94 5de0: 60000013 ffffffff __irq_svc from clk_prepare_lock+0x4c/0xe4 clk_prepare_lock from clk_get_rate+0x10/0x74 clk_get_rate from uwire_setup_transfer+0x40/0x180 uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664 spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498 __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8 __spi_sync from spi_sync+0x24/0x40 spi_sync from ads7846_halfd_read_state+0x5c/0x1c0 ads7846_halfd_read_state from ads7846_irq+0x58/0x348 ads7846_irq from irq_thread_fn+0x1c/0x78 irq_thread_fn from irq_thread+0x120/0x228 irq_thread from kthread+0xc8/0xe8 kthread from ret_from_fork+0x14/0x28 As a quick fix, switch to a threaded IRQ which provides a stable system. CVE-2025-21821 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21821.html CVE-2025-21821 https://bugzilla.suse.com/1239174 SUSE Bug 1239174 In the Linux kernel, the following vulnerability has been resolved: batman-adv: Drop unmanaged ELP metric worker The ELP worker needs to calculate new metric values for all neighbors "reachable" over an interface. Some of the used metric sources require locks which might need to sleep. This sleep is incompatible with the RCU list iterator used for the recorded neighbors. The initial approach to work around of this problem was to queue another work item per neighbor and then run this in a new context. Even when this solved the RCU vs might_sleep() conflict, it has a major problems: Nothing was stopping the work item in case it is not needed anymore - for example because one of the related interfaces was removed or the batman-adv module was unloaded - resulting in potential invalid memory accesses. Directly canceling the metric worker also has various problems: * cancel_work_sync for a to-be-deactivated interface is called with rtnl_lock held. But the code in the ELP metric worker also tries to use rtnl_lock() - which will never return in this case. This also means that cancel_work_sync would never return because it is waiting for the worker to finish. * iterating over the neighbor list for the to-be-deactivated interface is currently done using the RCU specific methods. Which means that it is possible to miss items when iterating over it without the associated spinlock - a behaviour which is acceptable for a periodic metric check but not for a cleanup routine (which must "stop" all still running workers) The better approch is to get rid of the per interface neighbor metric worker and handle everything in the interface worker. The original problems are solved by: * creating a list of neighbors which require new metric information inside the RCU protected context, gathering the metric according to the new list outside the RCU protected context * only use rcu_trylock inside metric gathering code to avoid a deadlock when the cancel_delayed_work_sync is called in the interface removal code (which is called with the rtnl_lock held) CVE-2025-21823 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21823.html CVE-2025-21823 https://bugzilla.suse.com/1238475 SUSE Bug 1238475 In the Linux kernel, the following vulnerability has been resolved: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in htab->extra_elems after alloc_htab_elem() returns. If freeing the old_element after the bucket lock is unlocked, the stashed element may be reused by concurrent update procedure and the freeing of old_element will run concurrently with the reuse of the old_element. However, the invocation of check_and_free_fields() may acquire a spin-lock which violates the lockdep rule because its caller has already held a raw-spin-lock (bucket lock). The following warning will be reported when such race happens: BUG: scheduling while atomic: test_progs/676/0x00000003 3 locks held by test_progs/676: #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830 #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500 #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0 Modules linked in: bpf_testmod(O) Preemption disabled at: [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500 CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11 Tainted: [W]=WARN, [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)... Call Trace: <TASK> dump_stack_lvl+0x57/0x70 dump_stack+0x10/0x20 __schedule_bug+0x120/0x170 __schedule+0x300c/0x4800 schedule_rtlock+0x37/0x60 rtlock_slowlock_locked+0x6d9/0x54c0 rt_spin_lock+0x168/0x230 hrtimer_cancel_wait_running+0xe9/0x1b0 hrtimer_cancel+0x24/0x30 bpf_timer_delete_work+0x1d/0x40 bpf_timer_cancel_and_free+0x5e/0x80 bpf_obj_free_fields+0x262/0x4a0 check_and_free_fields+0x1d0/0x280 htab_map_update_elem+0x7fc/0x1500 bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43 bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e bpf_prog_test_run_syscall+0x322/0x830 __sys_bpf+0x135d/0x3ca0 __x64_sys_bpf+0x75/0xb0 x64_sys_call+0x1b5/0xa10 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ... </TASK> It seems feasible to break the reuse and refill of per-cpu extra_elems into two independent parts: reuse the per-cpu extra_elems with bucket lock being held and refill the old_element as per-cpu extra_elems after the bucket lock is unlocked. However, it will make the concurrent overwrite procedures on the same CPU return unexpected -E2BIG error when the map is full. Therefore, the patch fixes the lock problem by breaking the cancelling of bpf_timer into two steps for PREEMPT_RT: 1) use hrtimer_try_to_cancel() and check its return value 2) if the timer is running, use hrtimer_cancel() through a kworker to cancel it again Considering that the current implementation of hrtimer_cancel() will try to acquire a being held softirq_expiry_lock when the current timer is running, these steps above are reasonable. However, it also has downside. When the timer is running, the cancelling of the timer is delayed when releasing the last map uref. The delay is also fixable (e.g., break the cancelling of bpf timer into two parts: one part in locked scope, another one in unlocked scope), it can be revised later if necessary. It is a bit hard to decide the right fix tag. One reason is that the problem depends on PREEMPT_RT which is enabled in v6.12. Considering the softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced in v5.15, the bpf_timer commit is used in the fixes tag and an extra depends-on tag is added to state the dependency on PREEMPT_RT. Depends-on: v6.12+ with PREEMPT_RT enabled CVE-2025-21825 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21825.html CVE-2025-21825 https://bugzilla.suse.com/1238971 SUSE Bug 1238971 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't flush non-uploaded STAs If STA state is pre-moved to AUTHORIZED (such as in IBSS scenarios) and insertion fails, the station is freed. In this case, the driver never knew about the station, so trying to flush it is unexpected and may crash. Check if the sta was uploaded to the driver before and fix this. CVE-2025-21828 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21828.html CVE-2025-21828 https://bugzilla.suse.com/1238958 SUSE Bug 1238958 In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" The Call Trace is as below: " <TASK> ? show_regs.cold+0x1a/0x1f ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? __warn+0x84/0xd0 ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? report_bug+0x105/0x180 ? handle_bug+0x46/0x80 ? exc_invalid_op+0x19/0x70 ? asm_exc_invalid_op+0x1b/0x20 ? __rxe_cleanup+0x12c/0x170 [rdma_rxe] ? __rxe_cleanup+0x124/0x170 [rdma_rxe] rxe_destroy_qp.cold+0x24/0x29 [rdma_rxe] ib_destroy_qp_user+0x118/0x190 [ib_core] rdma_destroy_qp.cold+0x43/0x5e [rdma_cm] rtrs_cq_qp_destroy.cold+0x1d/0x2b [rtrs_core] rtrs_srv_close_work.cold+0x1b/0x31 [rtrs_server] process_one_work+0x21d/0x3f0 worker_thread+0x4a/0x3c0 ? process_one_work+0x3f0/0x3f0 kthread+0xf0/0x120 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> " When too many rdma resources are allocated, rxe needs more time to handle these rdma resources. Sometimes with the current timeout, rxe can not release the rdma resources correctly. Compared with other rdma drivers, a bigger timeout is used. CVE-2025-21829 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21829.html CVE-2025-21829 https://bugzilla.suse.com/1239030 SUSE Bug 1239030 In the Linux kernel, the following vulnerability has been resolved: landlock: Handle weird files A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files. CVE-2025-21830 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21830.html CVE-2025-21830 https://bugzilla.suse.com/1239033 SUSE Bug 1239033 In the Linux kernel, the following vulnerability has been resolved: PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1 commit 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") sets the policy that all PCIe ports are allowed to use D3. When the system is suspended if the port is not power manageable by the platform and won't be used for wakeup via a PME this sets up the policy for these ports to go into D3hot. This policy generally makes sense from an OSPM perspective but it leads to problems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a specific old BIOS. This manifests as a system hang. On the affected Device + BIOS combination, add a quirk for the root port of the problematic controller to ensure that these root ports are not put into D3hot at suspend. This patch is based on https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com but with the added condition both in the documentation and in the code to apply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only the affected root ports. CVE-2025-21831 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21831.html CVE-2025-21831 https://bugzilla.suse.com/1239039 SUSE Bug 1239039 In the Linux kernel, the following vulnerability has been resolved: block: don't revert iter for -EIOCBQUEUED blkdev_read_iter() has a few odd checks, like gating the position and count adjustment on whether or not the result is bigger-than-or-equal to zero (where bigger than makes more sense), and not checking the return value of blkdev_direct_IO() before doing an iov_iter_revert(). The latter can lead to attempting to revert with a negative value, which when passed to iov_iter_revert() as an unsigned value will lead to throwing a WARN_ON() because unroll is bigger than MAX_RW_COUNT. Be sane and don't revert for -EIOCBQUEUED, like what is done in other spots. CVE-2025-21832 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21832.html CVE-2025-21832 https://bugzilla.suse.com/1239105 SUSE Bug 1239105 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths While the MIDI jacks are configured correctly, and the MIDIStreaming endpoint descriptors are filled with the correct information, bNumEmbMIDIJack and bLength are set incorrectly in these descriptors. This does not matter when the numbers of in and out ports are equal, but when they differ the host will receive broken descriptors with uninitialized stack memory leaking into the descriptor for whichever value is smaller. The precise meaning of "in" and "out" in the port counts is not clearly defined and can be confusing. But elsewhere the driver consistently uses this to match the USB meaning of IN and OUT viewed from the host, so that "in" ports send data to the host and "out" ports receive data from it. CVE-2025-21835 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21835.html CVE-2025-21835 https://bugzilla.suse.com/1239068 SUSE Bug 1239068 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: flush gadget workqueue after device removal device_del() can lead to new work being scheduled in gadget->work workqueue. This is observed, for example, with the dwc3 driver with the following call stack: device_del() gadget_unbind_driver() usb_gadget_disconnect_locked() dwc3_gadget_pullup() dwc3_gadget_soft_disconnect() usb_gadget_set_state() schedule_work(&gadget->work) Move flush_work() after device_del() to ensure the workqueue is cleaned up. CVE-2025-21838 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21838.html CVE-2025-21838 https://bugzilla.suse.com/1239065 SUSE Bug 1239065 In the Linux kernel, the following vulnerability has been resolved: smb: client: Add check for next_buffer in receive_encrypted_standard() Add check for the return value of cifs_buf_get() and cifs_small_buf_get() in receive_encrypted_standard() to prevent null pointer dereference. CVE-2025-21844 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21844.html CVE-2025-21844 https://bugzilla.suse.com/1239512 SUSE Bug 1239512 In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs. Reorganize the code so that the the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk. This api should stop to exist though. CVE-2025-21846 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21846.html CVE-2025-21846 https://bugzilla.suse.com/1239508 SUSE Bug 1239508 In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() The nullity of sps->cstream should be checked similarly as it is done in sof_set_stream_data_offset() function. Assuming that it is not NULL if sps->stream is NULL is incorrect and can lead to NULL pointer dereference. CVE-2025-21847 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21847.html CVE-2025-21847 https://bugzilla.suse.com/1239471 SUSE Bug 1239471 In the Linux kernel, the following vulnerability has been resolved: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference. CVE-2025-21848 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21848.html CVE-2025-21848 https://bugzilla.suse.com/1239479 SUSE Bug 1239479 In the Linux kernel, the following vulnerability has been resolved: nvmet: Fix crash when a namespace is disabled The namespace percpu counter protects pending I/O, and we can only safely diable the namespace once the counter drop to zero. Otherwise we end up with a crash when running blktests/nvme/058 (eg for loop transport): [ 2352.930426] [ T53909] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI [ 2352.930431] [ T53909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 2352.930434] [ T53909] CPU: 3 UID: 0 PID: 53909 Comm: kworker/u16:5 Tainted: G W 6.13.0-rc6 #232 [ 2352.930438] [ T53909] Tainted: [W]=WARN [ 2352.930440] [ T53909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 2352.930443] [ T53909] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] [ 2352.930449] [ T53909] RIP: 0010:blkcg_set_ioprio+0x44/0x180 as the queue is already torn down when calling submit_bio(); So we need to init the percpu counter in nvmet_ns_enable(), and wait for it to drop to zero in nvmet_ns_disable() to avoid having I/O pending after the namespace has been disabled. CVE-2025-21850 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21850.html CVE-2025-21850 https://bugzilla.suse.com/1239477 SUSE Bug 1239477 In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ================================================================== CVE-2025-21855 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21855.html CVE-2025-21855 https://bugzilla.suse.com/1239484 SUSE Bug 1239484 In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must be fixed. The current code directly frees the device after calling device_add() without waiting for other kernel parts to release their references. Thus, a reference could still be held to a struct device, e.g., by sysfs, leading to potential use-after-free issues if a proper release function is not set. CVE-2025-21856 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21856.html CVE-2025-21856 https://bugzilla.suse.com/1239486 SUSE Bug 1239486 In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: fix error handling causing NULL dereference tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which can return 1 if the allocation succeeded after wrapping. This was treated as an error, with value 1 returned to caller tcf_exts_init_ex() which sets exts->actions to NULL and returns 1 to caller fl_change(). fl_change() treats err == 1 as success, calling tcf_exts_validate_ex() which calls tcf_action_init() with exts->actions as argument, where it is dereferenced. Example trace: BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 114 PID: 16151 Comm: handler114 Kdump: loaded Not tainted 5.14.0-503.16.1.el9_5.x86_64 #1 RIP: 0010:tcf_action_init+0x1f8/0x2c0 Call Trace: tcf_action_init+0x1f8/0x2c0 tcf_exts_validate_ex+0x175/0x190 fl_change+0x537/0x1120 [cls_flower] CVE-2025-21857 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21857.html CVE-2025-21857 https://bugzilla.suse.com/1239478 SUSE Bug 1239478 In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed. However, its geneve_dev.next is still linked to the backend UDP socket netns. Then, use-after-free will occur when another geneve dev is created in the netns. Let's call geneve_dellink() instead in geneve_destroy_tunnels(). [0]: BUG: KASAN: slab-use-after-free in geneve_find_dev drivers/net/geneve.c:1295 [inline] BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441 CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379 geneve_find_dev drivers/net/geneve.c:1295 [inline] geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __do_sys_sendmsg net/socket.c:2659 [inline] __se_sys_sendmsg net/socket.c:2657 [inline] __arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600 Allocated by task 13247: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x68 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4298 [inline] __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645 alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470 rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780 __rtnl_newlink net/core/rtnetlink.c:3906 [inline] rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938 netlink_unicast_kernel net/netlink/af_n ---truncated--- CVE-2025-21858 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21858.html CVE-2025-21858 https://bugzilla.suse.com/1239468 SUSE Bug 1239468 In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock. Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler. CVE-2025-21859 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21859.html CVE-2025-21859 https://bugzilla.suse.com/1239467 SUSE Bug 1239467 In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated--- CVE-2025-21861 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21861.html CVE-2025-21861 https://bugzilla.suse.com/1239483 SUSE Bug 1239483 In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x119/0x179 lib/dump_stack.c:118 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 reset_per_cpu_data+0xe6/0x240 [drop_monitor] net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 sock_sendmsg_nosec net/socket.c:651 [inline] __sock_sendmsg+0x157/0x190 net/socket.c:663 ____sys_sendmsg+0x712/0x870 net/socket.c:2378 ___sys_sendmsg+0xf8/0x170 net/socket.c:2432 __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768 If drop_monitor is built as a kernel module, syzkaller may have time to send a netlink NET_DM_CMD_START message during the module loading. This will call the net_dm_monitor_start() function that uses a spinlock that has not yet been initialized. To fix this, let's place resource initialization above the registration of a generic netlink family. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21862 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21862.html CVE-2025-21862 https://bugzilla.suse.com/1239474 SUSE Bug 1239474 In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free. The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point. We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions. CVE-2025-21864 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21864.html CVE-2025-21864 https://bugzilla.suse.com/1239482 SUSE Bug 1239482 In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl(). Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A. 1. cleanup_net() processes netns A and then B. 2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink(). [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ] 3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink(). gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue(). Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled. Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp. [0]: list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04) kernel BUG at lib/list_debug.c:58! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G T 6.12.13-grsec-full-20250211091339 #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:[<ffffffff84947381>] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 Code: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc <0f> 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60 RSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283 RAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054 RDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000 RBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32 R10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4 R13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08 RBX: kasan shadow of 0x0 RCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554 RDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58 RSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71 RBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object] RSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ] R09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ] R10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ] R15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object] FS: 0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0 Stack: 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00 ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d Call Trace: <TASK> [<ffffffff8a0c360d>] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28 [<ffffffff8a0c360d>] list_del include/linux/list.h:262 [inl ---truncated--- CVE-2025-21865 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21865.html CVE-2025-21865 https://bugzilla.suse.com/1239481 SUSE Bug 1239481 In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000 GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00 The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: text_area_cpu_up+0x20/0x190 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet. Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area. That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault") The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately. CVE-2025-21866 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21866.html CVE-2025-21866 https://bugzilla.suse.com/1239473 SUSE Bug 1239473 In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Disable KASAN report during patching via temporary mm Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13: [ 12.028126] ================================================================== [ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1 [ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3 [ 12.028408] Tainted: [T]=RANDSTRUCT [ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Call Trace: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708 [ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300 [ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370 [ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40 [ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0 [ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0 [ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930 [ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280 [ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280 [ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty) [ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupt: 3000 [ 12.030444] ================================================================== Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because __patch_mem() is not instrumented. Commit 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()") use copy_to_kernel_nofault() to copy several instructions at once. But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated--- CVE-2025-21869 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21869.html CVE-2025-21869 https://bugzilla.suse.com/1240182 SUSE Bug 1240182 In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers Other, non DAI copier widgets could have the same stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio. The correct fix is to harden the matching logic by making sure that the 1. widget is a DAI widget - so dai = w->private is valid 2. the dai (and thus the copier) is ALH copier CVE-2025-21870 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21870.html CVE-2025-21870 https://bugzilla.suse.com/1240191 SUSE Bug 1240191 In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix supplicant wait loop OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client application which can eventually lead to system hang-up waiting for the closure of the client application. Allow the client process waiting in kernel for supplicant response to be killed rather than indefinitely waiting in an unkillable state. Also, a normal uninterruptible wait should not have resulted in the hung-task watchdog getting triggered, but the endless loop would. This fixes issues observed during system reboot/shutdown when supplicant got hung for some reason or gets crashed/killed which lead to client getting hung in an unkillable state. It in turn lead to system being in hung up state requiring hard power off/on to recover. CVE-2025-21871 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21871.html CVE-2025-21871 https://bugzilla.suse.com/1240183 SUSE Bug 1240183 In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix suspicious RCU usage Commit <d74169ceb0d2> ("iommu/vt-d: Allocate DMAR fault interrupts locally") moved the call to enable_drhd_fault_handling() to a code path that does not hold any lock while traversing the drhd list. Fix it by ensuring the dmar_global_lock lock is held when traversing the drhd list. Without this fix, the following warning is triggered: ============================= WARNING: suspicious RCU usage 6.14.0-rc3 #55 Not tainted ----------------------------- drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 1 2 locks held by cpuhp/1/23: #0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0 #1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0 stack backtrace: CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55 Call Trace: <TASK> dump_stack_lvl+0xb7/0xd0 lockdep_rcu_suspicious+0x159/0x1f0 ? __pfx_enable_drhd_fault_handling+0x10/0x10 enable_drhd_fault_handling+0x151/0x180 cpuhp_invoke_callback+0x1df/0x990 cpuhp_thread_fun+0x1ea/0x2c0 smpboot_thread_fn+0x1f5/0x2e0 ? __pfx_smpboot_thread_fn+0x10/0x10 kthread+0x12a/0x2d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x4a/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Holding the lock in enable_drhd_fault_handling() triggers a lockdep splat about a possible deadlock between dmar_global_lock and cpu_hotplug_lock. This is avoided by not holding dmar_global_lock when calling iommu_device_register(), which initiates the device probe process. CVE-2025-21876 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21876.html CVE-2025-21876 https://bugzilla.suse.com/1240179 SUSE Bug 1240179 In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing. [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_resolve_output net/core/neighbour.c:1514 [inline] neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494 neigh_output include/net/neighbour.h:539 [inline] ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819 mld_send_cr net/ipv6/mcast.c:2120 [inline] mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> CVE-2025-21877 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21877.html CVE-2025-21877 https://bugzilla.suse.com/1240172 SUSE Bug 1240172 In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: disable interrupt enable bit before devm_request_irq The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status without being reset. Due to such an i2c module status, the i2c irq handler keeps getting triggered since the i2c irq handler is registered in the kernel booting process after the bmc machine is doing a warm rebooting. The continuous triggering is stopped by the soft lockup watchdog timer. Disable the interrupt enable bit in the i2c module before calling devm_request_irq to fix this issue since the i2c relative status bit is read-only. Here is the soft lockup log. [ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1] [ 28.183351] Modules linked in: [ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1 [ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 28.208128] pc : __do_softirq+0xb0/0x368 [ 28.212055] lr : __do_softirq+0x70/0x368 [ 28.215972] sp : ffffff8035ebca00 [ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780 [ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0 [ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b [ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff [ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000 [ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2 [ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250 [ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434 [ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198 [ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40 [ 28.290611] Call trace: [ 28.293052] __do_softirq+0xb0/0x368 [ 28.296625] __irq_exit_rcu+0xe0/0x100 [ 28.300374] irq_exit+0x14/0x20 [ 28.303513] handle_domain_irq+0x68/0x90 [ 28.307440] gic_handle_irq+0x78/0xb0 [ 28.311098] call_on_irq_stack+0x20/0x38 [ 28.315019] do_interrupt_handler+0x54/0x5c [ 28.319199] el1_interrupt+0x2c/0x4c [ 28.322777] el1h_64_irq_handler+0x14/0x20 [ 28.326872] el1h_64_irq+0x74/0x78 [ 28.330269] __setup_irq+0x454/0x780 [ 28.333841] request_threaded_irq+0xd0/0x1b4 [ 28.338107] devm_request_threaded_irq+0x84/0x100 [ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0 [ 28.346990] platform_probe+0x6c/0xc4 [ 28.350653] really_probe+0xcc/0x45c [ 28.354227] __driver_probe_device+0x8c/0x160 [ 28.358578] driver_probe_device+0x44/0xe0 [ 28.362670] __driver_attach+0x124/0x1d0 [ 28.366589] bus_for_each_dev+0x7c/0xe0 [ 28.370426] driver_attach+0x28/0x30 [ 28.373997] bus_add_driver+0x124/0x240 [ 28.377830] driver_register+0x7c/0x124 [ 28.381662] __platform_driver_register+0x2c/0x34 [ 28.386362] npcm_i2c_init+0x3c/0x5c [ 28.389937] do_one_initcall+0x74/0x230 [ 28.393768] kernel_init_freeable+0x24c/0x2b4 [ 28.398126] kernel_init+0x28/0x130 [ 28.401614] ret_from_fork+0x10/0x20 [ 28.405189] Kernel panic - not syncing: softlockup: hung tasks [ 28.411011] SMP: stopping secondary CPUs [ 28.414933] Kernel Offset: disabled [ 28.418412] CPU features: 0x00000000,00000802 [ 28.427644] Rebooting in 20 seconds.. CVE-2025-21878 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21878.html CVE-2025-21878 https://bugzilla.suse.com/1240192 SUSE Bug 1240192 In the Linux kernel, the following vulnerability has been resolved: ice: Fix deinitializing VF in error path If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption. Reproducer: devlink dev eswitch set $PF1_PCI mode switchdev ip l s $PF1 up ip l s $PF1 promisc on sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs Trace (minimized): list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330). kernel BUG at lib/list_debug.c:29! RIP: 0010:__list_add_valid_or_report+0xa6/0x100 ice_mbx_init_vf_info+0xa7/0x180 [ice] ice_initialize_vf_entry+0x1fa/0x250 [ice] ice_sriov_configure+0x8d7/0x1520 [ice] ? __percpu_ref_switch_mode+0x1b1/0x5d0 ? __pfx_ice_sriov_configure+0x10/0x10 [ice] Sometimes a KASAN report can be seen instead with a similar stack trace: BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100 VFs are added to this list in ice_mbx_init_vf_info(), but only removed in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is also being called in other places where VFs are being removed (including ice_free_vfs() itself). CVE-2025-21883 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21883.html CVE-2025-21883 https://bugzilla.suse.com/1240189 SUSE Bug 1240189 In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers While using nvme target with use_srq on, below kernel panic is noticed. [ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514) [ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI .. [ 566.393799] <TASK> [ 566.393807] ? __die_body+0x1a/0x60 [ 566.393823] ? die+0x38/0x60 [ 566.393835] ? do_trap+0xe4/0x110 [ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393881] ? do_error_trap+0x7c/0x120 [ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393911] ? exc_divide_error+0x34/0x50 [ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393939] ? asm_exc_divide_error+0x16/0x20 [ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re] [ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re] [ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re] [ 566.394057] ? srso_return_thunk+0x5/0x5f [ 566.394068] ? __init_swait_queue_head+0x4a/0x60 [ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core] [ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma] [ 566.394174] ? lock_release+0x22c/0x3f0 [ 566.394187] ? srso_return_thunk+0x5/0x5f Page size and shift info is set only for the user space SRQs. Set page size and page shift for kernel space SRQs also. CVE-2025-21885 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21885.html CVE-2025-21885 https://bugzilla.suse.com/1240169 SUSE Bug 1240169 In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP hang on parent deregistration Fix the destroy_unused_implicit_child_mr() to prevent hanging during parent deregistration as of below [1]. Upon entering destroy_unused_implicit_child_mr(), the reference count for the implicit MR parent is incremented using: refcount_inc_not_zero(). A corresponding decrement must be performed if free_implicit_child_mr_work() is not called. The code has been updated to properly manage the reference count that was incremented. [1] INFO: task python3:2157 blocked for more than 120 seconds. Not tainted 6.12.0-rc7+ #1633 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 __mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib] ? __pfx_autoremove_wake_function+0x10/0x10 ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 ? kmem_cache_free+0x221/0x400 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f20f21f017b RSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b RDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60 R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890 R13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0 </TASK> CVE-2025-21886 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21886.html CVE-2025-21886 https://bugzilla.suse.com/1240188 SUSE Bug 1240188 In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a WARN during dereg_mr for DM type Memory regions (MR) of type DM (device memory) do not have an associated umem. In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped. This results in a WARN [1], as shown below. The issue is resolved by properly accounting for the DM type and ensuring the correct branch is selected in mlx5_free_priv_descs(). [1] WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90 Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00 RSP: 0018:ffffc90001913a10 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x84/0x190 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0xf8/0x1c0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 dma_unmap_page_attrs+0xe6/0x290 mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib] __mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f537adaf17b Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270 R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190 R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450 </TASK> CVE-2025-21888 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21888.html CVE-2025-21888 https://bugzilla.suse.com/1240177 SUSE Bug 1240177 In the Linux kernel, the following vulnerability has been resolved: idpf: fix checksums set in idpf_rx_rsc() idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header is not set yet. This triggers the following warning for CONFIG_DEBUG_NET=y builds. DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb)) [ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth [ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697 [ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN [ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748) [ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261687] ? report_bug (lib/bug.c:?) [ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285) [ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309) [ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf [ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf [ 69.261712] __napi_poll (net/core/dev.c:7194) [ 69.261716] net_rx_action (net/core/dev.c:7265) [ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293) [ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288) [ 69.261726] handle_softirqs (kernel/softirq.c:561) CVE-2025-21890 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21890.html CVE-2025-21890 https://bugzilla.suse.com/1240173 SUSE Bug 1240173 In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 ipv6_addr_type include/net/ipv6.h:555 [inline] ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline] ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651 ip6_route_output include/net/ip6_route.h:93 [inline] ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476 ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline] ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671 ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223 __netdev_start_xmit include/linux/netdevice.h:5150 [inline] netdev_start_xmit include/linux/netdevice.h:5159 [inline] xmit_one net/core/dev.c:3735 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751 sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343 qdisc_restart net/sched/sch_generic.c:408 [inline] __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416 qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127 net_tx_action+0x78b/0x940 net/core/dev.c:5484 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561 __do_softirq+0x14/0x1a kernel/softirq.c:595 do_softirq+0x9a/0x100 kernel/softirq.c:462 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611 dev_queue_xmit include/linux/netdevice.h:3311 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3132 [inline] packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164 sock_sendmsg_nosec net/socket.c:718 [inline] CVE-2025-21891 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21891.html CVE-2025-21891 https://bugzilla.suse.com/1240186 SUSE Bug 1240186 In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix the recovery flow of the UMR QP This patch addresses an issue in the recovery flow of the UMR QP, ensuring tasks do not get stuck, as highlighted by the call trace [1]. During recovery, before transitioning the QP to the RESET state, the software must wait for all outstanding WRs to complete. Failing to do so can cause the firmware to skip sending some flushed CQEs with errors and simply discard them upon the RESET, as per the IB specification. This race condition can result in lost CQEs and tasks becoming stuck. To resolve this, the patch sends a final WR which serves only as a barrier before moving the QP state to RESET. Once a CQE is received for that final WR, it guarantees that no outstanding WRs remain, making it safe to transition the QP to RESET and subsequently back to RTS, restoring proper functionality. Note: For the barrier WR, we simply reuse the failed and ready WR. Since the QP is in an error state, it will only receive IB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't care about its status. [1] INFO: task rdma_resource_l:1922 blocked for more than 120 seconds. Tainted: G W 6.12.0-rc7+ #1626 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:rdma_resource_l state:D stack:0 pid:1922 tgid:1922 ppid:1369 flags:0x00004004 Call Trace: <TASK> __schedule+0x420/0xd30 schedule+0x47/0x130 schedule_timeout+0x280/0x300 ? mark_held_locks+0x48/0x80 ? lockdep_hardirqs_on_prepare+0xe5/0x1a0 wait_for_completion+0x75/0x130 mlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib] ? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib] mlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib] __mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? __lock_acquire+0x64e/0x2080 ? mark_held_locks+0x48/0x80 ? find_held_lock+0x2d/0xa0 ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? __fget_files+0xc3/0x1b0 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f99c918b17b RSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX: 00007f99c918b17b RDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09: 000000000000bd7e R10: 00007f99c94c1c70 R11: 0000000000000246 R12: 00007ffc766d0530 R13: 000000000000001c R14: 0000000040246a80 R15: 0000000000000000 </TASK> CVE-2025-21892 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-28-rt-1-3.1 SUSE Linux Micro 6.1:kernel-rt-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-28.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-28.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520260-1/ https://www.suse.com/security/cve/CVE-2025-21892.html CVE-2025-21892 https://bugzilla.suse.com/1240175 SUSE Bug 1240175