Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20283-1 Final 1 1 2025-04-25T09:37:28Z current 2025-04-25T09:37:28Z 2025-04-25T09:37:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise Micro 6.0 and 6.1 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-27415: netfilter: br_netfilter: skip conntrack input hook for promisc packets (bsc#1224757). - CVE-2024-50038: netfilter: xtables: fix typo causing some targets not to load on IPv6 (bsc#1231910). - CVE-2024-53124: net: fix data-races around sk->sk_forward_alloc (bsc#1234074). - CVE-2024-53139: sctp: fix possible UAF in sctp_v6_available() (bsc#1234157). - CVE-2024-58018: nvkm: correctly calculate the available space of the GSP cmdq buffer (bsc#1238990). - CVE-2024-58071: team: prevent adding a device which is already a team device lower (bsc#1238970). - CVE-2025-21729: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (bsc#1237874). - CVE-2025-21755: vsock: Orphan socket after transport release (bsc#1237882). - CVE-2025-21806: net: let net.core.dev_weight always be non-zero (bsc#1238746). - CVE-2025-21836: io_uring/kbuf: reallocate buf lists on upgrade (bsc#1239066). - CVE-2025-21863: io_uring: prevent opcode speculation (bsc#1239475). - CVE-2025-21873: scsi: ufs: core: bsg: Fix crash when arpmb command fails (bsc#1240184). - CVE-2025-21875: mptcp: always handle address removal under msk socket lock (bsc#1240168). - CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode() (bsc#1240185). - CVE-2025-21884: net: better track kernel sockets lifetime (bsc#1240171). - CVE-2025-21887: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (bsc#1240176). - CVE-2025-21889: perf/core: Add RCU read lock protection to perf_iterate_ctx() (bsc#1240167). - CVE-2025-21894: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC (bsc#1240581). - CVE-2025-21895: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list (bsc#1240585). - CVE-2025-21906: wifi: iwlwifi: mvm: clean up ROC on failure (bsc#1240587). - CVE-2025-21908: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback (bsc#1240600). - CVE-2025-21913: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (bsc#1240591). - CVE-2025-21922: ppp: Fix KMSAN uninit-value warning with bpf (bsc#1240639). - CVE-2025-21924: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error (bsc#1240720). - CVE-2025-21957: scsi: qla1280: Fix kernel oops when debug level > 2 (bsc#1240742). - CVE-2025-21960: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() (bsc#1240815). - CVE-2025-21961: eth: bnxt: fix truesize for mb-xdp-pass case (bsc#1240816). - CVE-2025-21969: kABI workaround for l2cap_conn changes (bsc#1240784). - CVE-2025-21970: net/mlx5: Bridge, fix the crash caused by LAG state check (bsc#1240819). - CVE-2025-21972: net: mctp: unshare packets when reassembling (bsc#1240813). - CVE-2025-21975: net/mlx5: handle errors in mlx5_chains_create_table() (bsc#1240812). - CVE-2025-21981: ice: fix memory leak in aRFS after reset (bsc#1240612). - CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (bsc#1240795). - CVE-2025-21993: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() (bsc#1240797). - CVE-2025-2312: CIFS: New mount option for cifs.upcall namespace resolution (bsc#1239684). The following non-security bugs were fixed: - ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP (stable-fixes). - ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers (git-fixes). - ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA (git-fixes). - ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model (git-fixes). - ASoC: imx-card: Add NULL check in imx_card_probe() (git-fixes). - ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns (git-fixes). - ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment (git-fixes). - ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (git-fixes). - HID: hid-plantronics: Add mic mute mapping and generalize quirks (stable-fixes). - HID: i2c-hid: improve i2c_hid_get_report error message (stable-fixes). - Input: pm8941-pwrkey - fix dev_dbg() output in pm8941_pwrkey_irq() (git-fixes). - Input: synaptics - hide unused smbus_pnp_ids[] array (git-fixes). - PCI: Fix BAR resizing when VF BARs are assigned (git-fixes). - PCI: Fix reference leak in pci_register_host_bridge() (git-fixes). - PCI: histb: Fix an error handling path in histb_pcie_probe() (git-fixes). - acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (git-fixes). - affs: do not write overlarge OFS data block size fields (git-fixes). - affs: generate OFS sequence numbers starting at 1 (git-fixes). - arch_topology: Make register_cpu_capacity_sysctl() tolerant to late (bsc#1238052) - arch_topology: init capacity_freq_ref to 0 (bsc#1238052) - arm64/amu: Use capacity_ref_freq() to set AMU ratio (bsc#1238052) - arm64: Do not call NULL in do_compat_alignment_fixup() (git-fixes) - arm64: Provide an AMU-based version of arch_freq_get_on_cpu (bsc#1238052) - arm64: Update AMU-based freq scale factor on entering idle (bsc#1238052) - arm64: Utilize for_each_cpu_wrap for reference lookup (bsc#1238052) - arm64: amu: Delay allocating cpumask for AMU FIE support (bsc#1238052) - arm64: mm: Correct the update of max_pfn (git-fixes) - bpf: Check size for BTF-based ctx access of pointer members (git-fixes). - bpf: Fix theoretical prog_array UAF in __uprobe_perf_func() (git-fixes). - bpf: avoid holding freeze_mutex during mmap operation (git-fixes). - bpf: fix potential error return (git-fixes). - bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic (git-fixes). - counter: fix privdata alignment (git-fixes). - counter: microchip-tcb-capture: Fix undefined counter channel state on probe (git-fixes). - counter: stm32-lptimer-cnt: fix error handling when enabling (git-fixes). - cpufreq/cppc: Set the frequency used for computing the capacity (bsc#1238052) - cpufreq: Allow arch_freq_get_on_cpu to return an error (bsc#1238052) - cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry (bsc#1238052) Keep the feature disabled by default on x86_64 - drm/amd/pm/smu11: Prevent division by zero (git-fixes). - drm/amd/pm: Prevent division by zero (git-fixes). - drm/amd: Keep display off while going into S4 (stable-fixes). - drm/amdgpu/dma_buf: fix page_link check (git-fixes). - drm/amdgpu/gfx11: fix num_mec (git-fixes). - drm/dp_mst: Add a helper to queue a topology probe (stable-fixes). - drm/dp_mst: Factor out function to queue a topology probe work (stable-fixes). - drm/i915/huc: Fix fence not released on early probe errors (git-fixes). - drm/nouveau: prime: fix ttm_bo_delayed_delete oops (git-fixes). - drm/sti: remove duplicate object names (git-fixes). - exfat: fix the infinite loop in exfat_find_last_cluster() (git-fixes). - firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success (git-fixes). - gpio: tegra186: fix resource handling in ACPI probe path (git-fixes). - hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} (stable-fixes). - lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (git-fixes). - libperf cpumap: Be tolerant of newline at the end of a cpumask (bsc#1234698 jsc#PED-12309). - libperf cpumap: Ensure empty cpumap is NULL from alloc (bsc#1234698 jsc#PED-12309). - libperf cpumap: Grow array of read CPUs in smaller increments (bsc#1234698 jsc#PED-12309). - libperf cpumap: Hide/reduce scope of MAX_NR_CPUS (bsc#1234698 jsc#PED-12309). - libperf cpumap: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__default_new() to perf_cpu_map__new_online_cpus() and prefer sysfs (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__dummy_new() to perf_cpu_map__new_any_cpu() (bsc#1234698 jsc#PED-12309). - libperf cpumap: Rename perf_cpu_map__empty() to perf_cpu_map__has_any_cpu_or_is_empty() (bsc#1234698 jsc#PED-12309). - mmc: sdhci-pxav3: set NEED_RSP_BUSY capability (stable-fixes). - mtd: inftlcore: Add error check for inftl_read_oob() (git-fixes). - mtd: rawnand: Add status chack in r852_ready() (git-fixes). - net: usb: qmi_wwan: add Telit Cinterion FE990B composition (stable-fixes). - net: usb: qmi_wwan: add Telit Cinterion FN990B composition (stable-fixes). - nfs: clear SB_RDONLY before getting superblock (bsc#1238565). - nfs: ignore SB_RDONLY when remounting nfs (bsc#1238565). - nfsd: put dl_stid if fail to queue dl_recall (git-fixes). - ntb: Force physically contiguous allocation of rx ring buffers (git-fixes). - ntb: intel: Fix using link status DB's (git-fixes). - ntb: use 64-bit arithmetic for the MSI doorbell mask (git-fixes). - ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans (git-fixes). - ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk() (git-fixes). - ntb_perf: Fix printk format (git-fixes). - objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() (git-fixes). - objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() (git-fixes). - objtool: Fix segfault in ignore_unreachable_insn() (git-fixes). - perf cpumap: Reduce transitive dependencies on libperf MAX_NR_CPUS (bsc#1234698 jsc#PED-12309). - perf pmu: Remove use of perf_cpu_map__read() (bsc#1234698 jsc#PED-12309). - perf tools: annotate asm_pure_loop.S (bsc#1239906). - perf: Increase MAX_NR_CPUS to 4096 (bsc#1234698 jsc#PED-12309). - platform/x86/intel/vsec: Add Diamond Rapids support (stable-fixes). - platform/x86: ISST: Correct command storage data length (git-fixes). - platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet (stable-fixes). - powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() (git-fixes). - powercap: intel_rapl_tpmi: Fix System Domain probing (git-fixes). - powercap: intel_rapl_tpmi: Fix bogus register reading (git-fixes). - powercap: intel_rapl_tpmi: Ignore minor version change (git-fixes). - rtnetlink: Allocate vfinfo size for VF GUIDs when supported (bsc#1224013). - s390/cio: Fix CHPID "configure" attribute caching (git-fixes bsc#1240979). - s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs (git-fixes bsc#1240978). - sched/topology: Add a new arch_scale_freq_ref() method (bsc#1238052) - security, lsm: Introduce security_mptcp_add_subflow() (bsc#1240375). - selftests/bpf: Add test for narrow ctx load for pointer args (git-fixes). - selinux: Implement mptcp_add_subflow hook (bsc#1240375). - serial: 8250_dma: terminate correct DMA in tx_dma_flush() (git-fixes). - smb: client: fix open_cached_dir retries with 'hard' mount option (bsc#1240616). - staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES (git-fixes). - topology: Set capacity_freq_ref in all cases (bsc#1238052) - tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870). - tpm: tis: Double the timeout B to 4s (bsc#1235870). - tpm_tis: Move CRC check to generic send routine (bsc#1235870). - tpm_tis: Use responseRetry to recover from data transfer errors (bsc#1235870). - tty: serial: 8250: Add Brainboxes XC devices (stable-fixes). - tty: serial: 8250: Add some more device IDs (stable-fixes). - tty: serial: fsl_lpuart: disable transmitter before changing RS485 related registers (git-fixes). - tty: serial: lpuart: only disable CTS instead of overwriting the whole UARTMODIR register (git-fixes). - ucsi_ccg: Do not show failed to get FW build information error (git-fixes). - usb: dwc3: Set SUSPENDENABLE soon after phy init (git-fixes). - usb: xhci: correct debug message page size calculation (git-fixes). - usbnet:fix NPE during rx_complete (git-fixes). - wifi: ath11k: fix memory leak in ath11k_xxx_remove() (git-fixes). - wifi: brcmfmac: keep power during suspend if board requires it (stable-fixes). - wifi: iwlwifi: fw: allocate chained SG tables for dump (stable-fixes). - wifi: iwlwifi: mvm: use the right version of the rate API (stable-fixes). - wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state (stable-fixes). - xhci: Fix null pointer dereference during S4 resume when resetting ep0 (bsc#1235550). - xhci: Reconfigure endpoint 0 max packet size only during endpoint reset (bsc#1235550). - xhci: fix possible null pointer deref during xhci urb enqueue (bsc#1235550). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-kernel-15 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ Link for SUSE-SU-2025:20283-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021049.html E-Mail link for SUSE-SU-2025:20283-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1224013 SUSE Bug 1224013 https://bugzilla.suse.com/1224757 SUSE Bug 1224757 https://bugzilla.suse.com/1228659 SUSE Bug 1228659 https://bugzilla.suse.com/1231910 SUSE Bug 1231910 https://bugzilla.suse.com/1234074 SUSE Bug 1234074 https://bugzilla.suse.com/1234157 SUSE Bug 1234157 https://bugzilla.suse.com/1234698 SUSE Bug 1234698 https://bugzilla.suse.com/1235550 SUSE Bug 1235550 https://bugzilla.suse.com/1235870 SUSE Bug 1235870 https://bugzilla.suse.com/1237874 SUSE Bug 1237874 https://bugzilla.suse.com/1237882 SUSE Bug 1237882 https://bugzilla.suse.com/1238052 SUSE Bug 1238052 https://bugzilla.suse.com/1238565 SUSE Bug 1238565 https://bugzilla.suse.com/1238746 SUSE Bug 1238746 https://bugzilla.suse.com/1238970 SUSE Bug 1238970 https://bugzilla.suse.com/1238990 SUSE Bug 1238990 https://bugzilla.suse.com/1239066 SUSE Bug 1239066 https://bugzilla.suse.com/1239475 SUSE Bug 1239475 https://bugzilla.suse.com/1239684 SUSE Bug 1239684 https://bugzilla.suse.com/1239906 SUSE Bug 1239906 https://bugzilla.suse.com/1239925 SUSE Bug 1239925 https://bugzilla.suse.com/1240167 SUSE Bug 1240167 https://bugzilla.suse.com/1240168 SUSE Bug 1240168 https://bugzilla.suse.com/1240171 SUSE Bug 1240171 https://bugzilla.suse.com/1240176 SUSE Bug 1240176 https://bugzilla.suse.com/1240184 SUSE Bug 1240184 https://bugzilla.suse.com/1240185 SUSE Bug 1240185 https://bugzilla.suse.com/1240375 SUSE Bug 1240375 https://bugzilla.suse.com/1240575 SUSE Bug 1240575 https://bugzilla.suse.com/1240581 SUSE Bug 1240581 https://bugzilla.suse.com/1240582 SUSE Bug 1240582 https://bugzilla.suse.com/1240583 SUSE Bug 1240583 https://bugzilla.suse.com/1240584 SUSE Bug 1240584 https://bugzilla.suse.com/1240585 SUSE Bug 1240585 https://bugzilla.suse.com/1240587 SUSE Bug 1240587 https://bugzilla.suse.com/1240590 SUSE Bug 1240590 https://bugzilla.suse.com/1240591 SUSE Bug 1240591 https://bugzilla.suse.com/1240592 SUSE Bug 1240592 https://bugzilla.suse.com/1240594 SUSE Bug 1240594 https://bugzilla.suse.com/1240595 SUSE Bug 1240595 https://bugzilla.suse.com/1240596 SUSE Bug 1240596 https://bugzilla.suse.com/1240600 SUSE Bug 1240600 https://bugzilla.suse.com/1240612 SUSE Bug 1240612 https://bugzilla.suse.com/1240616 SUSE Bug 1240616 https://bugzilla.suse.com/1240639 SUSE Bug 1240639 https://bugzilla.suse.com/1240643 SUSE Bug 1240643 https://bugzilla.suse.com/1240647 SUSE Bug 1240647 https://bugzilla.suse.com/1240691 SUSE Bug 1240691 https://bugzilla.suse.com/1240700 SUSE Bug 1240700 https://bugzilla.suse.com/1240701 SUSE Bug 1240701 https://bugzilla.suse.com/1240703 SUSE Bug 1240703 https://bugzilla.suse.com/1240708 SUSE Bug 1240708 https://bugzilla.suse.com/1240714 SUSE Bug 1240714 https://bugzilla.suse.com/1240715 SUSE Bug 1240715 https://bugzilla.suse.com/1240716 SUSE Bug 1240716 https://bugzilla.suse.com/1240718 SUSE Bug 1240718 https://bugzilla.suse.com/1240719 SUSE Bug 1240719 https://bugzilla.suse.com/1240720 SUSE Bug 1240720 https://bugzilla.suse.com/1240722 SUSE Bug 1240722 https://bugzilla.suse.com/1240727 SUSE Bug 1240727 https://bugzilla.suse.com/1240739 SUSE Bug 1240739 https://bugzilla.suse.com/1240742 SUSE Bug 1240742 https://bugzilla.suse.com/1240779 SUSE Bug 1240779 https://bugzilla.suse.com/1240783 SUSE Bug 1240783 https://bugzilla.suse.com/1240784 SUSE Bug 1240784 https://bugzilla.suse.com/1240795 SUSE Bug 1240795 https://bugzilla.suse.com/1240796 SUSE Bug 1240796 https://bugzilla.suse.com/1240797 SUSE Bug 1240797 https://bugzilla.suse.com/1240799 SUSE Bug 1240799 https://bugzilla.suse.com/1240801 SUSE Bug 1240801 https://bugzilla.suse.com/1240806 SUSE Bug 1240806 https://bugzilla.suse.com/1240808 SUSE Bug 1240808 https://bugzilla.suse.com/1240812 SUSE Bug 1240812 https://bugzilla.suse.com/1240813 SUSE Bug 1240813 https://bugzilla.suse.com/1240815 SUSE Bug 1240815 https://bugzilla.suse.com/1240816 SUSE Bug 1240816 https://bugzilla.suse.com/1240819 SUSE Bug 1240819 https://bugzilla.suse.com/1240821 SUSE Bug 1240821 https://bugzilla.suse.com/1240825 SUSE Bug 1240825 https://bugzilla.suse.com/1240829 SUSE Bug 1240829 https://bugzilla.suse.com/1240873 SUSE Bug 1240873 https://bugzilla.suse.com/1240937 SUSE Bug 1240937 https://bugzilla.suse.com/1240938 SUSE Bug 1240938 https://bugzilla.suse.com/1240940 SUSE Bug 1240940 https://bugzilla.suse.com/1240942 SUSE Bug 1240942 https://bugzilla.suse.com/1240943 SUSE Bug 1240943 https://bugzilla.suse.com/1240978 SUSE Bug 1240978 https://bugzilla.suse.com/1240979 SUSE Bug 1240979 https://bugzilla.suse.com/1241038 SUSE Bug 1241038 https://www.suse.com/security/cve/CVE-2024-27415/ SUSE CVE CVE-2024-27415 page https://www.suse.com/security/cve/CVE-2024-50038/ SUSE CVE CVE-2024-50038 page https://www.suse.com/security/cve/CVE-2024-53124/ SUSE CVE CVE-2024-53124 page https://www.suse.com/security/cve/CVE-2024-53139/ SUSE CVE CVE-2024-53139 page https://www.suse.com/security/cve/CVE-2024-58018/ SUSE CVE CVE-2024-58018 page https://www.suse.com/security/cve/CVE-2024-58071/ SUSE CVE CVE-2024-58071 page https://www.suse.com/security/cve/CVE-2025-21729/ SUSE CVE CVE-2025-21729 page https://www.suse.com/security/cve/CVE-2025-21755/ SUSE CVE CVE-2025-21755 page https://www.suse.com/security/cve/CVE-2025-21806/ SUSE CVE CVE-2025-21806 page https://www.suse.com/security/cve/CVE-2025-21836/ SUSE CVE CVE-2025-21836 page https://www.suse.com/security/cve/CVE-2025-21863/ SUSE CVE CVE-2025-21863 page https://www.suse.com/security/cve/CVE-2025-21873/ SUSE CVE CVE-2025-21873 page https://www.suse.com/security/cve/CVE-2025-21875/ SUSE CVE CVE-2025-21875 page https://www.suse.com/security/cve/CVE-2025-21881/ SUSE CVE CVE-2025-21881 page https://www.suse.com/security/cve/CVE-2025-21884/ SUSE CVE CVE-2025-21884 page https://www.suse.com/security/cve/CVE-2025-21887/ SUSE CVE CVE-2025-21887 page https://www.suse.com/security/cve/CVE-2025-21889/ SUSE CVE CVE-2025-21889 page https://www.suse.com/security/cve/CVE-2025-21894/ SUSE CVE CVE-2025-21894 page https://www.suse.com/security/cve/CVE-2025-21895/ SUSE CVE CVE-2025-21895 page https://www.suse.com/security/cve/CVE-2025-21905/ SUSE CVE CVE-2025-21905 page https://www.suse.com/security/cve/CVE-2025-21906/ SUSE CVE CVE-2025-21906 page https://www.suse.com/security/cve/CVE-2025-21908/ SUSE CVE CVE-2025-21908 page https://www.suse.com/security/cve/CVE-2025-21909/ SUSE CVE CVE-2025-21909 page https://www.suse.com/security/cve/CVE-2025-21910/ SUSE CVE CVE-2025-21910 page https://www.suse.com/security/cve/CVE-2025-21912/ SUSE CVE CVE-2025-21912 page https://www.suse.com/security/cve/CVE-2025-21913/ SUSE CVE CVE-2025-21913 page https://www.suse.com/security/cve/CVE-2025-21914/ SUSE CVE CVE-2025-21914 page https://www.suse.com/security/cve/CVE-2025-21915/ SUSE CVE CVE-2025-21915 page https://www.suse.com/security/cve/CVE-2025-21916/ SUSE CVE CVE-2025-21916 page https://www.suse.com/security/cve/CVE-2025-21917/ SUSE CVE CVE-2025-21917 page https://www.suse.com/security/cve/CVE-2025-21918/ SUSE CVE CVE-2025-21918 page https://www.suse.com/security/cve/CVE-2025-21922/ SUSE CVE CVE-2025-21922 page https://www.suse.com/security/cve/CVE-2025-21923/ SUSE CVE CVE-2025-21923 page https://www.suse.com/security/cve/CVE-2025-21924/ SUSE CVE CVE-2025-21924 page https://www.suse.com/security/cve/CVE-2025-21927/ SUSE CVE CVE-2025-21927 page https://www.suse.com/security/cve/CVE-2025-21928/ SUSE CVE CVE-2025-21928 page https://www.suse.com/security/cve/CVE-2025-21930/ SUSE CVE CVE-2025-21930 page https://www.suse.com/security/cve/CVE-2025-21934/ SUSE CVE CVE-2025-21934 page https://www.suse.com/security/cve/CVE-2025-21935/ SUSE CVE CVE-2025-21935 page https://www.suse.com/security/cve/CVE-2025-21936/ SUSE CVE CVE-2025-21936 page https://www.suse.com/security/cve/CVE-2025-21937/ SUSE CVE CVE-2025-21937 page https://www.suse.com/security/cve/CVE-2025-21941/ SUSE CVE CVE-2025-21941 page https://www.suse.com/security/cve/CVE-2025-21943/ SUSE CVE CVE-2025-21943 page https://www.suse.com/security/cve/CVE-2025-21948/ SUSE CVE CVE-2025-21948 page https://www.suse.com/security/cve/CVE-2025-21950/ SUSE CVE CVE-2025-21950 page https://www.suse.com/security/cve/CVE-2025-21951/ SUSE CVE CVE-2025-21951 page https://www.suse.com/security/cve/CVE-2025-21953/ SUSE CVE CVE-2025-21953 page https://www.suse.com/security/cve/CVE-2025-21956/ SUSE CVE CVE-2025-21956 page https://www.suse.com/security/cve/CVE-2025-21957/ SUSE CVE CVE-2025-21957 page https://www.suse.com/security/cve/CVE-2025-21960/ SUSE CVE CVE-2025-21960 page https://www.suse.com/security/cve/CVE-2025-21961/ SUSE CVE CVE-2025-21961 page https://www.suse.com/security/cve/CVE-2025-21966/ SUSE CVE CVE-2025-21966 page https://www.suse.com/security/cve/CVE-2025-21968/ SUSE CVE CVE-2025-21968 page https://www.suse.com/security/cve/CVE-2025-21969/ SUSE CVE CVE-2025-21969 page https://www.suse.com/security/cve/CVE-2025-21970/ SUSE CVE CVE-2025-21970 page https://www.suse.com/security/cve/CVE-2025-21971/ SUSE CVE CVE-2025-21971 page https://www.suse.com/security/cve/CVE-2025-21972/ SUSE CVE CVE-2025-21972 page https://www.suse.com/security/cve/CVE-2025-21975/ SUSE CVE CVE-2025-21975 page https://www.suse.com/security/cve/CVE-2025-21978/ SUSE CVE CVE-2025-21978 page https://www.suse.com/security/cve/CVE-2025-21979/ SUSE CVE CVE-2025-21979 page https://www.suse.com/security/cve/CVE-2025-21981/ SUSE CVE CVE-2025-21981 page https://www.suse.com/security/cve/CVE-2025-21991/ SUSE CVE CVE-2025-21991 page https://www.suse.com/security/cve/CVE-2025-21992/ SUSE CVE CVE-2025-21992 page https://www.suse.com/security/cve/CVE-2025-21993/ SUSE CVE CVE-2025-21993 page https://www.suse.com/security/cve/CVE-2025-21995/ SUSE CVE CVE-2025-21995 page https://www.suse.com/security/cve/CVE-2025-21996/ SUSE CVE CVE-2025-21996 page https://www.suse.com/security/cve/CVE-2025-22001/ SUSE CVE CVE-2025-22001 page https://www.suse.com/security/cve/CVE-2025-22003/ SUSE CVE CVE-2025-22003 page https://www.suse.com/security/cve/CVE-2025-22007/ SUSE CVE CVE-2025-22007 page https://www.suse.com/security/cve/CVE-2025-22008/ SUSE CVE CVE-2025-22008 page https://www.suse.com/security/cve/CVE-2025-22009/ SUSE CVE CVE-2025-22009 page https://www.suse.com/security/cve/CVE-2025-22010/ SUSE CVE CVE-2025-22010 page https://www.suse.com/security/cve/CVE-2025-22013/ SUSE CVE CVE-2025-22013 page https://www.suse.com/security/cve/CVE-2025-22014/ SUSE CVE CVE-2025-22014 page https://www.suse.com/security/cve/CVE-2025-2312/ SUSE CVE CVE-2025-2312 page SUSE Linux Micro 6.1 kernel-devel-rt-6.4.0-30.1 kernel-livepatch-6_4_0-30-rt-1-1.3 kernel-rt-6.4.0-30.1 kernel-rt-devel-6.4.0-30.1 kernel-rt-livepatch-6.4.0-30.1 kernel-source-rt-6.4.0-30.1 kernel-devel-rt-6.4.0-30.1 as a component of SUSE Linux Micro 6.1 kernel-livepatch-6_4_0-30-rt-1-1.3 as a component of SUSE Linux Micro 6.1 kernel-rt-6.4.0-30.1 as a component of SUSE Linux Micro 6.1 kernel-rt-devel-6.4.0-30.1 as a component of SUSE Linux Micro 6.1 kernel-rt-livepatch-6.4.0-30.1 as a component of SUSE Linux Micro 6.1 kernel-source-rt-6.4.0-30.1 as a component of SUSE Linux Micro 6.1 In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs referencing the same nf_conn entry, which will happen for multicast (broadcast) frames on bridges. Example: macvlan0 | br0 / \ ethX ethY ethX (or Y) receives a L2 multicast or broadcast packet containing an IP packet, flow is not yet in conntrack table. 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. -> skb->_nfct now references a unconfirmed entry 2. skb is broad/mcast packet. bridge now passes clones out on each bridge interface. 3. skb gets passed up the stack. 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb and schedules a work queue to send them out on the lower devices. The clone skb->_nfct is not a copy, it is the same entry as the original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. The Macvlan broadcast worker and normal confirm path will race. This race will not happen if step 2 already confirmed a clone. In that case later steps perform skb_clone() with skb->_nfct already confirmed (in hash table). This works fine. But such confirmation won't happen when eb/ip/nftables rules dropped the packets before they reached the nf_confirm step in postrouting. Pablo points out that nf_conntrack_bridge doesn't allow use of stateful nat, so we can safely discard the nf_conn entry and let inet call conntrack again. This doesn't work for bridge netfilter: skb could have a nat transformation. Also bridge nf prevents re-invocation of inet prerouting via 'sabotage_in' hook. Work around this problem by explicit confirmation of the entry at LOCAL_IN time, before upper layer has a chance to clone the unconfirmed entry. The downside is that this disables NAT and conntrack helpers. Alternative fix would be to add locking to all code parts that deal with unconfirmed packets, but even if that could be done in a sane way this opens up other problems, for example: -m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4 -m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5 For multicast case, only one of such conflicting mappings will be created, conntrack only handles 1:1 NAT mappings. Users should set create a setup that explicitly marks such traffic NOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass them, ruleset might have accept rules for untracked traffic already, so user-visible behaviour would change. CVE-2024-27415 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2024-27415.html CVE-2024-27415 https://bugzilla.suse.com/1224757 SUSE Bug 1224757 In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid NFPROTO_UNSPEC where needed syzbot managed to call xt_cluster match via ebtables: WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780 [..] ebt_do_table+0x174b/0x2a40 Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet processing. As this is only useful to restrict locally terminating TCP/UDP traffic, register this for ipv4 and ipv6 family only. Pablo points out that this is a general issue, direct users of the set/getsockopt interface can call into targets/matches that were only intended for use with ip(6)tables. Check all UNSPEC matches and targets for similar issues: - matches and targets are fine except if they assume skb_network_header() is valid -- this is only true when called from inet layer: ip(6) stack pulls the ip/ipv6 header into linear data area. - targets that return XT_CONTINUE or other xtables verdicts must be restricted too, they are incompatbile with the ebtables traverser, e.g. EBT_CONTINUE is a completely different value than XT_CONTINUE. Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as they are provided for use by ip(6)tables. The MARK target is also used by arptables, so register for NFPROTO_ARP too. While at it, bail out if connbytes fails to enable the corresponding conntrack family. This change passes the selftests in iptables.git. CVE-2024-50038 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2024-50038.html CVE-2024-50038 https://bugzilla.suse.com/1231910 SUSE Bug 1231910 In the Linux kernel, the following vulnerability has been resolved: net: fix data-races around sk->sk_forward_alloc Syzkaller reported this warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:inet_sock_destruct+0x1c5/0x1e0 Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00 RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007 RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00 RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007 R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00 R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78 FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x88/0x130 ? inet_sock_destruct+0x1c5/0x1e0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x1c5/0x1e0 __sk_destruct+0x2a/0x200 rcu_do_batch+0x1aa/0x530 ? rcu_do_batch+0x13b/0x530 rcu_core+0x159/0x2f0 handle_softirqs+0xd3/0x2b0 ? __pfx_smpboot_thread_fn+0x10/0x10 run_ksoftirqd+0x25/0x30 smpboot_thread_fn+0xdd/0x1d0 kthread+0xd3/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv tcp_v6_do_rcv skb_clone_and_charge_r sk_rmem_schedule __sk_mem_schedule sk_forward_alloc_add() skb_set_owner_r sk_mem_charge sk_forward_alloc_add() __kfree_skb skb_release_all skb_release_head_state sock_rfree sk_mem_uncharge sk_forward_alloc_add() sk_mem_reclaim // set local var reclaimable __sk_mem_reclaim sk_forward_alloc_add() In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this: (cpu 1) | (cpu 2) | sk_forward_alloc ... | ... | 0 __sk_mem_schedule() | | +4096 = 4096 | __sk_mem_schedule() | +4096 = 8192 sk_mem_charge() | | -768 = 7424 | sk_mem_charge() | -768 = 6656 ... | ... | sk_mem_uncharge() | | +768 = 7424 reclaimable=7424 | | | sk_mem_uncharge() | +768 = 8192 | reclaimable=8192 | __sk_mem_reclaim() | | -4096 = 4096 | __sk_mem_reclaim() | -8192 = -4096 != 0 The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). Fix the same issue in dccp_v6_do_rcv(). CVE-2024-53124 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2024-53124.html CVE-2024-53124 https://bugzilla.suse.com/1234074 SUSE Bug 1234074 In the Linux kernel, the following vulnerability has been resolved: sctp: fix possible UAF in sctp_v6_available() A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints that sctp_v6_available() is calling dev_get_by_index_rcu() and ipv6_chk_addr() without holding rcu. [1] ============================= WARNING: suspicious RCU usage 6.12.0-rc5-virtme #1216 Tainted: G W ----------------------------- net/core/dev.c:876 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by sctp_hello/31495: #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp stack backtrace: CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7)) sctp_v6_available (net/sctp/ipv6.c:701) sctp sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp sctp_bind (net/sctp/socket.c:320) sctp inet6_bind_sk (net/ipv6/af_inet6.c:465) ? security_socket_bind (security/security.c:4581 (discriminator 1)) __sys_bind (net/socket.c:1848 net/socket.c:1869) ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340) ? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13)) __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1)) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f59b934a1e7 Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48 All code ======== 0: 44 00 00 add %r8b,(%rax) 3: 48 8b 15 39 8c 0c 00 mov 0xc8c39(%rip),%rdx # 0xc8c43 a: f7 d8 neg %eax c: 64 89 02 mov %eax,%fs:(%rdx) f: b8 ff ff ff ff mov $0xffffffff,%eax 14: eb bd jmp 0xffffffffffffffd3 16: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 1d: 00 00 00 20: 0f 1f 00 nopl (%rax) 23: b8 31 00 00 00 mov $0x31,%eax 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 ret 33: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c43 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 ret 9: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c19 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031 RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7 RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000 R10: 00007f59b9253298 R11: 000000000000 ---truncated--- CVE-2024-53139 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2024-53139.html CVE-2024-53139 https://bugzilla.suse.com/1234157 SUSE Bug 1234157 In the Linux kernel, the following vulnerability has been resolved: nvkm: correctly calculate the available space of the GSP cmdq buffer r535_gsp_cmdq_push() waits for the available page in the GSP cmdq buffer when handling a large RPC request. When it sees at least one available page in the cmdq, it quits the waiting with the amount of free buffer pages in the queue. Unfortunately, it always takes the [write pointer, buf_size) as available buffer pages before rolling back and wrongly calculates the size of the data should be copied. Thus, it can overwrite the RPC request that GSP is currently reading, which causes GSP hang due to corrupted RPC request: [ 549.209389] ------------[ cut here ]------------ [ 549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E) [ 549.225752] iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)] [ 549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G E 6.9.0-rc6+ #1 [ 549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022 [ 549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff <0f> 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c [ 549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246 [ 549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28 [ 549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730 [ 549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70 [ 549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020 [ 549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000 [ 549.406988] FS: 00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000 [ 549.415076] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0 [ 549.427963] PKRU: 55555554 [ 549.430672] Call Trace: [ 549.433126] <TASK> [ 549.435233] ? __warn+0x7f/0x130 [ 549.438473] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.443426] ? report_bug+0x18a/0x1a0 [ 549.447098] ? handle_bug+0x3c/0x70 [ 549.450589] ? exc_invalid_op+0x14/0x70 [ 549.454430] ? asm_exc_invalid_op+0x16/0x20 [ 549.458619] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.463565] r535_gsp_msg_recv+0x46/0x230 [nvkm] [ 549.468257] r535_gsp_rpc_push+0x106/0x160 [nvkm] [ 549.473033] r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm] [ 549.478422] nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm] [ 549.483899] nvidia_grid_init+0xb1/0xd0 [nvkm] [ 549.488420] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.493213] nvkm_device_pci_probe+0x305/0x420 [nvkm] [ 549.498338] local_pci_probe+0x46/ ---truncated--- CVE-2024-58018 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2024-58018.html CVE-2024-58018 https://bugzilla.suse.com/1238990 SUSE Bug 1238990 In the Linux kernel, the following vulnerability has been resolved: team: prevent adding a device which is already a team device lower Prevent adding a device which is already a team device lower, e.g. adding veth0 if vlan1 was already added and veth0 is a lower of vlan1. This is not useful in practice and can lead to recursive locking: $ ip link add veth0 type veth peer name veth1 $ ip link set veth0 up $ ip link set veth1 up $ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1 $ ip link add team0 type team $ ip link set veth0.1 down $ ip link set veth0.1 master team0 team0: Port device veth0.1 added $ ip link set veth0 down $ ip link set veth0 master team0 ============================================ WARNING: possible recursive locking detected 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted -------------------------------------------- ip/7684 is trying to acquire lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) but task is already holding lock: ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977) other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(team->team_lock_key); lock(team->team_lock_key); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by ip/7684: stack backtrace: CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_deadlock_bug.cold (kernel/locking/lockdep.c:3040) __lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226) ? netlink_broadcast_filtered (net/netlink/af_netlink.c:1548) lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2)) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? lock_acquire (kernel/locking/lockdep.c:5822) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) __mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) ? fib_sync_up (net/ipv4/fib_semantics.c:2167) ? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) __dev_notify_flags (net/core/dev.c:8993) ? __dev_change_flags (net/core/dev.c:8975) dev_change_flags (net/core/dev.c:9027) vlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470) ? br_device_event (net/bridge/br.c:143) notifier_call_chain (kernel/notifier.c:85) call_netdevice_notifiers_info (net/core/dev.c:1996) dev_open (net/core/dev.c:1519 net/core/dev.c:1505) team_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977) ? __pfx_team_add_slave (drivers/net/team/team_core.c:1972) do_set_master (net/core/rtnetlink.c:2917) do_setlink.isra.0 (net/core/rtnetlink.c:3117) CVE-2024-58071 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2024-58071.html CVE-2024-58071 https://bugzilla.suse.com/1238970 SUSE Bug 1238970 In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211_conn_work [cfg80211] RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace: <TASK> ? show_regs+0x61/0x73 ? __die_body+0x20/0x73 ? die_addr+0x4f/0x7b ? exc_general_protection+0x191/0x1db ? asm_exc_general_protection+0x27/0x30 ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core] ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core] ? do_raw_spin_lock+0x75/0xdb ? __pfx_do_raw_spin_lock+0x10/0x10 rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core] ? _raw_spin_unlock+0xe/0x24 ? __mutex_lock.constprop.0+0x40c/0x471 ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core] ? __mutex_lock_slowpath+0x13/0x1f ? mutex_lock+0xa2/0xdc ? __pfx_mutex_lock+0x10/0x10 rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core] rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core] ieee80211_scan_cancel+0x468/0x4d0 [mac80211] ieee80211_prep_connection+0x858/0x899 [mac80211] ieee80211_mgd_auth+0xbea/0xdde [mac80211] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211] ? cfg80211_find_elem+0x15/0x29 [cfg80211] ? is_bss+0x1b7/0x1d7 [cfg80211] ieee80211_auth+0x18/0x27 [mac80211] cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211] cfg80211_conn_do_work+0x410/0xb81 [cfg80211] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211] ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? __kasan_check_write+0x14/0x22 ? mutex_lock+0x8e/0xdc ? __pfx_mutex_lock+0x10/0x10 ? __pfx___radix_tree_lookup+0x10/0x10 cfg80211_conn_work+0x245/0x34d [cfg80211] ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211] ? update_cfs_rq_load_avg+0x3bc/0x3d7 ? sched_clock_noinstr+0x9/0x1a ? sched_clock+0x10/0x24 ? sched_clock_cpu+0x7e/0x42e ? newidle_balance+0x796/0x937 ? __pfx_sched_clock_cpu+0x10/0x10 ? __pfx_newidle_balance+0x10/0x10 ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? _raw_spin_unlock+0xe/0x24 ? raw_spin_rq_unlock+0x47/0x54 ? raw_spin_rq_unlock_irq+0x9/0x1f ? finish_task_switch.isra.0+0x347/0x586 ? __schedule+0x27bf/0x2892 ? mutex_unlock+0x80/0xd0 ? do_raw_spin_lock+0x75/0xdb ? __pfx___schedule+0x10/0x10 process_scheduled_works+0x58c/0x821 worker_thread+0x4c7/0x586 ? __kasan_check_read+0x11/0x1f kthread+0x285/0x294 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x6f ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> CVE-2025-21729 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21729.html CVE-2025-21729 https://bugzilla.suse.com/1237874 SUSE Bug 1237874 ** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-21755 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21755.html CVE-2025-21755 https://bugzilla.suse.com/1237882 SUSE Bug 1237882 In the Linux kernel, the following vulnerability has been resolved: net: let net.core.dev_weight always be non-zero The following problem was encountered during stability test: (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \ returned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \ next=ffff88905f746e40. WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \ __list_add_valid_or_report+0xf3/0x130 CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+ RIP: 0010:__list_add_valid_or_report+0xf3/0x130 Call Trace: ? __warn+0xcd/0x250 ? __list_add_valid_or_report+0xf3/0x130 enqueue_to_backlog+0x923/0x1070 netif_rx_internal+0x92/0x2b0 __netif_rx+0x15/0x170 loopback_xmit+0x2ef/0x450 dev_hard_start_xmit+0x103/0x490 __dev_queue_xmit+0xeac/0x1950 ip_finish_output2+0x6cc/0x1620 ip_output+0x161/0x270 ip_push_pending_frames+0x155/0x1a0 raw_sendmsg+0xe13/0x1550 __sys_sendto+0x3bf/0x4e0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x5b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reproduction command is as follows: sysctl -w net.core.dev_weight=0 ping 127.0.0.1 This is because when the napi's weight is set to 0, process_backlog() may return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this napi to be re-polled in net_rx_action() until __do_softirq() times out. Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can be retriggered in enqueue_to_backlog(), causing this issue. Making the napi's weight always non-zero solves this problem. Triggering this issue requires system-wide admin (setting is not namespaced). CVE-2025-21806 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21806.html CVE-2025-21806 https://bugzilla.suse.com/1238746 SUSE Bug 1238746 In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: reallocate buf lists on upgrade IORING_REGISTER_PBUF_RING can reuse an old struct io_buffer_list if it was created for legacy selected buffer and has been emptied. It violates the requirement that most of the field should stay stable after publish. Always reallocate it instead. CVE-2025-21836 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21836.html CVE-2025-21836 https://bugzilla.suse.com/1239066 SUSE Bug 1239066 In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations. CVE-2025-21863 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21863.html CVE-2025-21863 https://bugzilla.suse.com/1239475 SUSE Bug 1239475 In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: bsg: Fix crash when arpmb command fails If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn(). In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len. Memory crash backtrace: 3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22 4,1308,531166555,-;Call Trace: 4,1309,531166559,-; <TASK> 4,1310,531166565,-; ? show_regs+0x6d/0x80 4,1311,531166575,-; ? die+0x37/0xa0 4,1312,531166583,-; ? do_trap+0xd4/0xf0 4,1313,531166593,-; ? do_error_trap+0x71/0xb0 4,1314,531166601,-; ? usercopy_abort+0x6c/0x80 4,1315,531166610,-; ? exc_invalid_op+0x52/0x80 4,1316,531166622,-; ? usercopy_abort+0x6c/0x80 4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20 4,1318,531166643,-; ? usercopy_abort+0x6c/0x80 4,1319,531166652,-; __check_heap_object+0xe3/0x120 4,1320,531166661,-; check_heap_object+0x185/0x1d0 4,1321,531166670,-; __check_object_size.part.0+0x72/0x150 4,1322,531166679,-; __check_object_size+0x23/0x30 4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0 CVE-2025-21873 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21873.html CVE-2025-21873 https://bugzilla.suse.com/1240184 SUSE Bug 1240184 In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Modules linked in: CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:733 ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 ___sys_sendmsg net/socket.c:2627 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7e9998cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock. The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications. The above statement is incorrect, as without locks another process could concur ---truncated--- CVE-2025-21875 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21875.html CVE-2025-21875 https://bugzilla.suse.com/1240168 SUSE Bug 1240168 In the Linux kernel, the following vulnerability has been resolved: uprobes: Reject the shared zeropage in uprobe_write_opcode() We triggered the following crash in syzkaller tests: BUG: Bad page state in process syz.7.38 pfn:1eff3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3 flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff) raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x32/0x50 bad_page+0x69/0xf0 free_unref_page_prepare+0x401/0x500 free_unref_page+0x6d/0x1b0 uprobe_write_opcode+0x460/0x8e0 install_breakpoint.part.0+0x51/0x80 register_for_each_vma+0x1d9/0x2b0 __uprobe_register+0x245/0x300 bpf_uprobe_multi_link_attach+0x29b/0x4f0 link_create+0x1e2/0x280 __sys_bpf+0x75f/0xac0 __x64_sys_bpf+0x1a/0x30 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1 The following syzkaller test case can be used to reproduce: r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8) write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10) r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0) r5 = userfaultfd(0x80801) ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20}) r6 = userfaultfd(0x80801) ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140)) ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2}) ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}}) r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40) The cause is that zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage() and the refcount of zero folio does not increase accordingly. Then, the operation on the same pfn is performed in uprobe_write_opcode()->__replace_page() to unconditional decrease the RSS count and old_folio's refcount. Therefore, two bugs are introduced: 1. The RSS count is incorrect, when process exit, the check_mm() report error "Bad rss-count". 2. The reserved folio (zero folio) is freed when folio->refcount is zero, then free_pages_prepare->free_page_is_bad() report error "Bad page state". There is more, the following warning could also theoretically be triggered: __replace_page() -> ... -> folio_remove_rmap_pte() -> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio) Considering that uprobe hit on the zero folio is a very rare case, just reject zero old folio immediately after get_user_page_vma_remote(). [ mingo: Cleaned up the changelog ] CVE-2025-21881 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21881.html CVE-2025-21881 https://bugzilla.suse.com/1240185 SUSE Bug 1240185 In the Linux kernel, the following vulnerability has been resolved: net: better track kernel sockets lifetime While kernel sockets are dismantled during pernet_operations->exit(), their freeing can be delayed by any tx packets still held in qdisc or device queues, due to skb_set_owner_w() prior calls. This then trigger the following warning from ref_tracker_dir_exit() [1] To fix this, make sure that kernel sockets own a reference on net->passive. Add sk_net_refcnt_upgrade() helper, used whenever a kernel socket is converted to a refcounted one. [1] [ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.263918][ T35] sk_alloc+0x2b3/0x370 [ 136.263918][ T35] inet6_create+0x6ce/0x10f0 [ 136.263918][ T35] __sock_create+0x4c0/0xa30 [ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.263918][ T35] igmp6_net_init+0x39/0x390 [ 136.263918][ T35] ops_init+0x31e/0x590 [ 136.263918][ T35] setup_net+0x287/0x9e0 [ 136.263918][ T35] copy_net_ns+0x33f/0x570 [ 136.263918][ T35] create_new_namespaces+0x425/0x7b0 [ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.263918][ T35] ksys_unshare+0x57d/0xa70 [ 136.263918][ T35] __x64_sys_unshare+0x38/0x40 [ 136.263918][ T35] do_syscall_64+0xf3/0x230 [ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 136.263918][ T35] [ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.343488][ T35] sk_alloc+0x2b3/0x370 [ 136.343488][ T35] inet6_create+0x6ce/0x10f0 [ 136.343488][ T35] __sock_create+0x4c0/0xa30 [ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250 [ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0 [ 136.343488][ T35] ops_init+0x31e/0x590 [ 136.343488][ T35] setup_net+0x287/0x9e0 [ 136.343488][ T35] copy_net_ns+0x33f/0x570 [ 136.343488][ T35] create_new_namespaces+0x425/0x7b0 [ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180 [ 136.343488][ T35] ksys_unshare+0x57d/0xa70 [ 136.343488][ T35] __x64_sys_unshare+0x38/0x40 [ 136.343488][ T35] do_syscall_64+0xf3/0x230 [ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f CVE-2025-21884 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21884.html CVE-2025-21884 https://bugzilla.suse.com/1240171 SUSE Bug 1240171 In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK> CVE-2025-21887 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21887.html CVE-2025-21887 https://bugzilla.suse.com/1240176 SUSE Bug 1240176 In the Linux kernel, the following vulnerability has been resolved: perf/core: Add RCU read lock protection to perf_iterate_ctx() The perf_iterate_ctx() function performs RCU list traversal but currently lacks RCU read lock protection. This causes lockdep warnings when running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y: WARNING: suspicious RCU usage kernel/events/core.c:8168 RCU-list traversed in non-reader section!! Call Trace: lockdep_rcu_suspicious ? perf_event_addr_filters_apply perf_iterate_ctx perf_event_exec begin_new_exec ? load_elf_phdrs load_elf_binary ? lock_acquire ? find_held_lock ? bprm_execve bprm_execve do_execveat_common.isra.0 __x64_sys_execve do_syscall_64 entry_SYSCALL_64_after_hwframe This protection was previously present but was removed in commit bd2756811766 ("perf: Rewrite core context handling"). Add back the necessary rcu_read_lock()/rcu_read_unlock() pair around perf_iterate_ctx() call in perf_event_exec(). [ mingo: Use scoped_guard() as suggested by Peter ] CVE-2025-21889 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21889.html CVE-2025-21889 https://bugzilla.suse.com/1240167 SUSE Bug 1240167 In the Linux kernel, the following vulnerability has been resolved: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC Actually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only ENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash if VFs are used to test one-step timestamp, the crash log as follows. [ 129.110909] Unable to handle kernel paging request at virtual address 00000000000080c0 [ 129.287769] Call trace: [ 129.290219] enetc_port_mac_wr+0x30/0xec (P) [ 129.294504] enetc_start_xmit+0xda4/0xe74 [ 129.298525] enetc_xmit+0x70/0xec [ 129.301848] dev_hard_start_xmit+0x98/0x118 CVE-2025-21894 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21894.html CVE-2025-21894 https://bugzilla.suse.com/1240581 SUSE Bug 1240581 In the Linux kernel, the following vulnerability has been resolved: perf/core: Order the PMU list to fix warning about unordered pmu_ctx_list Syskaller triggers a warning due to prev_epc->pmu != next_epc->pmu in perf_event_swap_task_ctx_data(). vmcore shows that two lists have the same perf_event_pmu_context, but not in the same order. The problem is that the order of pmu_ctx_list for the parent is impacted by the time when an event/PMU is added. While the order for a child is impacted by the event order in the pinned_groups and flexible_groups. So the order of pmu_ctx_list in the parent and child may be different. To fix this problem, insert the perf_event_pmu_context to its proper place after iteration of the pmu_ctx_list. The follow testcase can trigger above warning: # perf record -e cycles --call-graph lbr -- taskset -c 3 ./a.out & # perf stat -e cpu-clock,cs -p xxx // xxx is the pid of a.out test.c void main() { int count = 0; pid_t pid; printf("%d running\n", getpid()); sleep(30); printf("running\n"); pid = fork(); if (pid == -1) { printf("fork error\n"); return; } if (pid == 0) { while (1) { count++; } } else { while (1) { count++; } } } The testcase first opens an LBR event, so it will allocate task_ctx_data, and then open tracepoint and software events, so the parent context will have 3 different perf_event_pmu_contexts. On inheritance, child ctx will insert the perf_event_pmu_context in another order and the warning will trigger. [ mingo: Tidied up the changelog. ] CVE-2025-21895 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21895.html CVE-2025-21895 https://bugzilla.suse.com/1240585 SUSE Bug 1240585 In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have. CVE-2025-21905 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21905.html CVE-2025-21905 https://bugzilla.suse.com/1240575 SUSE Bug 1240575 In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: clean up ROC on failure If the firmware fails to start the session protection, then we do call iwl_mvm_roc_finished() here, but that won't do anything at all because IWL_MVM_STATUS_ROC_P2P_RUNNING was never set. Set IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path. If it started successfully before, it's already set, so that doesn't matter, and if it didn't start it needs to be set to clean up. Not doing so will lead to a WARN_ON() later on a fresh remain- on-channel, since the link is already active when activated as it was never deactivated. CVE-2025-21906 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21906.html CVE-2025-21906 https://bugzilla.suse.com/1240587 SUSE Bug 1240587 In the Linux kernel, the following vulnerability has been resolved: NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback Add PF_KCOMPACTD flag and current_is_kcompactd() helper to check for it so nfs_release_folio() can skip calling nfs_wb_folio() from kcompactd. Otherwise NFS can deadlock waiting for kcompactd enduced writeback which recurses back to NFS (which triggers writeback to NFSD via NFS loopback mount on the same host, NFSD blocks waiting for XFS's call to __filemap_get_folio): 6070.550357] INFO: task kcompactd0:58 blocked for more than 4435 seconds. {--- [58] "kcompactd0" [<0>] folio_wait_bit+0xe8/0x200 [<0>] folio_wait_writeback+0x2b/0x80 [<0>] nfs_wb_folio+0x80/0x1b0 [nfs] [<0>] nfs_release_folio+0x68/0x130 [nfs] [<0>] split_huge_page_to_list_to_order+0x362/0x840 [<0>] migrate_pages_batch+0x43d/0xb90 [<0>] migrate_pages_sync+0x9a/0x240 [<0>] migrate_pages+0x93c/0x9f0 [<0>] compact_zone+0x8e2/0x1030 [<0>] compact_node+0xdb/0x120 [<0>] kcompactd+0x121/0x2e0 [<0>] kthread+0xcf/0x100 [<0>] ret_from_fork+0x31/0x40 [<0>] ret_from_fork_asm+0x1a/0x30 ---} [akpm@linux-foundation.org: fix build] CVE-2025-21908 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21908.html CVE-2025-21908 https://bugzilla.suse.com/1240600 SUSE Bug 1240600 In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject cooked mode if it is set along with other flags It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE flags simultaneously on the same monitor interface from the userspace. This causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit set because the monitor interface is in the cooked state and it takes precedence over all other states. When the interface is then being deleted the kernel calls WARN_ONCE() from check_sdata_in_driver() because of missing that bit. Fix this by rejecting MONITOR_FLAG_COOK_FRAMES if it is set along with other flags. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21909 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21909.html CVE-2025-21909 https://bugzilla.suse.com/1240590 SUSE Bug 1240590 In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons. 1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters. 2) While processing a user regulatory request, between reg_process_hint_user() and regulatory_hint_user() there happens to be a call to queue_regulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[]. Syzbot triggers a warning in is_user_regdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check. Prevent this by enhancing is_an_alpha2() to ensure that incoming symbols are latin letters and nothing else. [1] Syzbot report: ------------[ cut here ]------------ Unexpected user alpha2: A� WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 Modules linked in: CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_power_efficient crda_timeout_work RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline] RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline] RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 ... Call Trace: <TASK> crda_timeout_work+0x27/0x50 net/wireless/reg.c:542 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> CVE-2025-21910 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21910.html CVE-2025-21910 https://bugzilla.suse.com/1240583 SUSE Bug 1240583 In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ] [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted [ 4.239603] ----------------------------- [ 4.239606] kworker/u8:5/76 is trying to lock: [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.239641] other info that might help us debug this: [ 4.239643] context-{5:5} [ 4.239646] 5 locks held by kworker/u8:5/76: [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value. [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c [ 4.254109] #2: ffff00000920c8f8 [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value. [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690 [ 4.264840] #4: [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value. [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690 [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz [ 4.304082] stack backtrace: [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 4.304097] Workqueue: async async_run_entry_fn [ 4.304106] Call trace: [ 4.304110] show_stack+0x14/0x20 (C) [ 4.304122] dump_stack_lvl+0x6c/0x90 [ 4.304131] dump_stack+0x14/0x1c [ 4.304138] __lock_acquire+0xdfc/0x1584 [ 4.426274] lock_acquire+0x1c4/0x33c [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80 [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8 [ 4.444422] __irq_set_trigger+0x5c/0x178 [ 4.448435] __setup_irq+0x2e4/0x690 [ 4.452012] request_threaded_irq+0xc4/0x190 [ 4.456285] devm_request_threaded_irq+0x7c/0xf4 [ 4.459398] ata1: link resume succeeded after 1 retries [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0 [ 4.470660] mmc_start_host+0x50/0xac [ 4.474327] mmc_add_host+0x80/0xe4 [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440 [ 4.482094] renesas_sdhi_probe+0x488/0x6f4 [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78 [ 4.491509] platform_probe+0x64/0xd8 [ 4.495178] really_probe+0xb8/0x2a8 [ 4.498756] __driver_probe_device+0x74/0x118 [ 4.503116] driver_probe_device+0x3c/0x154 [ 4.507303] __device_attach_driver+0xd4/0x160 [ 4.511750] bus_for_each_drv+0x84/0xe0 [ 4.515588] __device_attach_async_helper+0xb0/0xdc [ 4.520470] async_run_entry_fn+0x30/0xd8 [ 4.524481] process_one_work+0x210/0x62c [ 4.528494] worker_thread+0x1ac/0x340 [ 4.532245] kthread+0x10c/0x110 [ 4.535476] ret_from_fork+0x10/0x20 CVE-2025-21912 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21912.html CVE-2025-21912 https://bugzilla.suse.com/1240584 SUSE Bug 1240584 In the Linux kernel, the following vulnerability has been resolved: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() Xen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results in the following warning: unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0) Call Trace: xen_read_msr+0x1e/0x30 amd_get_mmconfig_range+0x2b/0x80 quirk_amd_mmconfig_area+0x28/0x100 pnp_fixup_device+0x39/0x50 __pnp_add_device+0xf/0x150 pnp_add_device+0x3d/0x100 pnpacpi_add_device_handler+0x1f9/0x280 acpi_ns_get_device_callback+0x104/0x1c0 acpi_ns_walk_namespace+0x1d0/0x260 acpi_get_devices+0x8a/0xb0 pnpacpi_init+0x50/0x80 do_one_initcall+0x46/0x2e0 kernel_init_freeable+0x1da/0x2f0 kernel_init+0x16/0x1b0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 based on quirks for a "PNP0c01" device. Treating MMCFG as disabled is the right course of action, so no change is needed there. This was most likely exposed by fixing the Xen MSR accessors to not be silently-safe. CVE-2025-21913 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21913.html CVE-2025-21913 https://bugzilla.suse.com/1240591 SUSE Bug 1240591 In the Linux kernel, the following vulnerability has been resolved: slimbus: messaging: Free transaction ID in delayed interrupt scenario In case of interrupt delay for any reason, slim_do_transfer() returns timeout error but the transaction ID (TID) is not freed. This results into invalid memory access inside qcom_slim_ngd_rx_msgq_cb() due to invalid TID. Fix the issue by freeing the TID in slim_do_transfer() before returning timeout error to avoid invalid memory access. Call trace: __memcpy_fromio+0x20/0x190 qcom_slim_ngd_rx_msgq_cb+0x130/0x290 [slim_qcom_ngd_ctrl] vchan_complete+0x2a0/0x4a0 tasklet_action_common+0x274/0x700 tasklet_action+0x28/0x3c _stext+0x188/0x620 run_ksoftirqd+0x34/0x74 smpboot_thread_fn+0x1d8/0x464 kthread+0x178/0x238 ret_from_fork+0x10/0x20 Code: aa0003e8 91000429 f100044a 3940002b (3800150b) ---[ end trace 0fe00bec2b975c99 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt. CVE-2025-21914 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21914.html CVE-2025-21914 https://bugzilla.suse.com/1240595 SUSE Bug 1240595 In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs. The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users. Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. CVE-2025-21915 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21915.html CVE-2025-21915 https://bugzilla.suse.com/1240594 SUSE Bug 1240594 In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix a flaw in existing endpoint checks Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")). While using usb_find_common_endpoints() may usually be enough to discard devices with wrong endpoints, in this case one needs more than just finding and identifying the sufficient number of endpoints of correct types - one needs to check the endpoint's address as well. Since cxacru_bind() fills URBs with CXACRU_EP_CMD address in mind, switch the endpoint verification approach to usb_check_XXX_endpoints() instead to fix incomplete ep testing. [1] Syzbot report: usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 1378 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... RIP: 0010:usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> cxacru_cm+0x3c8/0xe50 drivers/usb/atm/cxacru.c:649 cxacru_card_status drivers/usb/atm/cxacru.c:760 [inline] cxacru_bind+0xcf9/0x1150 drivers/usb/atm/cxacru.c:1223 usbatm_usb_probe+0x314/0x1d30 drivers/usb/atm/usbatm.c:1058 cxacru_usb_probe+0x184/0x220 drivers/usb/atm/cxacru.c:1377 usb_probe_interface+0x641/0xbb0 drivers/usb/core/driver.c:396 really_probe+0x2b9/0xad0 drivers/base/dd.c:658 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:800 driver_probe_device+0x50/0x430 drivers/base/dd.c:830 ... CVE-2025-21916 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21916.html CVE-2025-21916 https://bugzilla.suse.com/1240582 SUSE Bug 1240582 In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable. CVE-2025-21917 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21917.html CVE-2025-21917 https://bugzilla.suse.com/1240596 SUSE Bug 1240596 In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix NULL pointer access Resources should be released only after all threads that utilize them have been destroyed. This commit ensures that resources are not released prematurely by waiting for the associated workqueue to complete before deallocating them. CVE-2025-21918 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21918.html CVE-2025-21918 https://bugzilla.suse.com/1240592 SUSE Bug 1240592 In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' Wen can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. As you can see the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet. Then it read the first byte of the first 2 bytes to determine the direction. The issue is that only the first byte indicating direction is initialized in current ppp driver code while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000 CVE-2025-21922 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21922.html CVE-2025-21922 https://bugzilla.suse.com/1240639 SUSE Bug 1240639 In the Linux kernel, the following vulnerability has been resolved: HID: hid-steam: Fix use-after-free when detaching device When a hid-steam device is removed it must clean up the client_hdev used for intercepting hidraw access. This can lead to scheduling deferred work to reattach the input device. Though the cleanup cancels the deferred work, this was done before the client_hdev itself is cleaned up, so it gets rescheduled. This patch fixes the ordering to make sure the deferred work is properly canceled. CVE-2025-21923 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21923.html CVE-2025-21923 https://bugzilla.suse.com/1240691 SUSE Bug 1240691 In the Linux kernel, the following vulnerability has been resolved: net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error During the initialization of ptp, hclge_ptp_get_cycle might return an error and returned directly without unregister clock and free it. To avoid that, call hclge_ptp_destroy_clock to unregist and free clock if hclge_ptp_get_cycle failed. CVE-2025-21924 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21924.html CVE-2025-21924 https://bugzilla.suse.com/1240720 SUSE Bug 1240720 In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. CVE-2025-21927 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21927.html CVE-2025-21927 https://bugzilla.suse.com/1240714 SUSE Bug 1240714 In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed. CVE-2025-21928 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21928.html CVE-2025-21928 https://bugzilla.suse.com/1240722 SUSE Bug 1240722 In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't try to talk to a dead firmware This fixes: bad state = 0 WARNING: CPU: 10 PID: 702 at drivers/net/wireless/inel/iwlwifi/iwl-trans.c:178 iwl_trans_send_cmd+0xba/0xe0 [iwlwifi] Call Trace: <TASK> ? __warn+0xca/0x1c0 ? iwl_trans_send_cmd+0xba/0xe0 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4] iwl_fw_dbg_clear_monitor_buf+0xd7/0x110 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a53ad9a531f8d4] _iwl_dbgfs_fw_dbg_clear_write+0xe2/0x120 [iwlmvm 0e8adb18cea92d2c341766bcc10b18699290068a] Ask whether the firmware is alive before sending a command. CVE-2025-21930 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21930.html CVE-2025-21930 https://bugzilla.suse.com/1240715 SUSE Bug 1240715 In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misues when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue. CVE-2025-21934 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21934.html CVE-2025-21934 https://bugzilla.suse.com/1240708 SUSE Bug 1240708 In the Linux kernel, the following vulnerability has been resolved: rapidio: add check for rio_add_net() in rio_scan_alloc_net() The return value of rio_add_net() should be checked. If it fails, put_device() should be called to free the memory and give up the reference initialized in rio_add_net(). CVE-2025-21935 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21935.html CVE-2025-21935 https://bugzilla.suse.com/1240700 SUSE Bug 1240700 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Add check for the return value of mgmt_alloc_skb() in mgmt_device_connected() to prevent null pointer dereference. CVE-2025-21936 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21936.html CVE-2025-21936 https://bugzilla.suse.com/1240716 SUSE Bug 1240716 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Add check for the return value of mgmt_alloc_skb() in mgmt_remote_name() to prevent null pointer dereference. CVE-2025-21937 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21937.html CVE-2025-21937 https://bugzilla.suse.com/1240643 SUSE Bug 1240643 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params Null pointer dereference issue could occur when pipe_ctx->plane_state is null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not null before accessing. This prevents a null pointer dereference. Found by code review. (cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092) CVE-2025-21941 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21941.html CVE-2025-21941 https://bugzilla.suse.com/1240701 SUSE Bug 1240701 In the Linux kernel, the following vulnerability has been resolved: gpio: aggregator: protect driver attr handlers against module unload Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held. Add try_module_get() in these handlers. For new_device_store, this eliminates what appears to be the most dangerous scenario: if an id is allocated from gpio_aggregator_idr but platform_device_register has not yet been called or completed, a concurrent module unload could fail to unregister/delete the device, leaving behind a dangling platform device/GPIO forwarder. This can result in various issues. The following simple reproducer demonstrates these problems: #!/bin/bash while :; do # note: whether 'gpiochip0 0' exists or not does not matter. echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device done & while :; do modprobe gpio-aggregator modprobe -r gpio-aggregator done & wait Starting with the following warning, several kinds of warnings will appear and the system may become unstable: ------------[ cut here ]------------ list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120 [...] RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120 [...] Call Trace: <TASK> ? __list_del_entry_valid_or_report+0xa3/0x120 ? __warn.cold+0x93/0xf2 ? __list_del_entry_valid_or_report+0xa3/0x120 ? report_bug+0xe6/0x170 ? __irq_work_queue_local+0x39/0xe0 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? __list_del_entry_valid_or_report+0xa3/0x120 gpiod_remove_lookup_table+0x22/0x60 new_device_store+0x315/0x350 [gpio_aggregator] kernfs_fop_write_iter+0x137/0x1f0 vfs_write+0x262/0x430 ksys_write+0x60/0xd0 do_syscall_64+0x6c/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> ---[ end trace 0000000000000000 ]--- CVE-2025-21943 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21943.html CVE-2025-21943 https://bugzilla.suse.com/1240647 SUSE Bug 1240647 In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline] BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395 Read of size 8 at addr 0000000000000028 by task syz-executor199/2949 CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 kasan_report+0xd9/0x110 mm/kasan/report.c:602 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:68 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] is_event_supported drivers/input/input.c:67 [inline] input_event+0x42/0xa0 drivers/input/input.c:395 input_report_key include/linux/input.h:439 [inline] key_down drivers/hid/hid-appleir.c:159 [inline] appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111 hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734 dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993 __run_hrtimer kernel/time/hrtimer.c:1739 [inline] __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185 add_timer+0x62/0x90 kernel/time/timer.c:1295 schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98 usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645 usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784 hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> This happens due to the malformed report items sent by the emulated device which results in a report, that has no fields, being added to the report list. Due to this appleir_input_configured() is never called, hidinput_connect() fails which results in the HID_CLAIMED_INPUT flag is not being set. However, it does not make appleir_probe() fail and lets the event callback to be called without the associated input device. Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook early if the driver didn't claim any input_dev for some reason. Moreover, some other hid drivers accessing input_dev in their event callbacks do have similar checks, too. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-21948 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21948.html CVE-2025-21948 https://bugzilla.suse.com/1240703 SUSE Bug 1240703 In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes. CVE-2025-21950 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21950.html CVE-2025-21950 https://bugzilla.suse.com/1240719 SUSE Bug 1240719 In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function internally will take the device_lock() first before resetting the device. By this time, if the lock has already been acquired, then recovery_work will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recovery_work to be completed, it will lead to deadlock. This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock. And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the device_lock() before calling driver's suspend() callback. And if the recovery_work was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD. So to fix both issues, use pci_try_reset_function() in recovery_work. This function first checks for the availability of the device_lock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recovery_work will fail with the error message "Recovery failed" as not much could be done. CVE-2025-21951 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21951.html CVE-2025-21951 https://bugzilla.suse.com/1240718 SUSE Bug 1240718 In the Linux kernel, the following vulnerability has been resolved: net: mana: cleanup mana struct after debugfs_remove() When on a MANA VM hibernation is triggered, as part of hibernate_snapshot(), mana_gd_suspend() and mana_gd_resume() are called. If during this mana_gd_resume(), a failure occurs with HWC creation, mana_port_debugfs pointer does not get reinitialized and ends up pointing to older, cleaned-up dentry. Further in the hibernation path, as part of power_down(), mana_gd_shutdown() is triggered. This call, unaware of the failures in resume, tries to cleanup the already cleaned up mana_port_debugfs value and hits the following bug: [ 191.359296] mana 7870:00:00.0: Shutdown was called [ 191.359918] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 191.360584] #PF: supervisor write access in kernel mode [ 191.361125] #PF: error_code(0x0002) - not-present page [ 191.361727] PGD 1080ea067 P4D 0 [ 191.362172] Oops: Oops: 0002 [#1] SMP NOPTI [ 191.362606] CPU: 11 UID: 0 PID: 1674 Comm: bash Not tainted 6.14.0-rc5+ #2 [ 191.363292] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 [ 191.364124] RIP: 0010:down_write+0x19/0x50 [ 191.364537] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb e8 de cd ff ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 16 65 48 8b 05 88 24 4c 6a 48 89 43 08 48 8b 5d [ 191.365867] RSP: 0000:ff45fbe0c1c037b8 EFLAGS: 00010246 [ 191.366350] RAX: 0000000000000000 RBX: 0000000000000098 RCX: ffffff8100000000 [ 191.366951] RDX: 0000000000000001 RSI: 0000000000000064 RDI: 0000000000000098 [ 191.367600] RBP: ff45fbe0c1c037c0 R08: 0000000000000000 R09: 0000000000000001 [ 191.368225] R10: ff45fbe0d2b01000 R11: 0000000000000008 R12: 0000000000000000 [ 191.368874] R13: 000000000000000b R14: ff43dc27509d67c0 R15: 0000000000000020 [ 191.369549] FS: 00007dbc5001e740(0000) GS:ff43dc663f380000(0000) knlGS:0000000000000000 [ 191.370213] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 191.370830] CR2: 0000000000000098 CR3: 0000000168e8e002 CR4: 0000000000b73ef0 [ 191.371557] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 191.372192] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 191.372906] Call Trace: [ 191.373262] <TASK> [ 191.373621] ? show_regs+0x64/0x70 [ 191.374040] ? __die+0x24/0x70 [ 191.374468] ? page_fault_oops+0x290/0x5b0 [ 191.374875] ? do_user_addr_fault+0x448/0x800 [ 191.375357] ? exc_page_fault+0x7a/0x160 [ 191.375971] ? asm_exc_page_fault+0x27/0x30 [ 191.376416] ? down_write+0x19/0x50 [ 191.376832] ? down_write+0x12/0x50 [ 191.377232] simple_recursive_removal+0x4a/0x2a0 [ 191.377679] ? __pfx_remove_one+0x10/0x10 [ 191.378088] debugfs_remove+0x44/0x70 [ 191.378530] mana_detach+0x17c/0x4f0 [ 191.378950] ? __flush_work+0x1e2/0x3b0 [ 191.379362] ? __cond_resched+0x1a/0x50 [ 191.379787] mana_remove+0xf2/0x1a0 [ 191.380193] mana_gd_shutdown+0x3b/0x70 [ 191.380642] pci_device_shutdown+0x3a/0x80 [ 191.381063] device_shutdown+0x13e/0x230 [ 191.381480] kernel_power_off+0x35/0x80 [ 191.381890] hibernate+0x3c6/0x470 [ 191.382312] state_store+0xcb/0xd0 [ 191.382734] kobj_attr_store+0x12/0x30 [ 191.383211] sysfs_kf_write+0x3e/0x50 [ 191.383640] kernfs_fop_write_iter+0x140/0x1d0 [ 191.384106] vfs_write+0x271/0x440 [ 191.384521] ksys_write+0x72/0xf0 [ 191.384924] __x64_sys_write+0x19/0x20 [ 191.385313] x64_sys_call+0x2b0/0x20b0 [ 191.385736] do_syscall_64+0x79/0x150 [ 191.386146] ? __mod_memcg_lruvec_state+0xe7/0x240 [ 191.386676] ? __lruvec_stat_mod_folio+0x79/0xb0 [ 191.387124] ? __pfx_lru_add+0x10/0x10 [ 191.387515] ? queued_spin_unlock+0x9/0x10 [ 191.387937] ? do_anonymous_page+0x33c/0xa00 [ 191.388374] ? __handle_mm_fault+0xcf3/0x1210 [ 191.388805] ? __count_memcg_events+0xbe/0x180 [ 191.389235] ? handle_mm_fault+0xae/0x300 [ 19 ---truncated--- CVE-2025-21953 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21953.html CVE-2025-21953 https://bugzilla.suse.com/1240727 SUSE Bug 1240727 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT. It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests. Also fixes the indentation in get_norm_pix_clk. (cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775) CVE-2025-21956 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21956.html CVE-2025-21956 https://bugzilla.suse.com/1240739 SUSE Bug 1240739 In the Linux kernel, the following vulnerability has been resolved: scsi: qla1280: Fix kernel oops when debug level > 2 A null dereference or oops exception will eventually occur when qla1280.c driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I think its clear from the code that the intention here is sg_dma_len(s) not length of sg_next(s) when printing the debug info. CVE-2025-21957 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21957.html CVE-2025-21957 https://bugzilla.suse.com/1240742 SUSE Bug 1240742 In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info, but it updates ip_summed value too if checksum offload is enabled. This is actually duplicate work. When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed is CHECKSUM_NONE or not. It means that ip_summed should be CHECKSUM_NONE at this moment. But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the XDP-MB-PASS path. So the by skb_checksum_none_assert() WARNS about it. This is duplicate work and updating ip_summed in the bnxt_xdp_build_skb() is not needed. Splat looks like: WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_] CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27 Tainted: [W]=WARN Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en] Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f RSP: 0018:ffff88881ba09928 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000 RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8 RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070 R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080 R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000 FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0xcd/0x2f0 ? bnxt_rx_pkt+0x479b/0x7610 ? report_bug+0x326/0x3c0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x16/0x20 ? bnxt_rx_pkt+0x479b/0x7610 ? bnxt_rx_pkt+0x3e41/0x7610 ? __pfx_bnxt_rx_pkt+0x10/0x10 ? napi_complete_done+0x2cf/0x7d0 __bnxt_poll_work+0x4e8/0x1220 ? __pfx___bnxt_poll_work+0x10/0x10 ? __pfx_mark_lock.part.0+0x10/0x10 bnxt_poll_p5+0x36a/0xfa0 ? __pfx_bnxt_poll_p5+0x10/0x10 __napi_poll.constprop.0+0xa0/0x440 net_rx_action+0x899/0xd00 ... Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue. CVE-2025-21960 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21960.html CVE-2025-21960 https://bugzilla.suse.com/1240815 SUSE Bug 1240815 In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix truesize for mb-xdp-pass case When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but the skb_shared_info was wiped by napi_build_skb() before. So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it instead of getting skb_shared_info from xdp_get_shared_info_from_buff(). Splat looks like: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590 Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3 RIP: 0010:skb_try_coalesce+0x504/0x590 Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99 RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287 RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0 RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003 RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900 R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740 R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ? __warn+0x84/0x130 ? skb_try_coalesce+0x504/0x590 ? report_bug+0x18a/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? skb_try_coalesce+0x504/0x590 inet_frag_reasm_finish+0x11f/0x2e0 ip_defrag+0x37a/0x900 ip_local_deliver+0x51/0x120 ip_sublist_rcv_finish+0x64/0x70 ip_sublist_rcv+0x179/0x210 ip_list_rcv+0xf9/0x130 How to reproduce: <Node A> ip link set $interface1 xdp obj xdp_pass.o ip link set $interface1 mtu 9000 up ip a a 10.0.0.1/24 dev $interface1 <Node B> ip link set $interfac2 mtu 9000 up ip a a 10.0.0.2/24 dev $interface2 ping 10.0.0.1 -s 65000 Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be able to reproduce this issue. CVE-2025-21961 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21961.html CVE-2025-21961 https://bugzilla.suse.com/1240816 SUSE Bug 1240816 In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init CVE-2025-21966 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21966.html CVE-2025-21966 https://bugzilla.suse.com/1240779 SUSE Bug 1240779 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) CVE-2025-21968 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21968.html CVE-2025-21968 https://bugzilla.suse.com/1240783 SUSE Bug 1240783 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1] BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837 CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci1 hci_rx_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline] l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline] l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline] hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5837: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726 hci_event_func net/bluetooth/hci_event.c:7473 [inline] hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 54: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline] hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- CVE-2025-21969 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21969.html CVE-2025-21969 https://bugzilla.suse.com/1240784 SUSE Bug 1240784 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for bond is deleted, and the entry will never be aged because lastuse is never updated. To make things worse, as the entry is alive, mlx5 bridge workqueue keeps sending that event, which is then handled by kernel bridge notifier. It causes the following crash when accessing the passed bond netdev which is already destroyed. To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"), driver still need to skip offload if LAG becomes invalid state after initialization. Oops: stack segment: 0000 [#1] SMP CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core] RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge] Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7 RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297 RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0 RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60 R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? die+0x38/0x60 ? do_trap+0x10b/0x120 ? do_error_trap+0x64/0xa0 ? exc_stack_segment+0x33/0x50 ? asm_exc_stack_segment+0x22/0x30 ? br_switchdev_event+0x2c/0x110 [bridge] ? sched_balance_newidle.isra.149+0x248/0x390 notifier_call_chain+0x4b/0xa0 atomic_notifier_call_chain+0x16/0x20 mlx5_esw_bridge_update+0xec/0x170 [mlx5_core] mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core] process_scheduled_works+0x81/0x390 worker_thread+0x106/0x250 ? bh_worker+0x110/0x110 kthread+0xb7/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 </TASK> CVE-2025-21970 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21970.html CVE-2025-21970 https://bugzilla.suse.com/1240819 SUSE Bug 1240819 In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal. CVE-2025-21971 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21971.html CVE-2025-21971 https://bugzilla.suse.com/1240799 SUSE Bug 1240799 In the Linux kernel, the following vulnerability has been resolved: net: mctp: unshare packets when reassembling Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular references between fragments and their skb_shared_info. The upcoming MCTP-over-USB driver uses skb_clone which can trigger the problem - other MCTP drivers don't share SKBs. A kunit test is added to reproduce the issue. CVE-2025-21972 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21972.html CVE-2025-21972 https://bugzilla.suse.com/1240813 SUSE Bug 1240813 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: handle errors in mlx5_chains_create_table() In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and return error pointer. CVE-2025-21975 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21975.html CVE-2025-21975 https://bugzilla.suse.com/1240812 SUSE Bug 1240812 In the Linux kernel, the following vulnerability has been resolved: drm/hyperv: Fix address space leak when Hyper-V DRM device is removed When a Hyper-V DRM device is probed, the driver allocates MMIO space for the vram, and maps it cacheable. If the device removed, or in the error path for device probing, the MMIO space is released but no unmap is done. Consequently the kernel address space for the mapping is leaked. Fix this by adding iounmap() calls in the device removal path, and in the error path during device probing. CVE-2025-21978 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21978.html CVE-2025-21978 https://bugzilla.suse.com/1240806 SUSE Bug 1240806 In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventally gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy. CVE-2025-21979 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21979.html CVE-2025-21979 https://bugzilla.suse.com/1240808 SUSE Bug 1240808 In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two cases: - as part of VSI initialization (at probe), and - as part of reset handling However, VSI reconfiguration executed during reset involves memory allocation one more time, without prior releasing already allocated resources. This led to the memory leak with the following signature: [root@os-delivery ~]# cat /sys/kernel/debug/kmemleak unreferenced object 0xff3c1ca7252e6000 (size 8192): comm "kworker/0:0", pid 8, jiffies 4296833052 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<ffffffff991ec485>] __kmalloc_cache_noprof+0x275/0x340 [<ffffffffc0a6e06a>] ice_init_arfs+0x3a/0xe0 [ice] [<ffffffffc09f1027>] ice_vsi_cfg_def+0x607/0x850 [ice] [<ffffffffc09f244b>] ice_vsi_setup+0x5b/0x130 [ice] [<ffffffffc09c2131>] ice_init+0x1c1/0x460 [ice] [<ffffffffc09c64af>] ice_probe+0x2af/0x520 [ice] [<ffffffff994fbcd3>] local_pci_probe+0x43/0xa0 [<ffffffff98f07103>] work_for_cpu_fn+0x13/0x20 [<ffffffff98f0b6d9>] process_one_work+0x179/0x390 [<ffffffff98f0c1e9>] worker_thread+0x239/0x340 [<ffffffff98f14abc>] kthread+0xcc/0x100 [<ffffffff98e45a6d>] ret_from_fork+0x2d/0x50 [<ffffffff98e083ba>] ret_from_fork_asm+0x1a/0x30 ... CVE-2025-21981 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21981.html CVE-2025-21981 https://bugzilla.suse.com/1240612 SUSE Bug 1240612 In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ] CVE-2025-21991 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21991.html CVE-2025-21991 https://bugzilla.suse.com/1240795 SUSE Bug 1240795 In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:1, 3:1 ffffffff:ffffffff Add this device to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace. CVE-2025-21992 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21992.html CVE-2025-21992 https://bugzilla.suse.com/1240796 SUSE Bug 1240796 In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. CVE-2025-21993 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21993.html CVE-2025-21993 https://bugzilla.suse.com/1240797 SUSE Bug 1240797 In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix fence reference count leak The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails. Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper balance. [phasta: add git tag info for stable kernel] CVE-2025-21995 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21995.html CVE-2025-21995 https://bugzilla.suse.com/1240821 SUSE Bug 1240821 In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68) CVE-2025-21996 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-21996.html CVE-2025-21996 https://bugzilla.suse.com/1240801 SUSE Bug 1240801 In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug. CVE-2025-22001 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22001.html CVE-2025-22001 https://bugzilla.suse.com/1240873 SUSE Bug 1240873 In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)). Let's consider below buffers: dest[len + 1]; /* will be NUL terminated */ src[len]; /* may not be NUL terminated */ When doing: strncpy(dest, src, len); dest[len] = '\0'; strncpy() will read up to len bytes from src. On the other hand: strscpy(dest, src, len + 1); will read up to len + 1 bytes from src, that is to say, an out of bound read of one byte will occur on src if it is not NUL terminated. Note that the src[len] byte is never copied, but strscpy() still needs to read it to check whether a truncation occurred or not. This exact pattern happened in ucan. The root cause is that the source is not NUL terminated. Instead of doing a copy in a local buffer, directly NUL terminate it as soon as usb_control_msg() returns. With this, the local firmware_str[] variable can be removed. On top of this do a couple refactors: - ucan_ctl_payload->raw is only used for the firmware string, so rename it to ucan_ctl_payload->fw_str and change its type from u8 to char. - ucan_device_request_in() is only used to retrieve the firmware string, so rename it to ucan_get_fw_str() and refactor it to make it directly handle all the string termination logic. CVE-2025-22003 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22003.html CVE-2025-22003 https://bugzilla.suse.com/1240825 SUSE Bug 1240825 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. CVE-2025-22007 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22007.html CVE-2025-22007 https://bugzilla.suse.com/1240829 SUSE Bug 1240829 In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it. CVE-2025-22008 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22008.html CVE-2025-22008 https://bugzilla.suse.com/1240942 SUSE Bug 1240942 In the Linux kernel, the following vulnerability has been resolved: regulator: dummy: force synchronous probing Sometimes I get a NULL pointer dereference at boot time in kobject_get() with the following call stack: anatop_regulator_probe() devm_regulator_register() regulator_register() regulator_resolve_supply() kobject_get() By placing some extra BUG_ON() statements I could verify that this is raised because probing of the 'dummy' regulator driver is not completed ('dummy_regulator_rdev' is still NULL). In the JTAG debugger I can see that dummy_regulator_probe() and anatop_regulator_probe() can be run by different kernel threads (kworker/u4:*). I haven't further investigated whether this can be changed or if there are other possibilities to force synchronization between these two probe routines. On the other hand I don't expect much boot time penalty by probing the 'dummy' regulator synchronously. CVE-2025-22009 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22009.html CVE-2025-22009 https://bugzilla.suse.com/1240940 SUSE Bug 1240940 In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup during bt pages loop Driver runs a for-loop when allocating bt pages and mapping them with buffer pages. When a large buffer (e.g. MR over 100GB) is being allocated, it may require a considerable loop count. This will lead to soft lockup: watchdog: BUG: soft lockup - CPU#27 stuck for 22s! ... Call trace: hem_list_alloc_mid_bt+0x124/0x394 [hns_roce_hw_v2] hns_roce_hem_list_request+0xf8/0x160 [hns_roce_hw_v2] hns_roce_mtr_create+0x2e4/0x360 [hns_roce_hw_v2] alloc_mr_pbl+0xd4/0x17c [hns_roce_hw_v2] hns_roce_reg_user_mr+0xf8/0x190 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x118/0x290 watchdog: BUG: soft lockup - CPU#35 stuck for 23s! ... Call trace: hns_roce_hem_list_find_mtt+0x7c/0xb0 [hns_roce_hw_v2] mtr_map_bufs+0xc4/0x204 [hns_roce_hw_v2] hns_roce_mtr_create+0x31c/0x3c4 [hns_roce_hw_v2] alloc_mr_pbl+0xb0/0x160 [hns_roce_hw_v2] hns_roce_reg_user_mr+0x108/0x1c0 [hns_roce_hw_v2] ib_uverbs_reg_mr+0x120/0x2bc Add a cond_resched() to fix soft lockup during these loops. In order not to affect the allocation performance of normal-size buffer, set the loop count of a 100GB MR as the threshold to call cond_resched(). CVE-2025-22010 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22010.html CVE-2025-22010 https://bugzilla.suse.com/1240943 SUSE Bug 1240943 In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including: * Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger: https://issues.redhat.com/browse/RHEL-68997 * Host SVE state is discarded *after* modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state. * The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory. Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches. Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit: 8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving") ... and so this eager save+flush probably needs to be backported to ALL stable trees. CVE-2025-22013 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22013.html CVE-2025-22013 https://bugzilla.suse.com/1240938 SUSE Bug 1240938 In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pdr: Fix the potential deadlock When some client process A call pdr_add_lookup() to add the look up for the service and does schedule locator work, later a process B got a new server packet indicating locator is up and call pdr_locator_new_server() which eventually sets pdr->locator_init_complete to true which process A sees and takes list lock and queries domain list but it will timeout due to deadlock as the response will queued to the same qmi->wq and it is ordered workqueue and process B is not able to complete new server request work due to deadlock on list lock. Fix it by removing the unnecessary list iteration as the list iteration is already being done inside locator work, so avoid it here and just call schedule_work() here. Process A Process B process_scheduled_works() pdr_add_lookup() qmi_data_ready_work() process_scheduled_works() pdr_locator_new_server() pdr->locator_init_complete=true; pdr_locator_work() mutex_lock(&pdr->list_lock); pdr_locate_service() mutex_lock(&pdr->list_lock); pdr_get_domain_list() pr_err("PDR: %s get domain list txn wait failed: %d\n", req->service_name, ret); Timeout error log due to deadlock: " PDR: tms/servreg get domain list txn wait failed: -110 PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 " Thanks to Bjorn and Johan for letting me know that this commit also fixes an audio regression when using the in-kernel pd-mapper as that makes it easier to hit this race. [1] CVE-2025-22014 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-22014.html CVE-2025-22014 https://bugzilla.suse.com/1240937 SUSE Bug 1240937 A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache. CVE-2025-2312 SUSE Linux Micro 6.1:kernel-devel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-30-rt-1-1.3 SUSE Linux Micro 6.1:kernel-rt-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-devel-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-rt-livepatch-6.4.0-30.1 SUSE Linux Micro 6.1:kernel-source-rt-6.4.0-30.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520283-1/ https://www.suse.com/security/cve/CVE-2025-2312.html CVE-2025-2312 https://bugzilla.suse.com/1239680 SUSE Bug 1239680