<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for the Linux Kernel</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2025:20475-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-07-11T15:14:18Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-07-11T15:14:18Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-07-11T15:14:18Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for the Linux Kernel</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">

The SUSE Linux Enterprise Micro 6.0 and 6.1 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

- CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913).
- CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982).
- CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859).
- CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610).
- CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577).
- CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686).
- CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814).
- CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544).
- CVE-2025-22111: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572).
- CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515).
- CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521).
- CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725).
- CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907).
- CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051).
- CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060).
- CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467).
- CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480).
- CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551).
- CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620).
- CVE-2025-37938: tracing: Verify event formats that have "%*p.." (bsc#1243544).
- CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538).
- CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523).
- CVE-2025-37992: net_sched: Flush gso_skb list too during -&gt;change() (bsc#1243698).
- CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827).
- CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
- CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
- CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
- CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729).
- CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999).
- CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746).
- CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862).
- CVE-2025-38060: bpf: abort verification if env-&gt;cur_state-&gt;loop_entry != NULL (bsc#1245155).
- CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743).

The following non-security bugs were fixed:

- ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes).
- ACPI: battery: negate current when discharging (stable-fixes).
- ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes).
- ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes).
- ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes).
- ACPICA: fix acpi parse and parseext cache leaks (stable-fixes).
- ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes).
- ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes).
- ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes).
- ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes).
- ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes).
- ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes).
- ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes).
- ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes).
- ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes).
- ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes).
- ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes).
- ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes).
- ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes).
- ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes).
- ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes).
- ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes).
- ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes).
- ALSA: usb-audio: Support multiple control interfaces (stable-fixes).
- ALSA: usb-audio: Support read-only clock selector control (stable-fixes).
- ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes).
- ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes).
- ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes).
- ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes).
- ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes).
- Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes).
- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes).
- Bluetooth: MGMT: Fix sparse errors (git-fixes).
- Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes).
- Bluetooth: Remove pending ACL connection attempts (stable-fixes).
- Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes).
- Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes).
- Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes).
- Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes).
- Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes).
- Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes).
- Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes).
- HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes).
- HID: wacom: fix kobject reference count leak (git-fixes).
- HID: wacom: fix memory leak on kobject creation failure (git-fixes).
- HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes).
- Input: sparcspkr - avoid unannotated fall-through (stable-fixes).
- KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225).
- NFC: nci: uart: Set tty-&gt;disc_data only in success path (git-fixes).
- PCI/DPC: Log Error Source ID only when valid (git-fixes).
- PCI/DPC: Use defines with DPC reason fields (git-fixes).
- PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes).
- PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes).
- PCI: apple: Set only available ports up (git-fixes).
- PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes).
- PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes).
- PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes).
- PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes).
- RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes)
- RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes)
- Revert "ALSA: usb-audio: Skip setting clock selector for single connections" (stable-fixes).
- Revert "arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes)
- Revert "ipv6: save dontfrag in cork (git-fixes)."
- Revert "kABI: ipv6: save dontfrag in cork (git-fixes)."
- USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes).
- add bug reference to existing hv_storvsc change (bsc#1245455).
- arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes)
- ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes).
- ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes).
- ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes).
- bnxt: properly flush XDP redirect lists (git-fixes).
- bpf: Force uprobe bpf program to always return 0 (git-fixes).
- btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes).
- btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes).
- btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes).
- btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes).
- btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes).
- btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes).
- bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes).
- calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes).
- can: tcan4x5x: fix power regulator retrieval during probe (git-fixes).
- ceph: Fix incorrect flush end position calculation (git-fixes).
- ceph: allocate sparse_ext map only for sparse reads (git-fixes).
- ceph: fix memory leaks in __ceph_sync_read() (git-fixes).
- cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166).
- clocksource: Fix brown-bag boolean thinko in (git-fixes)
- clocksource: Make watchdog and suspend-timing multiplication (git-fixes)
- devlink: Fix referring to hw_addr attribute during state validation (git-fixes).
- devlink: fix port dump cmd type (git-fixes).
- drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes).
- drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes).
- drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes).
- drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes).
- drm/i915: fix build error some more (git-fixes).
- drm/msm/disp: Correct porch timing for SDM845 (git-fixes).
- drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes).
- drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes).
- drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes).
- e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes).
- fbcon: Make sure modelist not set on unregistered console (stable-fixes).
- fgraph: Still initialize idle shadow stacks when starting (git-fixes).
- firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes).
- gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes).
- gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes).
- gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes).
- hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes).
- hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes).
- hwmon: (occ) Rework attribute registration for stack usage (git-fixes).
- hwmon: (occ) fix unaligned accesses (git-fixes).
- hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes).
- hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes).
- i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes).
- i2c: npcm: Add clock toggle recovery (stable-fixes).
- i2c: robotfuzz-osif: disable zero-length read messages (git-fixes).
- i2c: tiny-usb: disable zero-length read messages (git-fixes).
- i40e: retry VFLR handling if there is ongoing VF reset (git-fixes).
- i40e: return false from i40e_reset_vf if reset is in progress (git-fixes).
- ice: Fix LACP bonds without SRIOV environment (git-fixes).
- ice: create new Tx scheduler nodes for new queues only (git-fixes).
- ice: fix Tx scheduler error handling in XDP callback (git-fixes).
- ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes).
- ice: fix vf-&gt;num_mac count with port representors (git-fixes).
- ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650).
- iommu: Skip PASID validation for devices without PASID capability (bsc#1244100)
- iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100)
- isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774).
- kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes).
- kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes).
- kabi: restore layout of struct cgroup_subsys (bsc#1241166).
- kabi: restore layout of struct mem_control (jsc#PED-12551).
- kabi: restore layout of struct page_counter (jsc#PED-12551).
- loop: add file_start_write() and file_end_write() (git-fixes).
- md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes).
- mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
- mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551).
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
- mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
- mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551).
- mmc: Add quirk to disable DDR50 tuning (stable-fixes).
- net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes).
- net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes).
- net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes).
- net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes).
- net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes).
- net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes).
- net/mlx5: Fix return value when searching for existing flow group (git-fixes).
- net/mlx5_core: Add error handling in mlx5_query_nic_vport_qkey_viol_cntr() (git-fixes).
- net/mlx5e: Fix leak of Geneve TLV option object (git-fixes).
- net/sched: fix use-after-free in taprio_dev_notifier (git-fixes).
- net: Fix TOCTOU issue in sk_is_readable() (git-fixes).
- net: ice: Perform accurate aRFS flow match (git-fixes).
- net: mana: Add support for Multi Vports on Bare metal (bsc#1244229).
- net: mana: Record doorbell physical address in PF mode (bsc#1244229).
- net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538)
- net_sched: ets: fix a race in ets_qdisc_change() (git-fixes).
- net_sched: prio: fix a race in prio_tune() (git-fixes).
- net_sched: red: fix a race in __red_change() (git-fixes).
- net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
- net_sched: sch_sfq: reject invalid perturb period (git-fixes).
- net_sched: tbf: fix a race in tbf_change() (git-fixes).
- netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes).
- netlink: specs: dpll: replace underscores with dashes in names (git-fixes).
- nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes).
- ntp: Clamp maxerror and esterror to operating range (git-fixes)
- ntp: Remove invalid cast in time offset math (git-fixes)
- ntp: Safeguard against time_constant overflow (git-fixes)
- nvme-fc: do not reference lsrsp after failure (bsc#1245193).
- nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes).
- nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes).
- nvme-pci: add quirks for device 126f:1001 (git-fixes).
- nvme: always punt polled uring_cmd end_io work to task_work (git-fixes).
- nvme: fix command limits status code (git-fixes).
- nvme: fix implicit bool to flags conversion (git-fixes).
- nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193).
- nvmet-fc: take tgtport refs for portentry (bsc#1245193).
- nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193).
- nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193).
- nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193).
- nvmet-fcloop: do not wait for lport cleanup (bsc#1245193).
- nvmet-fcloop: drop response if targetport is gone (bsc#1245193).
- nvmet-fcloop: prevent double port deletion (bsc#1245193).
- nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193).
- nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193).
- nvmet-fcloop: remove nport from list on last user (bsc#1245193).
- nvmet-fcloop: track ref counts for nports (bsc#1245193).
- nvmet-fcloop: update refs on tfcp_req (bsc#1245193).
- pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes).
- pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes).
- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes).
- pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes).
- pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes).
- pinctrl: st: Drop unused st_gpio_bank() function (git-fixes).
- platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes).
- platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes).
- platform/x86: dell_rbu: Fix list usage (git-fixes).
- platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes).
- platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes).
- power: supply: bq27xxx: Retrieve again when busy (stable-fixes).
- power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes).
- powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199).
- powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
- powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
- ptp: remove ptp-&gt;n_vclocks check logic in ptp_vclock_in_use() (git-fixes).
- r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes).
- regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes).
- rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725)
- rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes).
- rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes).
- s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226).
- s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228).
- scsi: dc395x: Remove DEBUG conditional compilation (git-fixes).
- scsi: dc395x: Remove leftover if statement in reselect() (git-fixes).
- scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes).
- scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes).
- scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes).
- scsi: mpi3mr: Add level check to control event logging (git-fixes).
- scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes).
- scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes).
- scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes).
- scsi: st: ERASE does not change tape location (git-fixes).
- scsi: st: Restore some drive settings after reset (git-fixes).
- scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes).
- scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
- scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes).
- serial: imx: Restore original RXTL for console to fix data loss (git-fixes).
- serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes).
- serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes).
- software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes).
- staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes).
- struct usci: hide additional member (git-fixes).
- sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes).
- thunderbolt: Do not double dequeue a configuration request (stable-fixes).
- timekeeping: Fix bogus clock_was_set() invocation in (git-fixes)
- timekeeping: Fix cross-timestamp interpolation corner case (git-fixes)
- timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes)
- timekeeping: Fix cross-timestamp interpolation on counter (git-fixes)
- trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes).
- tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes).
- tracing: Add __print_dynamic_array() helper (bsc#1243544).
- tracing: Add __string_len() example (bsc#1243544).
- tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes).
- tracing: Fix compilation warning on arm32 (bsc#1243551).
- tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes).
- struct dwc3 hide new member wakeup_pending_funcs (git-fixes).
- ucsi_debugfs_entry: hide signedness change (git-fixes).
- uprobes: Use kzalloc to allocate xol area (git-fixes).
- usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes).
- usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes).
- usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes).
- usb: typec: ucsi: Only enable supported notifications (git-fixes).
- usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes).
- usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes).
- usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes).
- usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes).
- usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes).
- vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626).
- vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626).
- vmxnet3: update MTU after device quiesce (bsc#1244626).
- watchdog: da9052_wdt: respect TWDMIN (stable-fixes).
- watchdog: fix watchdog may detect false positive of softlockup (stable-fixes).
- watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes).
- watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes).
- wifi: ath11k: Fix QMI memory reuse logic (stable-fixes).
- wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes).
- wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes).
- wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes).
- wifi: ath11k: do not wait when there is no vdev started (git-fixes).
- wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes).
- wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes).
- wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847).
- wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes).
- wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes).
- wifi: ath12k: fix a possible dead lock caused by ab-&gt;base_lock (stable-fixes).
- wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes).
- wifi: ath12k: fix incorrect CE addresses (stable-fixes).
- wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes).
- wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes).
- wifi: carl9170: do not ping device which has failed to load firmware (git-fixes).
- wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes).
- wifi: iwlwifi: pcie: make sure to lock rxq-&gt;read (stable-fixes).
- wifi: mac80211: VLAN traffic in multicast path (stable-fixes).
- wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes).
- wifi: mac80211: fix beacon interval calculation overflow (git-fixes).
- wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes).
- wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes).
- wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes).
- wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes).
- wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes).
- x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes).
- x86/microcode/AMD: Add get_patch_level() (git-fixes).
- x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes).
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes).
- x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes).
- x86/microcode: Consolidate the loader enablement checking (git-fixes).
- x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes).
- x86/xen: fix balloon target initialization for PVH dom0 (git-fixes).
- xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes)
- xen/x86: fix initial memory balloon target (git-fixes).
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-SLE-Micro-6.1-kernel-50</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      <Description>Link for SUSE-SU-2025:20475-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-updates/2025-July/040855.html</URL>
      <Description>E-Mail link for SUSE-SU-2025:20475-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1210025</URL>
      <Description>SUSE Bug 1210025</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1211226</URL>
      <Description>SUSE Bug 1211226</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1215199</URL>
      <Description>SUSE Bug 1215199</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1218184</URL>
      <Description>SUSE Bug 1218184</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1223008</URL>
      <Description>SUSE Bug 1223008</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1235490</URL>
      <Description>SUSE Bug 1235490</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1236208</URL>
      <Description>SUSE Bug 1236208</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1237312</URL>
      <Description>SUSE Bug 1237312</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1237913</URL>
      <Description>SUSE Bug 1237913</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1238859</URL>
      <Description>SUSE Bug 1238859</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1238982</URL>
      <Description>SUSE Bug 1238982</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1240577</URL>
      <Description>SUSE Bug 1240577</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1240610</URL>
      <Description>SUSE Bug 1240610</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1240686</URL>
      <Description>SUSE Bug 1240686</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1240814</URL>
      <Description>SUSE Bug 1240814</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1241166</URL>
      <Description>SUSE Bug 1241166</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1241278</URL>
      <Description>SUSE Bug 1241278</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1241414</URL>
      <Description>SUSE Bug 1241414</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1241544</URL>
      <Description>SUSE Bug 1241544</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1241572</URL>
      <Description>SUSE Bug 1241572</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1241592</URL>
      <Description>SUSE Bug 1241592</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242504</URL>
      <Description>SUSE Bug 1242504</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242515</URL>
      <Description>SUSE Bug 1242515</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242521</URL>
      <Description>SUSE Bug 1242521</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242556</URL>
      <Description>SUSE Bug 1242556</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242725</URL>
      <Description>SUSE Bug 1242725</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1242907</URL>
      <Description>SUSE Bug 1242907</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243051</URL>
      <Description>SUSE Bug 1243051</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243060</URL>
      <Description>SUSE Bug 1243060</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243342</URL>
      <Description>SUSE Bug 1243342</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243467</URL>
      <Description>SUSE Bug 1243467</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243480</URL>
      <Description>SUSE Bug 1243480</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243506</URL>
      <Description>SUSE Bug 1243506</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243523</URL>
      <Description>SUSE Bug 1243523</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243538</URL>
      <Description>SUSE Bug 1243538</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243544</URL>
      <Description>SUSE Bug 1243544</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243551</URL>
      <Description>SUSE Bug 1243551</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243620</URL>
      <Description>SUSE Bug 1243620</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243698</URL>
      <Description>SUSE Bug 1243698</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243774</URL>
      <Description>SUSE Bug 1243774</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243823</URL>
      <Description>SUSE Bug 1243823</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243827</URL>
      <Description>SUSE Bug 1243827</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243832</URL>
      <Description>SUSE Bug 1243832</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243847</URL>
      <Description>SUSE Bug 1243847</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244100</URL>
      <Description>SUSE Bug 1244100</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244145</URL>
      <Description>SUSE Bug 1244145</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244172</URL>
      <Description>SUSE Bug 1244172</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244176</URL>
      <Description>SUSE Bug 1244176</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244229</URL>
      <Description>SUSE Bug 1244229</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244234</URL>
      <Description>SUSE Bug 1244234</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244241</URL>
      <Description>SUSE Bug 1244241</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244274</URL>
      <Description>SUSE Bug 1244274</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244275</URL>
      <Description>SUSE Bug 1244275</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244277</URL>
      <Description>SUSE Bug 1244277</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244309</URL>
      <Description>SUSE Bug 1244309</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244313</URL>
      <Description>SUSE Bug 1244313</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244337</URL>
      <Description>SUSE Bug 1244337</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244626</URL>
      <Description>SUSE Bug 1244626</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244725</URL>
      <Description>SUSE Bug 1244725</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244727</URL>
      <Description>SUSE Bug 1244727</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244729</URL>
      <Description>SUSE Bug 1244729</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244731</URL>
      <Description>SUSE Bug 1244731</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244732</URL>
      <Description>SUSE Bug 1244732</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244736</URL>
      <Description>SUSE Bug 1244736</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244737</URL>
      <Description>SUSE Bug 1244737</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244738</URL>
      <Description>SUSE Bug 1244738</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244739</URL>
      <Description>SUSE Bug 1244739</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244743</URL>
      <Description>SUSE Bug 1244743</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244746</URL>
      <Description>SUSE Bug 1244746</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244759</URL>
      <Description>SUSE Bug 1244759</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244789</URL>
      <Description>SUSE Bug 1244789</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244862</URL>
      <Description>SUSE Bug 1244862</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244906</URL>
      <Description>SUSE Bug 1244906</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244938</URL>
      <Description>SUSE Bug 1244938</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244995</URL>
      <Description>SUSE Bug 1244995</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244996</URL>
      <Description>SUSE Bug 1244996</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1244999</URL>
      <Description>SUSE Bug 1244999</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245001</URL>
      <Description>SUSE Bug 1245001</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245003</URL>
      <Description>SUSE Bug 1245003</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245004</URL>
      <Description>SUSE Bug 1245004</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245025</URL>
      <Description>SUSE Bug 1245025</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245042</URL>
      <Description>SUSE Bug 1245042</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245046</URL>
      <Description>SUSE Bug 1245046</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245078</URL>
      <Description>SUSE Bug 1245078</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245081</URL>
      <Description>SUSE Bug 1245081</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245082</URL>
      <Description>SUSE Bug 1245082</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245083</URL>
      <Description>SUSE Bug 1245083</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245155</URL>
      <Description>SUSE Bug 1245155</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245183</URL>
      <Description>SUSE Bug 1245183</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245193</URL>
      <Description>SUSE Bug 1245193</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245210</URL>
      <Description>SUSE Bug 1245210</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245217</URL>
      <Description>SUSE Bug 1245217</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245225</URL>
      <Description>SUSE Bug 1245225</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245226</URL>
      <Description>SUSE Bug 1245226</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245228</URL>
      <Description>SUSE Bug 1245228</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245431</URL>
      <Description>SUSE Bug 1245431</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1245455</URL>
      <Description>SUSE Bug 1245455</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-26831/</URL>
      <Description>SUSE CVE CVE-2024-26831 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-56613/</URL>
      <Description>SUSE CVE CVE-2024-56613 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-56699/</URL>
      <Description>SUSE CVE CVE-2024-56699 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-57982/</URL>
      <Description>SUSE CVE CVE-2024-57982 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-58053/</URL>
      <Description>SUSE CVE CVE-2024-58053 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21658/</URL>
      <Description>SUSE CVE CVE-2025-21658 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21720/</URL>
      <Description>SUSE CVE CVE-2025-21720 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21898/</URL>
      <Description>SUSE CVE CVE-2025-21898 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21899/</URL>
      <Description>SUSE CVE CVE-2025-21899 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21920/</URL>
      <Description>SUSE CVE CVE-2025-21920 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-21959/</URL>
      <Description>SUSE CVE CVE-2025-21959 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-22035/</URL>
      <Description>SUSE CVE CVE-2025-22035 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-22083/</URL>
      <Description>SUSE CVE CVE-2025-22083 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-22111/</URL>
      <Description>SUSE CVE CVE-2025-22111 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-22120/</URL>
      <Description>SUSE CVE CVE-2025-22120 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37756/</URL>
      <Description>SUSE CVE CVE-2025-37756 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37757/</URL>
      <Description>SUSE CVE CVE-2025-37757 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37786/</URL>
      <Description>SUSE CVE CVE-2025-37786 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37811/</URL>
      <Description>SUSE CVE CVE-2025-37811 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37859/</URL>
      <Description>SUSE CVE CVE-2025-37859 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37884/</URL>
      <Description>SUSE CVE CVE-2025-37884 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37909/</URL>
      <Description>SUSE CVE CVE-2025-37909 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37921/</URL>
      <Description>SUSE CVE CVE-2025-37921 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37923/</URL>
      <Description>SUSE CVE CVE-2025-37923 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37927/</URL>
      <Description>SUSE CVE CVE-2025-37927 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37938/</URL>
      <Description>SUSE CVE CVE-2025-37938 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37945/</URL>
      <Description>SUSE CVE CVE-2025-37945 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37946/</URL>
      <Description>SUSE CVE CVE-2025-37946 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37961/</URL>
      <Description>SUSE CVE CVE-2025-37961 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37973/</URL>
      <Description>SUSE CVE CVE-2025-37973 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37992/</URL>
      <Description>SUSE CVE CVE-2025-37992 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37994/</URL>
      <Description>SUSE CVE CVE-2025-37994 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37995/</URL>
      <Description>SUSE CVE CVE-2025-37995 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-37997/</URL>
      <Description>SUSE CVE CVE-2025-37997 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38000/</URL>
      <Description>SUSE CVE CVE-2025-38000 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38001/</URL>
      <Description>SUSE CVE CVE-2025-38001 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38003/</URL>
      <Description>SUSE CVE CVE-2025-38003 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38004/</URL>
      <Description>SUSE CVE CVE-2025-38004 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38005/</URL>
      <Description>SUSE CVE CVE-2025-38005 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38007/</URL>
      <Description>SUSE CVE CVE-2025-38007 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38009/</URL>
      <Description>SUSE CVE CVE-2025-38009 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38010/</URL>
      <Description>SUSE CVE CVE-2025-38010 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38011/</URL>
      <Description>SUSE CVE CVE-2025-38011 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38013/</URL>
      <Description>SUSE CVE CVE-2025-38013 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38014/</URL>
      <Description>SUSE CVE CVE-2025-38014 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38015/</URL>
      <Description>SUSE CVE CVE-2025-38015 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38018/</URL>
      <Description>SUSE CVE CVE-2025-38018 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38020/</URL>
      <Description>SUSE CVE CVE-2025-38020 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38022/</URL>
      <Description>SUSE CVE CVE-2025-38022 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38023/</URL>
      <Description>SUSE CVE CVE-2025-38023 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38024/</URL>
      <Description>SUSE CVE CVE-2025-38024 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38027/</URL>
      <Description>SUSE CVE CVE-2025-38027 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38031/</URL>
      <Description>SUSE CVE CVE-2025-38031 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38040/</URL>
      <Description>SUSE CVE CVE-2025-38040 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38043/</URL>
      <Description>SUSE CVE CVE-2025-38043 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38044/</URL>
      <Description>SUSE CVE CVE-2025-38044 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38045/</URL>
      <Description>SUSE CVE CVE-2025-38045 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38053/</URL>
      <Description>SUSE CVE CVE-2025-38053 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38057/</URL>
      <Description>SUSE CVE CVE-2025-38057 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38059/</URL>
      <Description>SUSE CVE CVE-2025-38059 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38060/</URL>
      <Description>SUSE CVE CVE-2025-38060 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38065/</URL>
      <Description>SUSE CVE CVE-2025-38065 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38068/</URL>
      <Description>SUSE CVE CVE-2025-38068 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38072/</URL>
      <Description>SUSE CVE CVE-2025-38072 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38077/</URL>
      <Description>SUSE CVE CVE-2025-38077 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38078/</URL>
      <Description>SUSE CVE CVE-2025-38078 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38079/</URL>
      <Description>SUSE CVE CVE-2025-38079 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38080/</URL>
      <Description>SUSE CVE CVE-2025-38080 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38081/</URL>
      <Description>SUSE CVE CVE-2025-38081 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-38083/</URL>
      <Description>SUSE CVE CVE-2025-38083 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Linux Micro 6.1">
      <Branch Type="Product Name" Name="SUSE Linux Micro 6.1">
        <FullProductName ProductID="SUSE Linux Micro 6.1" CPE="cpe:/o:suse:sl-micro:6.1">SUSE Linux Micro 6.1</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-6.4.0-31.1">
      <FullProductName ProductID="kernel-default-6.4.0-31.1">kernel-default-6.4.0-31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-base-6.4.0-31.1.21.9">
      <FullProductName ProductID="kernel-default-base-6.4.0-31.1.21.9">kernel-default-base-6.4.0-31.1.21.9</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-devel-6.4.0-31.1">
      <FullProductName ProductID="kernel-default-devel-6.4.0-31.1">kernel-default-devel-6.4.0-31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-default-livepatch-6.4.0-31.1">
      <FullProductName ProductID="kernel-default-livepatch-6.4.0-31.1">kernel-default-livepatch-6.4.0-31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-devel-6.4.0-31.1">
      <FullProductName ProductID="kernel-devel-6.4.0-31.1">kernel-devel-6.4.0-31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-kvmsmall-6.4.0-31.1">
      <FullProductName ProductID="kernel-kvmsmall-6.4.0-31.1">kernel-kvmsmall-6.4.0-31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-macros-6.4.0-31.1">
      <FullProductName ProductID="kernel-macros-6.4.0-31.1">kernel-macros-6.4.0-31.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kernel-source-6.4.0-31.1">
      <FullProductName ProductID="kernel-source-6.4.0-31.1">kernel-source-6.4.0-31.1</FullProductName>
    </Branch>
    <Relationship ProductReference="kernel-default-6.4.0-31.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1">kernel-default-6.4.0-31.1 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-base-6.4.0-31.1.21.9" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9">kernel-default-base-6.4.0-31.1.21.9 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-devel-6.4.0-31.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1">kernel-default-devel-6.4.0-31.1 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-default-livepatch-6.4.0-31.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1">kernel-default-livepatch-6.4.0-31.1 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-devel-6.4.0-31.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1">kernel-devel-6.4.0-31.1 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-kvmsmall-6.4.0-31.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1">kernel-kvmsmall-6.4.0-31.1 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-macros-6.4.0-31.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1">kernel-macros-6.4.0-31.1 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
    <Relationship ProductReference="kernel-source-6.4.0-31.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.1">
      <FullProductName ProductID="SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1">kernel-source-6.4.0-31.1 as a component of SUSE Linux Micro 6.1</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/handshake: Fix handshake_req_destroy_test1

Recently, handshake_req_destroy_test1 started failing:

Expected handshake_req_destroy_test == req, but
    handshake_req_destroy_test == 0000000000000000
    req == 0000000060f99b40
not ok 11 req_destroy works

This is because "sock_release(sock)" was replaced with "fput(filp)"
to address a memory leak. Note that sock_release() is synchronous
but fput() usually delays the final close and clean-up.

The delay is not consequential in the other cases that were changed
but handshake_req_destroy_test1 is testing that handshake_req_cancel()
followed by closing the file actually does call the -&gt;hp_destroy
method. Thus the PTR_EQ test at the end has to be sure that the
final close is complete before it checks the pointer.

We cannot use a completion here because if -&gt;hp_destroy is never
called (ie, there is an API bug) then the test will hang.

Reported by: Guenter Roeck &lt;linux@roeck-us.net&gt;</Note>
    </Notes>
    <CVE>CVE-2024-26831</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-26831.html</URL>
        <Description>CVE-2024-26831</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1223008</URL>
        <Description>SUSE Bug 1223008</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sched/numa: fix memory leak due to the overwritten vma-&gt;numab_state

[Problem Description]
When running the hackbench program of LTP, the following memory leak is
reported by kmemleak.

  # /opt/ltp/testcases/bin/hackbench 20 thread 1000
  Running with 20*40 (== 800) tasks.

  # dmesg | grep kmemleak
  ...
  kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
  kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

  # cat /sys/kernel/debug/kmemleak
  unreferenced object 0xffff888cd8ca2c40 (size 64):
    comm "hackbench", pid 17142, jiffies 4299780315
    hex dump (first 32 bytes):
      ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00  .tI.....L.I.....
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    backtrace (crc bff18fd4):
      [&lt;ffffffff81419a89&gt;] __kmalloc_cache_noprof+0x2f9/0x3f0
      [&lt;ffffffff8113f715&gt;] task_numa_work+0x725/0xa00
      [&lt;ffffffff8110f878&gt;] task_work_run+0x58/0x90
      [&lt;ffffffff81ddd9f8&gt;] syscall_exit_to_user_mode+0x1c8/0x1e0
      [&lt;ffffffff81dd78d5&gt;] do_syscall_64+0x85/0x150
      [&lt;ffffffff81e0012b&gt;] entry_SYSCALL_64_after_hwframe+0x76/0x7e
  ...

This issue can be consistently reproduced on three different servers:
  * a 448-core server
  * a 256-core server
  * a 192-core server

[Root Cause]
Since multiple threads are created by the hackbench program (along with
the command argument 'thread'), a shared vma might be accessed by two or
more cores simultaneously. When two or more cores observe that
vma-&gt;numab_state is NULL at the same time, vma-&gt;numab_state will be
overwritten.

Although current code ensures that only one thread scans the VMAs in a
single 'numa_scan_period', there might be a chance for another thread
to enter in the next 'numa_scan_period' while we have not gotten till
numab_state allocation [1].

Note that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000`
cannot reproduce the issue. It is verified with 200+ test runs.

[Solution]
Use the cmpxchg atomic operation to ensure that only one thread executes
the vma-&gt;numab_state assignment.

[1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/</Note>
    </Notes>
    <CVE>CVE-2024-56613</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-56613.html</URL>
        <Description>CVE-2024-56613</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244176</URL>
        <Description>SUSE Bug 1244176</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/pci: Fix potential double remove of hotplug slot

In commit 6ee600bfbe0f ("s390/pci: remove hotplug slot when releasing the
device") the zpci_exit_slot() was moved from zpci_device_reserved() to
zpci_release_device() with the intention of keeping the hotplug slot
around until the device is actually removed.

Now zpci_release_device() is only called once all references are
dropped. Since the zPCI subsystem only drops its reference once the
device is in the reserved state it follows that zpci_release_device()
must only deal with devices in the reserved state. Despite that it
contains code to tear down from both configured and standby state. For
the standby case this already includes the removal of the hotplug slot
so would cause a double removal if a device was ever removed in
either configured or standby state.

Instead of causing a potential double removal in a case that should
never happen explicitly WARN_ON() if a device in non-reserved state is
released and get rid of the dead code cases.</Note>
    </Notes>
    <CVE>CVE-2024-56699</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-56699.html</URL>
        <Description>CVE-2024-56699</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1235490</URL>
        <Description>SUSE Bug 1235490</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

xfrm: state: fix out-of-bounds read during lookup

lookup and resize can run in parallel.

The xfrm_state_hash_generation seqlock ensures a retry, but the hash
functions can observe a hmask value that is too large for the new hlist
array.

rehash does:
  rcu_assign_pointer(net-&gt;xfrm.state_bydst, ndst) [..]
  net-&gt;xfrm.state_hmask = nhashmask;

While state lookup does:
  h = xfrm_dst_hash(net, daddr, saddr, tmpl-&gt;reqid, encap_family);
  hlist_for_each_entry_rcu(x, net-&gt;xfrm.state_bydst + h, bydst) {

This is only safe in case the update to state_bydst is larger than
net-&gt;xfrm.xfrm_state_hmask (or if the lookup function gets
serialized via state spinlock again).

Fix this by prefetching state_hmask and the associated pointers.
The xfrm_state_hash_generation seqlock retry will ensure that the pointer
and the hmask will be consistent.

The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side,
add lockdep assertions to document that they are only safe for insert
side.

xfrm_state_lookup_byaddr() uses the spinlock rather than RCU.
AFAICS this is an oversight from back when state lookup was converted to
RCU, this lock should be replaced with RCU in a future patch.</Note>
    </Notes>
    <CVE>CVE-2024-57982</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-57982.html</URL>
        <Description>CVE-2024-57982</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1237913</URL>
        <Description>SUSE Bug 1237913</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix handling of received connection abort

Fix the handling of a connection abort that we've received.  Though the
abort is at the connection level, it needs propagating to the calls on that
connection.  Whilst the propagation bit is performed, the calls aren't then
woken up to go and process their termination, and as no further input is
forthcoming, they just hang.

Also add some tracing for the logging of connection aborts.</Note>
    </Notes>
    <CVE>CVE-2024-58053</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-58053.html</URL>
        <Description>CVE-2024-58053</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1238982</URL>
        <Description>SUSE Bug 1238982</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="6">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid NULL pointer dereference if no valid extent tree

[BUG]
Syzbot reported a crash with the following call trace:

  BTRFS info (device loop0): scrub: started on devid 1
  BUG: kernel NULL pointer dereference, address: 0000000000000208
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0
  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G           O       6.13.0-rc4-custom+ #206
  Tainted: [O]=OOT_MODULE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
  RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]
  Call Trace:
   &lt;TASK&gt;
   scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]
   scrub_simple_mirror+0x175/0x260 [btrfs]
   scrub_stripe+0x5d4/0x6c0 [btrfs]
   scrub_chunk+0xbb/0x170 [btrfs]
   scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]
   btrfs_scrub_dev+0x240/0x600 [btrfs]
   btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]
   ? do_sys_openat2+0xa5/0xf0
   __x64_sys_ioctl+0x97/0xc0
   do_syscall_64+0x4f/0x120
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   &lt;/TASK&gt;

[CAUSE]
The reproducer is using a corrupted image where extent tree root is
corrupted, thus forcing to use "rescue=all,ro" mount option to mount the
image.

Then it triggered a scrub, but since scrub relies on extent tree to find
where the data/metadata extents are, scrub_find_fill_first_stripe()
relies on a non-empty extent root.

But unfortunately scrub_find_fill_first_stripe() doesn't really expect
a NULL pointer for extent root, it uses extent_root to grab fs_info and
triggered a NULL pointer dereference.

[FIX]
Add an extra check for a valid extent root at the beginning of
scrub_find_fill_first_stripe().

The new error path is introduced by 42437a6386ff ("btrfs: introduce
mount option rescue=ignorebadroots"), but that's pretty old, and later
commit b979547513ff ("btrfs: scrub: introduce helper to find and fill
sector info for a scrub_stripe") changed how we do scrub.

So for kernels older than 6.6, the fix will need manual backport.</Note>
    </Notes>
    <CVE>CVE-2025-21658</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21658.html</URL>
        <Description>CVE-2025-21658</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1236208</URL>
        <Description>SUSE Bug 1236208</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="7">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

xfrm: delete intermediate secpath entry in packet offload mode

Packets handled by hardware have added secpath as a way to inform XFRM
core code that this path was already handled. That secpath is not needed
at all after policy is checked and it is removed later in the stack.

However, in the case where IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward),
that secpath is not removed and packets which already were handled are reentered
to the driver TX path with xfrm_offload set.

The following kernel panic is observed in mlx5 in such case:

 mlx5_core 0000:04:00.0 enp4s0f0np0: Link up
 mlx5_core 0000:04:00.1 enp4s0f1np1: Link up
 Initializing XFRM netlink socket
 IPsec XFRM device driver
 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor instruction fetch in kernel mode
 #PF: error_code(0x0010) - not-present page
 PGD 0 P4D 0
 Oops: Oops: 0010 [#1] PREEMPT SMP
 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 RIP: 0010:0x0
 Code: Unable to access opcode bytes at 0xffffffffffffffd6.
 RSP: 0018:ffffb87380003800 EFLAGS: 00010206
 RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf
 RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00
 RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010
 R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00
 R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e
 FS:  0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0
 Call Trace:
  &lt;IRQ&gt;
  ? show_regs+0x63/0x70
  ? __die_body+0x20/0x60
  ? __die+0x2b/0x40
  ? page_fault_oops+0x15c/0x550
  ? do_user_addr_fault+0x3ed/0x870
  ? exc_page_fault+0x7f/0x190
  ? asm_exc_page_fault+0x27/0x30
  mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core]
  mlx5e_xmit+0x58e/0x1980 [mlx5_core]
  ? __fib_lookup+0x6a/0xb0
  dev_hard_start_xmit+0x82/0x1d0
  sch_direct_xmit+0xfe/0x390
  __dev_queue_xmit+0x6d8/0xee0
  ? __fib_lookup+0x6a/0xb0
  ? internal_add_timer+0x48/0x70
  ? mod_timer+0xe2/0x2b0
  neigh_resolve_output+0x115/0x1b0
  __neigh_update+0x26a/0xc50
  neigh_update+0x14/0x20
  arp_process+0x2cb/0x8e0
  ? __napi_build_skb+0x5e/0x70
  arp_rcv+0x11e/0x1c0
  ? dev_gro_receive+0x574/0x820
  __netif_receive_skb_list_core+0x1cf/0x1f0
  netif_receive_skb_list_internal+0x183/0x2a0
  napi_complete_done+0x76/0x1c0
  mlx5e_napi_poll+0x234/0x7a0 [mlx5_core]
  __napi_poll+0x2d/0x1f0
  net_rx_action+0x1a6/0x370
  ? atomic_notifier_call_chain+0x3b/0x50
  ? irq_int_handler+0x15/0x20 [mlx5_core]
  handle_softirqs+0xb9/0x2f0
  ? handle_irq_event+0x44/0x60
  irq_exit_rcu+0xdb/0x100
  common_interrupt+0x98/0xc0
  &lt;/IRQ&gt;
  &lt;TASK&gt;
  asm_common_interrupt+0x27/0x40
 RIP: 0010:pv_native_safe_halt+0xb/0x10
 Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22
 0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb
40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8
 RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680
 RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4
 RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70
 R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40
 R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8
  ? default_idle+0x9/0x20
  arch_cpu_idle+0x9/0x10
  default_idle_call+0x29/0xf0
  do_idle+0x1f2/0x240
  cpu_startup_entry+0x2c/0x30
  rest_init+0xe7/0x100
  start_kernel+0x76b/0xb90
  x86_64_start_reservations+0x18/0x30
  x86_64_start_kernel+0xc0/0x110
  ? setup_ghcb+0xe/0x130
  common_startup_64+0x13e/0x141
  &lt;/TASK&gt;
 Modules linked in: esp4_offload esp4 xfrm_interface
xfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-21720</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21720.html</URL>
        <Description>CVE-2025-21720</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1238859</URL>
        <Description>SUSE Bug 1238859</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="8">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ftrace: Avoid potential division by zero in function_stat_show()

Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64}
produces zero and skip stddev computation in that case.

For now don't care about rec-&gt;counter * rec-&gt;counter overflow because
rec-&gt;time * rec-&gt;time overflow will likely happen earlier.</Note>
    </Notes>
    <CVE>CVE-2025-21898</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21898.html</URL>
        <Description>CVE-2025-21898</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1240610</URL>
        <Description>SUSE Bug 1240610</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="9">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix bad hist from corrupting named_triggers list

The following commands cause a crash:

 ~# cd /sys/kernel/tracing/events/rcu/rcu_callback
 ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' &gt; trigger
 bash: echo: write error: Invalid argument
 ~# echo 'hist:name=bad:keys=common_pid' &gt; trigger

Because the following occurs:

event_trigger_write() {
  trigger_process_regex() {
    event_hist_trigger_parse() {

      data = event_trigger_alloc(..);

      event_trigger_register(.., data) {
        cmd_ops-&gt;reg(.., data, ..) [hist_register_trigger()] {
          data-&gt;ops-&gt;init() [event_hist_trigger_init()] {
            save_named_trigger(name, data) {
              list_add(&amp;data-&gt;named_list, &amp;named_triggers);
            }
          }
        }
      }

      ret = create_actions(); (return -EINVAL)
      if (ret)
        goto out_unreg;
[..]
      ret = hist_trigger_enable(data, ...) {
        list_add_tail_rcu(&amp;data-&gt;list, &amp;file-&gt;triggers); &lt;&lt;&lt;---- SKIPPED!!! (this is important!)
[..]
 out_unreg:
      event_hist_unregister(.., data) {
        cmd_ops-&gt;unreg(.., data, ..) [hist_unregister_trigger()] {
          list_for_each_entry(iter, &amp;file-&gt;triggers, list) {
            if (!hist_trigger_match(data, iter, named_data, false))   &lt;- never matches
                continue;
            [..]
            test = iter;
          }
          if (test &amp;&amp; test-&gt;ops-&gt;free) &lt;&lt;&lt;-- test is NULL

            test-&gt;ops-&gt;free(test) [event_hist_trigger_free()] {
              [..]
              if (data-&gt;name)
                del_named_trigger(data) {
                  list_del(&amp;data-&gt;named_list);  &lt;&lt;&lt;&lt;-- NEVER gets removed!
                }
              }
           }
         }

         [..]
         kfree(data); &lt;&lt;&lt;-- frees item but it is still on list

The next time a hist with name is registered, it causes a u-a-f bug and
the kernel can crash.

Move the code around such that if event_trigger_register() succeeds, the
next thing called is hist_trigger_enable() which adds it to the list.

A bunch of actions is called if get_named_trigger_data() returns false.
But that doesn't need to be called after event_trigger_register(), so it
can be moved up, allowing event_trigger_register() to be called just
before hist_trigger_enable() keeping them together and allowing the
file-&gt;triggers to be properly populated.</Note>
    </Notes>
    <CVE>CVE-2025-21899</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21899.html</URL>
        <Description>CVE-2025-21899</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1240577</URL>
        <Description>SUSE Bug 1240577</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="10">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

vlan: enforce underlying device type

Currently, VLAN devices can be created on top of non-ethernet devices.

Besides the fact that it doesn't make much sense, this also causes a
bug which leaks the address of a kernel function to usermode.

When creating a VLAN device, we initialize GARP (garp_init_applicant)
and MRP (mrp_init_applicant) for the underlying device.

As part of the initialization process, we add the multicast address of
each applicant to the underlying device, by calling dev_mc_add.

__dev_mc_add uses dev-&gt;addr_len to determine the length of the new
multicast address.

This causes an out-of-bounds read if dev-&gt;addr_len is greater than 6,
since the multicast addresses provided by GARP and MRP are only 6
bytes long.

This behaviour can be reproduced using the following commands:

ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo
ip l set up dev gretest
ip link add link gretest name vlantest type vlan id 100

Then, the following command will display the address of garp_pdu_rcv:

ip maddr show | grep 01:80:c2:00:00:21

Fix the bug by enforcing the type of the underlying device during VLAN
device initialization.</Note>
    </Notes>
    <CVE>CVE-2025-21920</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21920.html</URL>
        <Description>CVE-2025-21920</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1240686</URL>
        <Description>SUSE Bug 1240686</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="11">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
collection confirm race"), `cpu` and `jiffies32` were introduced to
the struct nf_conncount_tuple.

The commit made nf_conncount_add() initialize `conn-&gt;cpu` and
`conn-&gt;jiffies32` when allocating the struct.
In contrast, count_tree() was not changed to initialize them.

By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and
traversal"), count_tree() was split and the relevant allocation
code now resides in insert_tree().
Initialize `conn-&gt;cpu` and `conn-&gt;jiffies32` in insert_tree().

BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]
BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
 find_or_evict net/netfilter/nf_conncount.c:117 [inline]
 __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
 count_tree net/netfilter/nf_conncount.c:438 [inline]
 nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521
 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
 __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
 nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
 NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
 ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
 __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
 __netif_receive_skb_list net/core/dev.c:6035 [inline]
 netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
 xdp_recv_frames net/bpf/test_run.c:280 [inline]
 xdp_test_run_batch net/bpf/test_run.c:361 [inline]
 bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
 __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171
 insert_tree net/netfilter/nf_conncount.c:372 [inline]
 count_tree net/netfilter/nf_conncount.c:450 [inline]
 nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521
 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
 __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
 nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
 NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
 ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
 ip_list_rcv+0x9ef/0xa40 net/ip
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-21959</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-21959.html</URL>
        <Description>CVE-2025-21959</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1240814</URL>
        <Description>SUSE Bug 1240814</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="12">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

Kairui reported a UAF issue in print_graph_function_flags() during
ftrace stress testing [1]. This issue can be reproduced if putting a
'mdelay(10)' after 'mutex_unlock(&amp;trace_types_lock)' in s_start(),
and executing the following script:

  $ echo function_graph &gt; current_tracer
  $ cat trace &gt; /dev/null &amp;
  $ sleep 5  # Ensure the 'cat' reaches the 'mdelay(10)' point
  $ echo timerlat &gt; current_tracer

The root cause lies in the two calls to print_graph_function_flags
within print_trace_line during each s_show():

  * One through 'iter-&gt;trace-&gt;print_line()';
  * Another through 'event-&gt;funcs-&gt;trace()', which is hidden in
    print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues
to use the print_line function of the old tracer, which in the script
above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the
'timerlat' tracer, s_start only calls graph_trace_close of the
'function_graph' tracer to free 'iter-&gt;private', but does not set
it to NULL. This provides an opportunity for 'event-&gt;funcs-&gt;trace()'
to use an invalid 'iter-&gt;private'.

To fix this issue, set 'iter-&gt;private' to NULL immediately after
freeing it in graph_trace_close(), ensuring that an invalid pointer
is not passed to other tracers. Additionally, clean up the unnecessary
'iter-&gt;private = NULL' during each 'cat trace' when using wakeup and
irqsoff tracers.

 [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/</Note>
    </Notes>
    <CVE>CVE-2025-22035</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-22035.html</URL>
        <Description>CVE-2025-22035</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1241544</URL>
        <Description>SUSE Bug 1241544</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="13">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

If vhost_scsi_set_endpoint is called multiple times without a
vhost_scsi_clear_endpoint between them, we can hit multiple bugs
found by Haoran Zhang:

1. Use-after-free when no tpgs are found:

This fixes a use after free that occurs when vhost_scsi_set_endpoint is
called more than once and calls after the first call do not find any
tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds
tpgs to add to the vs_tpg array match=true, so we will do:

vhost_vq_set_backend(vq, vs_tpg);
...

kfree(vs-&gt;vs_tpg);
vs-&gt;vs_tpg = vs_tpg;

If vhost_scsi_set_endpoint is called again and no tpgs are found
match=false so we skip the vhost_vq_set_backend call leaving the
pointer to the vs_tpg we then free via:

kfree(vs-&gt;vs_tpg);
vs-&gt;vs_tpg = vs_tpg;

If a scsi request is then sent we do:

vhost_scsi_handle_vq -&gt; vhost_scsi_get_req -&gt; vhost_vq_get_backend

which sees the vs_tpg we just did a kfree on.

2. Tpg dir removal hang:

This patch fixes an issue where we cannot remove a LIO/target layer
tpg (and structs above it like the target) dir due to the refcount
dropping to -1.

The problem is that if vhost_scsi_set_endpoint detects a tpg is already
in the vs-&gt;vs_tpg array or if the tpg has been removed so
target_depend_item fails, the undepend goto handler will do
target_undepend_item on all tpgs in the vs_tpg array dropping their
refcount to 0. At this time vs_tpg contains both the tpgs we have added
in the current vhost_scsi_set_endpoint call as well as tpgs we added in
previous calls which are also in vs-&gt;vs_tpg.

Later, when vhost_scsi_clear_endpoint runs it will do
target_undepend_item on all the tpgs in the vs-&gt;vs_tpg which will drop
their refcount to -1. Userspace will then not be able to remove the tpg
and will hang when it tries to do rmdir on the tpg dir.

3. Tpg leak:

This fixes a bug where we can leak tpgs and cause them to be
un-removable because the target name is overwritten when
vhost_scsi_set_endpoint is called multiple times but with different
target names.

The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and set up
a vhost-scsi device to target/tpg mapping, then calls
VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we
haven't seen before (target1 has tpg1 but target2 has tpg2). When this
happens we don't tear down the old target tpg mapping and just overwrite
the target name and the vs-&gt;vs_tpg array. Later when we do
vhost_scsi_clear_endpoint, we are passed in either target1 or target2's
name and we will only match that target's tpgs when we loop over the
vs-&gt;vs_tpg. We will then return from the function without doing
target_undepend_item on the tpgs.

Because of all these bugs, it looks like being able to call
vhost_scsi_set_endpoint multiple times was never supported. The major
user, QEMU, already has checks to prevent this use case. So to fix the
issues, this patch prevents vhost_scsi_set_endpoint from being called
if it's already successfully added tpgs. To add, remove or change the
tpg config or target name, you must do a vhost_scsi_clear_endpoint
first.</Note>
    </Notes>
    <CVE>CVE-2025-22083</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-22083.html</URL>
        <Description>CVE-2025-22083</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1241414</URL>
        <Description>SUSE Bug 1241414</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="14">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.

SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.

Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.

In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.

In the race window, Thread B could acquire RTNL and try to remove
the bridge device.  Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.

Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.

  Thread A (SIOCBRDELIF)           Thread B (SIOCBRDELBR)
  ----------------------           ----------------------
  sock_ioctl                       sock_ioctl
  `- sock_do_ioctl                 `- br_ioctl_call
     `- dev_ioctl                     `- br_ioctl_stub
        |- rtnl_lock                     |
        |- dev_ifsioc                    '
        '  |- dev = __dev_get_by_name(...)
           |- netdev_hold(dev, ...)      .
       /   |- rtnl_unlock  ------.       |
       |   |- br_ioctl_call       `---&gt;  |- rtnl_lock
  Race |   |  `- br_ioctl_stub           |- br_del_bridge
  Window   |     |                       |  |- dev = __dev_get_by_name(...)
       |   |     |  May take long        |  `- br_dev_delete(dev, ...)
       |   |     |  under RTNL pressure  |     `- unregister_netdevice_queue(dev, ...)
       |   |     |               |       `- rtnl_unlock
       \   |     |- rtnl_lock  &lt;-'          `- netdev_run_todo
           |     |- ...                        `- netdev_run_todo
           |     `- rtnl_unlock                   |- __rtnl_unlock
           |                                      |- netdev_wait_allrefs_any
           |- netdev_put(dev, ...)  &lt;----------------'
                                                Wait refcnt decrement
                                                and log splat below

To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.

In the dev_ioctl() path, we do the following:

  1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
  2. Check CAP_NET_ADMIN in dev_ioctl()
  3. Call dev_load() in dev_ioctl()
  4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()

3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().

Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.

SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.

[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
     __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
     netdev_hold include/linux/netdevice.h:4311 [inline]
     dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
     dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
     sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
     sock_ioctl+0x23a/0x6c0 net/socket.c:1318
     vfs_ioctl fs/ioctl.c:51 [inline]
     __do_sys_ioctl fs/ioctl.c:906 [inline]
     __se_sys_ioctl fs/ioctl.c:892 [inline]
     __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f</Note>
    </Notes>
    <CVE>CVE-2025-22111</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-22111.html</URL>
        <Description>CVE-2025-22111</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1241572</URL>
        <Description>SUSE Bug 1241572</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="15">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ext4: goto right label 'out_mmap_sem' in ext4_setattr()

Otherwise, if ext4_inode_attach_jinode() fails, a hung task will
happen because filemap_invalidate_unlock() isn't called to unlock
mapping-&gt;invalidate_lock. Like this:

EXT4-fs error (device sda) in ext4_setattr:5557: Out of memory
INFO: task fsstress:374 blocked for more than 122 seconds.
      Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726
"echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:fsstress state:D stack:0     pid:374   tgid:374   ppid:373
                                  task_flags:0x440140 flags:0x00000000
Call Trace:
 &lt;TASK&gt;
 __schedule+0x2c9/0x7f0
 schedule+0x27/0xa0
 schedule_preempt_disabled+0x15/0x30
 rwsem_down_read_slowpath+0x278/0x4c0
 down_read+0x59/0xb0
 page_cache_ra_unbounded+0x65/0x1b0
 filemap_get_pages+0x124/0x3e0
 filemap_read+0x114/0x3d0
 vfs_read+0x297/0x360
 ksys_read+0x6c/0xe0
 do_syscall_64+0x4b/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e</Note>
    </Notes>
    <CVE>CVE-2025-22120</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-22120.html</URL>
        <Description>CVE-2025-22120</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1241592</URL>
        <Description>SUSE Bug 1241592</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="16">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: tls: explicitly disallow disconnect

syzbot discovered that it can disconnect a TLS socket and then
run into all sorts of unexpected corner cases. I have a vague
recollection of Eric pointing this out to us a long time ago.
Supporting disconnect is really hard, for one thing if offload
is enabled we'd need to wait for all packets to be _acked_.
Disconnect is not commonly used, disallow it.

The immediate problem syzbot ran into is the warning in the strp,
but that's just the easiest bug to trigger:

  WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
  RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
  Call Trace:
   &lt;TASK&gt;
   tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363
   tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043
   inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678
   sock_recvmsg_nosec net/socket.c:1023 [inline]
   sock_recvmsg+0x109/0x280 net/socket.c:1045
   __sys_recvfrom+0x202/0x380 net/socket.c:2237</Note>
    </Notes>
    <CVE>CVE-2025-37756</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37756.html</URL>
        <Description>CVE-2025-37756</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242515</URL>
        <Description>SUSE Bug 1242515</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="17">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tipc: fix memory leak in tipc_link_xmit

In case the backlog transmit queue for system-importance messages is overloaded,
tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to
a memory leak and failure when a skb is allocated.

This commit fixes this issue by purging the skb list before tipc_link_xmit()
returns.</Note>
    </Notes>
    <CVE>CVE-2025-37757</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37757.html</URL>
        <Description>CVE-2025-37757</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242521</URL>
        <Description>SUSE Bug 1242521</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="18">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: dsa: free routing table on probe failure

If complete = true in dsa_tree_setup(), it means that we are the last
switch of the tree which is successfully probing, and we should be
setting up all switches from our probe path.

After "complete" becomes true, dsa_tree_setup_cpu_ports() or any
subsequent function may fail. If that happens, the entire tree setup is
in limbo: the first N-1 switches have successfully finished probing
(doing nothing but having allocated persistent memory in the tree's
dst-&gt;ports, and maybe dst-&gt;rtable), and switch N failed to probe, ending
the tree setup process before anything is tangible from the user's PoV.

If switch N fails to probe, its memory (ports) will be freed and removed
from dst-&gt;ports. However, the dst-&gt;rtable elements pointing to its ports,
as created by dsa_link_touch(), will remain there, and will lead to
use-after-free if dereferenced.

If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely
possible because that is where ds-&gt;ops-&gt;setup() is, we get a kasan
report like this:

==================================================================
BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568
Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42

Call trace:
 __asan_report_load8_noabort+0x20/0x30
 mv88e6xxx_setup_upstream_port+0x240/0x568
 mv88e6xxx_setup+0xebc/0x1eb0
 dsa_register_switch+0x1af4/0x2ae0
 mv88e6xxx_register_switch+0x1b8/0x2a8
 mv88e6xxx_probe+0xc4c/0xf60
 mdio_probe+0x78/0xb8
 really_probe+0x2b8/0x5a8
 __driver_probe_device+0x164/0x298
 driver_probe_device+0x78/0x258
 __device_attach_driver+0x274/0x350

Allocated by task 42:
 __kasan_kmalloc+0x84/0xa0
 __kmalloc_cache_noprof+0x298/0x490
 dsa_switch_touch_ports+0x174/0x3d8
 dsa_register_switch+0x800/0x2ae0
 mv88e6xxx_register_switch+0x1b8/0x2a8
 mv88e6xxx_probe+0xc4c/0xf60
 mdio_probe+0x78/0xb8
 really_probe+0x2b8/0x5a8
 __driver_probe_device+0x164/0x298
 driver_probe_device+0x78/0x258
 __device_attach_driver+0x274/0x350

Freed by task 42:
 __kasan_slab_free+0x48/0x68
 kfree+0x138/0x418
 dsa_register_switch+0x2694/0x2ae0
 mv88e6xxx_register_switch+0x1b8/0x2a8
 mv88e6xxx_probe+0xc4c/0xf60
 mdio_probe+0x78/0xb8
 really_probe+0x2b8/0x5a8
 __driver_probe_device+0x164/0x298
 driver_probe_device+0x78/0x258
 __device_attach_driver+0x274/0x350

The simplest way to fix the bug is to delete the routing table in its
entirety. dsa_tree_setup_routing_table() has no problem in regenerating
it even if we deleted links between ports other than those of switch N,
because dsa_link_touch() first checks whether the port pair already
exists in dst-&gt;rtable, allocating if not.

The deletion of the routing table in its entirety already exists in
dsa_tree_teardown(), so refactor that into a function that can also be
called from the tree setup error path.

In my analysis of the commit to blame, it is the one which added
dsa_link elements to dst-&gt;rtable. Prior to that, each switch had its own
ds-&gt;rtable which is freed when the switch fails to probe. But the tree
is potentially persistent memory.</Note>
    </Notes>
    <CVE>CVE-2025-37786</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37786.html</URL>
        <Description>CVE-2025-37786</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242725</URL>
        <Description>SUSE Bug 1242725</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="19">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: ci_hdrc_imx: fix usbmisc handling

usbmisc is an optional device property so it is totally valid for the
corresponding data-&gt;usbmisc_data to have a NULL value.

Check that before dereferencing the pointer.

Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.</Note>
    </Notes>
    <CVE>CVE-2025-37811</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37811.html</URL>
        <Description>CVE-2025-37811</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1242907</URL>
        <Description>SUSE Bug 1242907</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="20">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

page_pool: avoid infinite loop to schedule delayed worker

We noticed the kworker in page_pool_release_retry() was woken
up repeatedly and infinitely in production because of the
buggy driver causing the inflight less than 0 and warning
us in page_pool_inflight()[1].

Since the inflight value goes negative, it means we should
not expect the whole page_pool to get back to work normally.

This patch mitigates the adverse effect by not rescheduling
the kworker when detecting the inflight negative in
page_pool_release_retry().

[1]
[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------
[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages
...
[Mon Feb 10 20:36:11 2025] Call Trace:
[Mon Feb 10 20:36:11 2025]  page_pool_release_retry+0x23/0x70
[Mon Feb 10 20:36:11 2025]  process_one_work+0x1b1/0x370
[Mon Feb 10 20:36:11 2025]  worker_thread+0x37/0x3a0
[Mon Feb 10 20:36:11 2025]  kthread+0x11a/0x140
[Mon Feb 10 20:36:11 2025]  ? process_one_work+0x370/0x370
[Mon Feb 10 20:36:11 2025]  ? __kthread_cancel_work+0x40/0x40
[Mon Feb 10 20:36:11 2025]  ret_from_fork+0x35/0x40
[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---
Note: before this patch, the above calltrace would flood the
dmesg due to repeated reschedule of release_dw kworker.</Note>
    </Notes>
    <CVE>CVE-2025-37859</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37859.html</URL>
        <Description>CVE-2025-37859</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243051</URL>
        <Description>SUSE Bug 1243051</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="21">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix deadlock between rcu_tasks_trace and event_mutex.

Fix the following deadlock:
CPU A
_free_event()
  perf_kprobe_destroy()
    mutex_lock(&amp;event_mutex)
      perf_trace_event_unreg()
        synchronize_rcu_tasks_trace()

There are several paths where _free_event() grabs event_mutex
and calls sync_rcu_tasks_trace. Above is one such case.

CPU B
bpf_prog_test_run_syscall()
  rcu_read_lock_trace()
    bpf_prog_run_pin_on_cpu()
      bpf_prog_load()
        bpf_tracing_func_proto()
          trace_set_clr_event()
            mutex_lock(&amp;event_mutex)

Delegate trace_set_clr_event() to workqueue to avoid
such lock dependency.</Note>
    </Notes>
    <CVE>CVE-2025-37884</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37884.html</URL>
        <Description>CVE-2025-37884</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243060</URL>
        <Description>SUSE Bug 1243060</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="22">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: lan743x: Fix memleak issue when GSO enabled

Always map the `skb` to the LS descriptor. Previously skb was
mapped to EXT descriptor when the number of fragments is zero with
GSO enabled. Mapping the skb to EXT descriptor prevents it from
being freed, leading to a memory leak.</Note>
    </Notes>
    <CVE>CVE-2025-37909</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37909.html</URL>
        <Description>CVE-2025-37909</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243467</URL>
        <Description>SUSE Bug 1243467</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="23">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

vxlan: vnifilter: Fix unlocked deletion of default FDB entry

When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB
entry associated with the default remote (assuming one was configured)
is deleted without holding the hash lock. This is wrong and will result
in a warning [1] being generated by the lockdep annotation that was
added by commit ebe642067455 ("vxlan: Create wrappers for FDB lookup").

Reproducer:

 # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1
 # bridge vni add vni 10010 remote 198.51.100.1 dev vx0
 # bridge vni del vni 10010 dev vx0

Fix by acquiring the hash lock before the deletion and releasing it
afterwards. Blame the original commit that introduced the issue rather
than the one that exposed it.

[1]
WARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0
[...]
RIP: 0010:vxlan_find_mac+0x17f/0x1a0
[...]
Call Trace:
 &lt;TASK&gt;
 __vxlan_fdb_delete+0xbe/0x560
 vxlan_vni_delete_group+0x2ba/0x940
 vxlan_vni_del.isra.0+0x15f/0x580
 vxlan_process_vni_filter+0x38b/0x7b0
 vxlan_vnifilter_process+0x3bb/0x510
 rtnetlink_rcv_msg+0x2f7/0xb70
 netlink_rcv_skb+0x131/0x360
 netlink_unicast+0x426/0x710
 netlink_sendmsg+0x75a/0xc20
 __sock_sendmsg+0xc1/0x150
 ____sys_sendmsg+0x5aa/0x7b0
 ___sys_sendmsg+0xfc/0x180
 __sys_sendmsg+0x121/0x1b0
 do_syscall_64+0xbb/0x1d0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53</Note>
    </Notes>
    <CVE>CVE-2025-37921</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37921.html</URL>
        <Description>CVE-2025-37921</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243480</URL>
        <Description>SUSE Bug 1243480</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="24">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix oob write in trace_seq_to_buffer()

syzbot reported this bug:
==================================================================
BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260

CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 &lt;TASK&gt;
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
 tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
 ....
==================================================================

It has been reported that trace_seq_to_buffer() tries to copy more data
than PAGE_SIZE to buf. Therefore, to prevent this, we should use the
smaller of trace_seq_used(&amp;iter-&gt;seq) and PAGE_SIZE as an argument.</Note>
    </Notes>
    <CVE>CVE-2025-37923</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37923.html</URL>
        <Description>CVE-2025-37923</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243551</URL>
        <Description>SUSE Bug 1243551</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="25">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid

There is a string parsing logic error which can lead to an overflow of hid
or uid buffers. Comparing ACPIID_LEN against a total string length doesn't
take into account the lengths of individual hid and uid buffers so the
check is insufficient in some cases. For example if the length of hid
string is 4 and the length of the uid string is 260, the length of str
will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer
whose size is 256.

The same applies to the hid string with length 13 and uid string with
length 250.

Check the length of hid and uid strings separately to prevent
buffer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.</Note>
    </Notes>
    <CVE>CVE-2025-37927</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37927.html</URL>
        <Description>CVE-2025-37927</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243620</URL>
        <Description>SUSE Bug 1243620</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="26">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

tracing: Verify event formats that have "%*p.."

The trace event verifier checks the formats of trace events to make sure
that they do not point at memory that is not in the trace event itself or
in data that will never be freed. If an event references data that was
allocated when the event triggered and that same data is freed before the
event is read, then the kernel can crash by reading freed memory.

The verifier runs at boot up (or module load) and scans the print formats
of the events and checks their arguments to make sure that dereferenced
pointers are safe. If the format uses "%*p.." the verifier will ignore it,
and that could be dangerous. Cover this case as well.

Also add to the sample code a use case of "%*pbl".</Note>
    </Notes>
    <CVE>CVE-2025-37938</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37938.html</URL>
        <Description>CVE-2025-37938</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243544</URL>
        <Description>SUSE Bug 1243544</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="27">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY

DSA has 2 kinds of drivers:

1. Those who call dsa_switch_suspend() and dsa_switch_resume() from
   their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz
2. Those who don't: all others. The above methods should be optional.

For type 1, dsa_switch_suspend() calls dsa_user_suspend() -&gt; phylink_stop(),
and dsa_switch_resume() calls dsa_user_resume() -&gt; phylink_start().
These seem good candidates for setting mac_managed_pm = true because
that is essentially its definition [1], but that does not seem to be the
biggest problem for now, and is not what this change focuses on.

Talking strictly about the 2nd category of DSA drivers here (which
do not have MAC managed PM, meaning that for their attached PHYs,
mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full),
I have noticed that the following warning from mdio_bus_phy_resume() is
triggered:

	WARN_ON(phydev-&gt;state != PHY_HALTED &amp;&amp; phydev-&gt;state != PHY_READY &amp;&amp;
		phydev-&gt;state != PHY_UP);

because the PHY state machine is running.

It's running as a result of a previous dsa_user_open() -&gt; ... -&gt;
phylink_start() -&gt; phy_start() having been initiated by the user.

The previous mdio_bus_phy_suspend() was supposed to have called
phy_stop_machine(), but it didn't. So this is why the PHY is in state
PHY_NOLINK by the time mdio_bus_phy_resume() runs.

mdio_bus_phy_suspend() did not call phy_stop_machine() because for
phylink, the phydev-&gt;adjust_link function pointer is NULL. This seems a
technicality introduced by commit fddd91016d16 ("phylib: fix PAL state
machine restart on resume"). That commit was written before phylink
existed, and was intended to avoid crashing with consumer drivers which
don't use the PHY state machine - phylink always does, when using a PHY.
But phylink itself has historically not been developed with
suspend/resume in mind, and apparently not tested too much in that
scenario, allowing this bug to exist unnoticed for so long. Plus, prior
to the WARN_ON(), it would have likely been invisible.

This issue is not in fact restricted to type 2 DSA drivers (according to
the above ad-hoc classification), but can be extrapolated to any MAC
driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where
the issue was reported. Assuming mac_managed_pm is set correctly, a
quick search indicates the following other drivers might be affected:

$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm
drivers/net/ethernet/atheros/ag71xx.c
drivers/net/ethernet/microchip/sparx5/sparx5_main.c
drivers/net/ethernet/microchip/lan966x/lan966x_main.c
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
drivers/net/ethernet/freescale/ucc_geth.c
drivers/net/ethernet/freescale/enetc/enetc_pf_common.c
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
drivers/net/ethernet/marvell/mvneta.c
drivers/net/ethernet/marvell/prestera/prestera_main.c
drivers/net/ethernet/mediatek/mtk_eth_soc.c
drivers/net/ethernet/altera/altera_tse_main.c
drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
drivers/net/ethernet/meta/fbnic/fbnic_phylink.c
drivers/net/ethernet/tehuti/tn40_phy.c
drivers/net/ethernet/mscc/ocelot_net.c

Make the existing conditions dependent on the PHY device having a
phydev-&gt;phy_link_change() implementation equal to the default
phy_link_change() provided by phylib. Otherwise, we implicitly know that
the phydev has the phylink-provided phylink_phy_change() callback, and
when phylink is used, the PHY state machine always needs to be stopped/
started on the suspend/resume path. The code is structured as such that
if phydev-&gt;phy_link_change() is absent, it is a matter of time until the
kernel will crash - no need to further complicate the test.

Thus, for the situation where the PM is not managed b
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-37945</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37945.html</URL>
        <Description>CVE-2025-37945</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243538</URL>
        <Description>SUSE Bug 1243538</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="28">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs

With commit bcb5d6c76903 ("s390/pci: introduce lock to synchronize state
of zpci_dev's") the code to ignore power off of a PF that has child VFs
was changed from a direct return to a goto to the unlock and
pci_dev_put() section. The change however left the existing pci_dev_put()
untouched resulting in a double put. This can subsequently cause a use
after free if the struct pci_dev is released in an unexpected state.
Fix this by removing the extra pci_dev_put().</Note>
    </Notes>
    <CVE>CVE-2025-37946</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37946.html</URL>
        <Description>CVE-2025-37946</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243506</URL>
        <Description>SUSE Bug 1243506</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="29">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix uninit-value for saddr in do_output_route4

syzbot reports for uninit-value for the saddr argument [1].
commit 4754957f04f5 ("ipvs: do not use random local source address for
tunnels") already implies that the input value of saddr
should be ignored but the code is still reading it which can prevent
to connect the route. Fix it by changing the argument to ret_saddr.

[1]
BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
 do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
 __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330
 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
 ip_local_out net/ipv4/ip_output.c:127 [inline]
 ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x267/0x380 net/socket.c:727
 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702
 __compat_sys_sendmmsg net/compat.c:360 [inline]
 __do_compat_sys_sendmmsg net/compat.c:367 [inline]
 __se_compat_sys_sendmmsg net/compat.c:364 [inline]
 __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4167 [inline]
 slab_alloc_node mm/slub.c:4210 [inline]
 __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367
 kmalloc_noprof include/linux/slab.h:905 [inline]
 ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]
 __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323
 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
 ip_local_out net/ipv4/ip_output.c:127 [inline]
 ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x267/0x380 net/socket.c:727
 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702
 __compat_sys_sendmmsg net/compat.c:360 [inline]
 __do_compat_sys_sendmmsg net/compat.c:367 [inline]
 __se_compat_sys_sendmmsg net/compat.c:364 [inline]
 __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)
Hardware name: Google Google Compute Engi
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-37961</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37961.html</URL>
        <Description>CVE-2025-37961</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243523</URL>
        <Description>SUSE Bug 1243523</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="30">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation

Currently during the multi-link element defragmentation process, the
multi-link element length is added to the total IEs length when calculating
the length of remaining IEs after the multi-link element in
cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
multi-link element or its corresponding fragment elements are the last
elements in the IEs buffer.

To address this issue, correctly calculate the remaining IEs length by
deducting the multi-link element end offset from total IEs end offset.</Note>
    </Notes>
    <CVE>CVE-2025-37973</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37973.html</URL>
        <Description>CVE-2025-37973</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244172</URL>
        <Description>SUSE Bug 1244172</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="31">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net_sched: Flush gso_skb list too during -&gt;change()

Previously, when reducing a qdisc's limit via the -&gt;change() operation, only
the main skb queue was trimmed, potentially leaving packets in the gso_skb
list. This could result in NULL pointer dereference when we only check
sch-&gt;limit against sch-&gt;q.qlen.

This patch introduces a new helper, qdisc_dequeue_internal(), which ensures
both the gso_skb list and the main queue are properly flushed when trimming
excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)
are updated to use this helper in their -&gt;change() routines.</Note>
    </Notes>
    <CVE>CVE-2025-37992</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37992.html</URL>
        <Description>CVE-2025-37992</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243698</URL>
        <Description>SUSE Bug 1243698</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="32">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

usb: typec: ucsi: displayport: Fix NULL pointer access

This patch ensures that the UCSI driver waits for all pending tasks in the
ucsi_displayport_work workqueue to finish executing before proceeding with
the partner removal.</Note>
    </Notes>
    <CVE>CVE-2025-37994</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37994.html</URL>
        <Description>CVE-2025-37994</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243823</URL>
        <Description>SUSE Bug 1243823</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="33">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

module: ensure that kobject_put() is safe for module type kobjects

In 'lookup_or_create_module_kobject()', an internal kobject is created
using 'module_ktype'. So a call to 'kobject_put()' on the error handling
path causes an attempt to use an uninitialized completion pointer in
'module_kobject_release()'. In this scenario, we just want to release
kobject without an extra synchronization required for a regular module
unloading process, so adding an extra check whether 'complete()' is
actually required makes 'kobject_put()' safe.</Note>
    </Notes>
    <CVE>CVE-2025-37995</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37995.html</URL>
        <Description>CVE-2025-37995</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243827</URL>
        <Description>SUSE Bug 1243827</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="34">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix region locking in hash types

Region locking introduced in v5.6-rc4 contained three macros to handle
the region locks: ahash_bucket_start(), ahash_bucket_end() which gave
back the start and end hash bucket values belonging to a given region
lock and ahash_region() which should give back the region lock belonging
to a given hash bucket. The latter was incorrect, which can lead to a
race condition between the garbage collector and adding new elements
when a hash type of set is defined with timeouts.</Note>
    </Notes>
    <CVE>CVE-2025-37997</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-37997.html</URL>
        <Description>CVE-2025-37997</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243832</URL>
        <Description>SUSE Bug 1243832</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245774</URL>
        <Description>SUSE Bug 1245774</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="35">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
child qdisc's peek() operation before incrementing sch-&gt;q.qlen and
sch-&gt;qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
trigger an immediate dequeue and potential packet drop. In such cases,
qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
have not yet been updated, leading to inconsistent queue accounting. This
can leave an empty HFSC class in the active list, causing further
consequences like use-after-free.

This patch fixes the bug by moving the increment of sch-&gt;q.qlen and
sch-&gt;qstats.backlog before the call to the child qdisc's peek() operation.
This ensures that queue length and backlog are always accurate when packet
drops or dequeues are triggered during the peek.</Note>
    </Notes>
    <CVE>CVE-2025-38000</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38000.html</URL>
        <Description>CVE-2025-38000</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244277</URL>
        <Description>SUSE Bug 1244277</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245775</URL>
        <Description>SUSE Bug 1245775</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="36">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Savino says:
    "We are writing to report that this recent patch
    (141d34391abbb315d68556b7c67ad97885407547) [1]
    can be bypassed, and a UAF can still occur when HFSC is utilized with
    NETEM.

    The patch only checks the cl-&gt;cl_nactive field to determine whether
    it is the first insertion or not [2], but this field is only
    incremented by init_vf [3].

    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the
    check and insert the class twice in the eltree.
    Under normal conditions, this would lead to an infinite loop in
    hfsc_dequeue for the reasons we already explained in this report [5].

    However, if TBF is added as root qdisc and it is configured with a
    very low rate,
    it can be utilized to prevent packets from being dequeued.
    This behavior can be exploited to perform subsequent insertions in the
    HFSC eltree and cause a UAF."

To fix both the UAF and the infinite loop, with netem as an hfsc child,
check explicitly in hfsc_enqueue whether the class is already in the eltree
whenever the HFSC_RSC flag is set.

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u</Note>
    </Notes>
    <CVE>CVE-2025-38001</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38001.html</URL>
        <Description>CVE-2025-38001</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244234</URL>
        <Description>SUSE Bug 1244234</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244235</URL>
        <Description>SUSE Bug 1244235</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="37">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

can: bcm: add missing rcu read protection for procfs content

When the procfs content is generated for a bcm_op which is in the process
of being removed, the procfs output might show unreliable data (UAF).

As the removal of bcm_op's is already implemented with rcu handling, this
patch adds the missing rcu_read_lock() and makes sure the list entries
are properly removed under rcu protection.</Note>
    </Notes>
    <CVE>CVE-2025-38003</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38003.html</URL>
        <Description>CVE-2025-38003</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244275</URL>
        <Description>SUSE Bug 1244275</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="38">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

can: bcm: add locking for bcm_op runtime updates

The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via
hrtimer. The content and also the length of the sequence can be changed
resp reduced at runtime where the 'currframe' counter is then set to zero.

Although this appeared to be a safe operation the updates of 'currframe'
can be triggered from user space and hrtimer context in bcm_can_tx().
Anderson Nascimento created a proof of concept that triggered a KASAN
slab-out-of-bounds read access which can be prevented with a spin_lock_bh.

At the rework of bcm_can_tx() the 'count' variable has been moved into
the protected section as this variable can be modified from both contexts
too.</Note>
    </Notes>
    <CVE>CVE-2025-38004</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38004.html</URL>
        <Description>CVE-2025-38004</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244274</URL>
        <Description>SUSE Bug 1244274</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="39">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: ti: k3-udma: Add missing locking

Recent kernels complain about a missing lock in k3-udma.c when the lock
validator is enabled:

[    4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238
[    4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28
[    4.144867] Hardware name: pp-v12 (DT)
[    4.148648] Workqueue: events udma_check_tx_completion
[    4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    4.160834] pc : udma_start.isra.0+0x34/0x238
[    4.165227] lr : udma_start.isra.0+0x30/0x238
[    4.169618] sp : ffffffc083cabcf0
[    4.244986] Call trace:
[    4.247463]  udma_start.isra.0+0x34/0x238
[    4.251509]  udma_check_tx_completion+0xd0/0xdc
[    4.256076]  process_one_work+0x244/0x3fc
[    4.260129]  process_scheduled_works+0x6c/0x74
[    4.264610]  worker_thread+0x150/0x1dc
[    4.268398]  kthread+0xd8/0xe8
[    4.271492]  ret_from_fork+0x10/0x20
[    4.275107] irq event stamp: 220
[    4.278363] hardirqs last  enabled at (219): [&lt;ffffffc080a27c7c&gt;] _raw_spin_unlock_irq+0x38/0x50
[    4.287183] hardirqs last disabled at (220): [&lt;ffffffc080a1c154&gt;] el1_dbg+0x24/0x50
[    4.294879] softirqs last  enabled at (182): [&lt;ffffffc080037e68&gt;] handle_softirqs+0x1c0/0x3cc
[    4.303437] softirqs last disabled at (177): [&lt;ffffffc080010170&gt;] __do_softirq+0x1c/0x28
[    4.311559] ---[ end trace 0000000000000000 ]---

This commit adds the missing locking.</Note>
    </Notes>
    <CVE>CVE-2025-38005</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38005.html</URL>
        <Description>CVE-2025-38005</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244727</URL>
        <Description>SUSE Bug 1244727</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="40">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

HID: uclogic: Add NULL check in uclogic_input_configured()

devm_kasprintf() returns NULL when memory allocation fails. Currently,
uclogic_input_configured() does not check for this case, which results
in a NULL pointer dereference.

Add NULL check after devm_kasprintf() to prevent this issue.</Note>
    </Notes>
    <CVE>CVE-2025-38007</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38007.html</URL>
        <Description>CVE-2025-38007</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244938</URL>
        <Description>SUSE Bug 1244938</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="41">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: disable napi on driver removal

A warning on driver removal started occurring after commit 9dd05df8403b
("net: warn if NAPI instance wasn't shut down"). Disable tx napi before
deleting it in mt76_dma_cleanup().

 WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100
 CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)
 Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024
 RIP: 0010:__netif_napi_del_locked+0xf0/0x100
 Call Trace:
 &lt;TASK&gt;
 mt76_dma_cleanup+0x54/0x2f0 [mt76]
 mt7921_pci_remove+0xd5/0x190 [mt7921e]
 pci_device_remove+0x47/0xc0
 device_release_driver_internal+0x19e/0x200
 driver_detach+0x48/0x90
 bus_remove_driver+0x6d/0xf0
 pci_unregister_driver+0x2e/0xb0
 __do_sys_delete_module.isra.0+0x197/0x2e0
 do_syscall_64+0x7b/0x160
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Tested with mt7921e but the same pattern can be actually applied to other
mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled
in their *_dma_init() functions and only toggled off and on again inside
their suspend/resume/reset paths. So it should be okay to disable tx
napi in such a generic way.

Found by Linux Verification Center (linuxtesting.org).</Note>
    </Notes>
    <CVE>CVE-2025-38009</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38009.html</URL>
        <Description>CVE-2025-38009</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244995</URL>
        <Description>SUSE Bug 1244995</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="42">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking

The current implementation uses bias_pad_enable as a reference count to
manage the shared bias pad for all UTMI PHYs. However, during system
suspension with connected USB devices, multiple power-down requests for
the UTMI pad result in a mismatch in the reference count, which in turn
produces warnings such as:

[  237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170
[  237.763103] Call trace:
[  237.763104]  tegra186_utmi_pad_power_down+0x160/0x170
[  237.763107]  tegra186_utmi_phy_power_off+0x10/0x30
[  237.763110]  phy_power_off+0x48/0x100
[  237.763113]  tegra_xusb_enter_elpg+0x204/0x500
[  237.763119]  tegra_xusb_suspend+0x48/0x140
[  237.763122]  platform_pm_suspend+0x2c/0xb0
[  237.763125]  dpm_run_callback.isra.0+0x20/0xa0
[  237.763127]  __device_suspend+0x118/0x330
[  237.763129]  dpm_suspend+0x10c/0x1f0
[  237.763130]  dpm_suspend_start+0x88/0xb0
[  237.763132]  suspend_devices_and_enter+0x120/0x500
[  237.763135]  pm_suspend+0x1ec/0x270

The root cause was traced back to the dynamic power-down changes
introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"),
where the UTMI pad was being powered down without verifying its current
state. This unbalanced behavior led to discrepancies in the reference
count.

To rectify this issue, this patch replaces the single reference counter
with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask
corresponds to one of the four USB2 PHYs, allowing us to track each pad's
enablement status individually.

With this change:
  - The bias pad is powered on only when the mask is clear.
  - Each UTMI pad is powered on or down based on its corresponding bit
    in the mask, preventing redundant operations.
  - The overall power state of the shared bias pad is maintained
    correctly during suspend/resume cycles.

The mutex used to prevent race conditions during UTMI pad enable/disable
operations has been moved from the tegra186_utmi_bias_pad_power_on/off
functions to the parent functions tegra186_utmi_pad_power_on/down. This
change ensures that there are no race conditions when updating the bitmask.</Note>
    </Notes>
    <CVE>CVE-2025-38010</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38010.html</URL>
        <Description>CVE-2025-38010</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244996</URL>
        <Description>SUSE Bug 1244996</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="43">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: csa unmap use uninterruptible lock

After process exit, to unmap csa and free GPU vm, if a signal is accepted
and the wait to take the vm lock is interrupted and returns, it causes
a memory leak and the warning backtrace below.

Change to use an uninterruptible wait lock to fix the issue.

WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525
 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]
 Call Trace:
  &lt;TASK&gt;
  drm_file_free.part.0+0x1da/0x230 [drm]
  drm_close_helper.isra.0+0x65/0x70 [drm]
  drm_release+0x6a/0x120 [drm]
  amdgpu_drm_release+0x51/0x60 [amdgpu]
  __fput+0x9f/0x280
  ____fput+0xe/0x20
  task_work_run+0x67/0xa0
  do_exit+0x217/0x3c0
  do_group_exit+0x3b/0xb0
  get_signal+0x14a/0x8d0
  arch_do_signal_or_restart+0xde/0x100
  exit_to_user_mode_loop+0xc1/0x1a0
  exit_to_user_mode_prepare+0xf4/0x100
  syscall_exit_to_user_mode+0x17/0x40
  do_syscall_64+0x69/0xc0

(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)</Note>
    </Notes>
    <CVE>CVE-2025-38011</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38011.html</URL>
        <Description>CVE-2025-38011</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244729</URL>
        <Description>SUSE Bug 1244729</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="44">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request

Make sure that n_channels is set after allocating the
struct cfg80211_registered_device::int_scan_req member. Seen with
syzkaller:

UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5
index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')

This was missed in the initial conversions because I failed to locate
the allocation likely due to the "sizeof(void *)" not matching the
"channels" array type.</Note>
    </Notes>
    <CVE>CVE-2025-38013</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38013.html</URL>
        <Description>CVE-2025-38013</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244731</URL>
        <Description>SUSE Bug 1244731</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="45">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Refactor remove call with idxd_cleanup() helper

The idxd_cleanup() helper cleans up perfmon, interrupts, internals and
so on. Refactor remove call with the idxd_cleanup() helper to avoid code
duplication. Note, this also fixes the missing put_device() for idxd
groups, engines and wqs.</Note>
    </Notes>
    <CVE>CVE-2025-38014</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38014.html</URL>
        <Description>CVE-2025-38014</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244732</URL>
        <Description>SUSE Bug 1244732</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244733</URL>
        <Description>SUSE Bug 1244733</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="46">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix memory leak in error handling path of idxd_alloc

Memory allocated for idxd is not freed if an error occurs during
idxd_alloc(). To fix it, free the allocated memory in the reverse order
of allocation before exiting the function in case of an error.</Note>
    </Notes>
    <CVE>CVE-2025-38015</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38015.html</URL>
        <Description>CVE-2025-38015</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244789</URL>
        <Description>SUSE Bug 1244789</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="47">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix kernel panic when alloc_page failed

We cannot set frag_list to NULL pointer when alloc_page failed.
It will be used in tls_strp_check_queue_ok the next time
tls_strp_read_sock is called.

This is because we don't reset full_len in tls_strp_flush_anchor_copy()
so the recv path will try to continue handling the partial record
on the next call but we detached the rcvq from the frag list.
Alternative fix would be to reset full_len.

Unable to handle kernel NULL pointer dereference
at virtual address 0000000000000028
 Call trace:
 tls_strp_check_rcv+0x128/0x27c
 tls_strp_data_ready+0x34/0x44
 tls_data_ready+0x3c/0x1f0
 tcp_data_ready+0x9c/0xe4
 tcp_data_queue+0xf6c/0x12d0
 tcp_rcv_established+0x52c/0x798</Note>
    </Notes>
    <CVE>CVE-2025-38018</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38018.html</URL>
        <Description>CVE-2025-38018</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244999</URL>
        <Description>SUSE Bug 1244999</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="48">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Disable MACsec offload for uplink representor profile

MACsec offload is not supported in switchdev mode for uplink
representors. When switching to the uplink representor profile, the
MACsec offload feature must be cleared from the netdevice's features.

If left enabled, attempts to add offloads result in a null pointer
dereference, as the uplink representor does not support MACsec offload
even though the feature bit remains set.

Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().

Kernel log:

Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__mutex_lock+0x128/0x1dd0
Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 &lt;80&gt; 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff
RSP: 0018:ffff888147a4f160 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078
RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000
FS:  00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
Call Trace:
 &lt;TASK&gt;
 ? die_addr+0x3d/0xa0
 ? exc_general_protection+0x144/0x220
 ? asm_exc_general_protection+0x22/0x30
 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
 ? __mutex_lock+0x128/0x1dd0
 ? lockdep_set_lock_cmp_fn+0x190/0x190
 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
 ? mutex_lock_io_nested+0x1ae0/0x1ae0
 ? lock_acquire+0x1c2/0x530
 ? macsec_upd_offload+0x145/0x380
 ? lockdep_hardirqs_on_prepare+0x400/0x400
 ? kasan_save_stack+0x30/0x40
 ? kasan_save_stack+0x20/0x40
 ? kasan_save_track+0x10/0x30
 ? __kasan_kmalloc+0x77/0x90
 ? __kmalloc_noprof+0x249/0x6b0
 ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240
 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
 mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
 ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]
 macsec_update_offload+0x26c/0x820
 ? macsec_set_mac_address+0x4b0/0x4b0
 ? lockdep_hardirqs_on_prepare+0x284/0x400
 ? _raw_spin_unlock_irqrestore+0x47/0x50
 macsec_upd_offload+0x2c8/0x380
 ? macsec_update_offload+0x820/0x820
 ? __nla_parse+0x22/0x30
 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240
 genl_family_rcv_msg_doit+0x1cc/0x2a0
 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240
 ? cap_capable+0xd4/0x330
 genl_rcv_msg+0x3ea/0x670
 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
 ? lockdep_set_lock_cmp_fn+0x190/0x190
 ? macsec_update_offload+0x820/0x820
 netlink_rcv_skb+0x12b/0x390
 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
 ? netlink_ack+0xd80/0xd80
 ? rwsem_down_read_slowpath+0xf90/0xf90
 ? netlink_deliver_tap+0xcd/0xac0
 ? netlink_deliver_tap+0x155/0xac0
 ? _copy_from_iter+0x1bb/0x12c0
 genl_rcv+0x24/0x40
 netlink_unicast+0x440/0x700
 ? netlink_attachskb+0x760/0x760
 ? lock_acquire+0x1c2/0x530
 ? __might_fault+0xbb/0x170
 netlink_sendmsg+0x749/0xc10
 ? netlink_unicast+0x700/0x700
 ? __might_fault+0xbb/0x170
 ? netlink_unicast+0x700/0x700
 __sock_sendmsg+0xc5/0x190
 ____sys_sendmsg+0x53f/0x760
 ? import_iovec+0x7/0x10
 ? kernel_sendmsg+0x30/0x30
 ? __copy_msghdr+0x3c0/0x3c0
 ? filter_irq_stacks+0x90/0x90
 ? stack_depot_save_flags+0x28/0xa30
 ___sys_sen
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-38020</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38020.html</URL>
        <Description>CVE-2025-38020</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245001</URL>
        <Description>SUSE Bug 1245001</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="49">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem

Call Trace:

 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 strlen+0x93/0xa0 lib/string.c:420
 __fortify_strlen include/linux/fortify-string.h:268 [inline]
 get_kobj_path_length lib/kobject.c:118 [inline]
 kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
 kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
 ib_register_device drivers/infiniband/core/device.c:1472 [inline]
 ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
 rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg net/socket.c:727 [inline]
 ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
 __sys_sendmsg+0x16d/0x220 net/socket.c:2652
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.

The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.

The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().</Note>
    </Notes>
    <CVE>CVE-2025-38022</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38022.html</URL>
        <Description>CVE-2025-38022</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245003</URL>
        <Description>SUSE Bug 1245003</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="50">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

nfs: handle failure of nfs_get_lock_context in unlock path

When memory is insufficient, the allocation of nfs_lock_context in
nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat
an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)
as valid and proceed to execute rpc_run_task(), this will trigger a NULL
pointer dereference in nfs4_locku_prepare. For example:

BUG: kernel NULL pointer dereference, address: 000000000000000c
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40
Workqueue: rpciod rpc_async_schedule
RIP: 0010:nfs4_locku_prepare+0x35/0xc2
Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3
RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246
RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40
RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38
R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030
R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30
FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0
Call Trace:
 &lt;TASK&gt;
 __rpc_execute+0xbc/0x480
 rpc_async_schedule+0x2f/0x40
 process_one_work+0x232/0x5d0
 worker_thread+0x1da/0x3d0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x10d/0x240
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 &lt;/TASK&gt;
Modules linked in:
CR2: 000000000000000c
---[ end trace 0000000000000000 ]---

Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and
return NULL to terminate subsequent rpc_run_task, preventing NULL pointer
dereference.</Note>
    </Notes>
    <CVE>CVE-2025-38023</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38023.html</URL>
        <Description>CVE-2025-38023</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245004</URL>
        <Description>SUSE Bug 1245004</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="51">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug

Call Trace:
 &lt;TASK&gt;
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcf/0x610 mm/kasan/report.c:489
 kasan_report+0xb5/0xe0 mm/kasan/report.c:602
 rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195
 rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132
 __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232
 rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109
 create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052
 ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095
 ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679
 vfs_write fs/read_write.c:677 [inline]
 vfs_write+0x26a/0xcc0 fs/read_write.c:659
 ksys_write+0x1b8/0x200 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the function rxe_create_cq, when rxe_cq_from_init fails, the function
rxe_cleanup will be called to handle the allocated resources. In fact,
some memory resources have already been freed in the function
rxe_cq_from_init. Thus, this problem will occur.

The solution is to let rxe_cleanup do all the work.</Note>
    </Notes>
    <CVE>CVE-2025-38024</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38024.html</URL>
        <Description>CVE-2025-38024</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245025</URL>
        <Description>SUSE Bug 1245025</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="52">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

regulator: max20086: fix invalid memory access

max20086_parse_regulators_dt() calls of_regulator_match() using an
array of struct of_regulator_match allocated on the stack for the
matches argument.

of_regulator_match() calls devm_of_regulator_put_matches(), which calls
devres_alloc() to allocate a struct devm_of_regulator_matches which will
be de-allocated using devm_of_regulator_put_matches().

struct devm_of_regulator_matches is populated with the stack allocated
matches array.

If the device fails to probe, devm_of_regulator_put_matches() will be
called and will try to call of_node_put() on that stack pointer,
generating the following dmesg entries:

max20086 6-0028: Failed to read DEVICE_ID reg: -121
kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet
kobject_put() is being called.

Followed by a stack trace matching the call flow described above.

Switch to allocating the matches array using devm_kcalloc() to
avoid accessing the stack pointer long after it's out of scope.

This also has the advantage of allowing multiple max20086 to probe
without overriding the data stored inside the global of_regulator_match.</Note>
    </Notes>
    <CVE>CVE-2025-38027</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38027.html</URL>
        <Description>CVE-2025-38027</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245042</URL>
        <Description>SUSE Bug 1245042</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="53">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

padata: do not leak refcount in reorder_work

A recent patch that addressed a UAF introduced a reference count leak:
the parallel_data refcount is incremented unconditionally, regardless
of the return value of queue_work(). If the work item is already queued,
the incremented refcount is never decremented.

Fix this by checking the return value of queue_work() and decrementing
the refcount when necessary.

Resolves:

Unreferenced object 0xffff9d9f421e3d80 (size 192):
  comm "cryptomgr_probe", pid 157, jiffies 4294694003
  hex dump (first 32 bytes):
    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............
    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.
  backtrace (crc 838fb36):
    __kmalloc_cache_noprof+0x284/0x320
    padata_alloc_pd+0x20/0x1e0
    padata_alloc_shell+0x3b/0xa0
    0xffffffffc040a54d
    cryptomgr_probe+0x43/0xc0
    kthread+0xf6/0x1f0
    ret_from_fork+0x2f/0x50
    ret_from_fork_asm+0x1a/0x30</Note>
    </Notes>
    <CVE>CVE-2025-38031</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38031.html</URL>
        <Description>CVE-2025-38031</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245046</URL>
        <Description>SUSE Bug 1245046</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="54">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

serial: mctrl_gpio: split disable_ms into sync and no_sync APIs

The following splat has been observed on a SAMA5D27 platform using
atmel_serial:

BUG: sleeping function called from invalid context at kernel/irq/manage.c:738
in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
irq event stamp: 0
hardirqs last  enabled at (0): [&lt;00000000&gt;] 0x0
hardirqs last disabled at (0): [&lt;c01588f0&gt;] copy_process+0x1c4c/0x7bec
softirqs last  enabled at (0): [&lt;c0158944&gt;] copy_process+0x1ca0/0x7bec
softirqs last disabled at (0): [&lt;00000000&gt;] 0x0
CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74
Hardware name: Atmel SAMA5
Workqueue: hci0 hci_power_on [bluetooth]
Call trace:
  unwind_backtrace from show_stack+0x18/0x1c
  show_stack from dump_stack_lvl+0x44/0x70
  dump_stack_lvl from __might_resched+0x38c/0x598
  __might_resched from disable_irq+0x1c/0x48
  disable_irq from mctrl_gpio_disable_ms+0x74/0xc0
  mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4
  atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8
  atmel_set_termios from uart_change_line_settings+0x15c/0x994
  uart_change_line_settings from uart_set_termios+0x2b0/0x668
  uart_set_termios from tty_set_termios+0x600/0x8ec
  tty_set_termios from ttyport_set_flow_control+0x188/0x1e0
  ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc]
  wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth]
  hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth]
  hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth]
  hci_power_on [bluetooth] from process_one_work+0x998/0x1a38
  process_one_work from worker_thread+0x6e0/0xfb4
  worker_thread from kthread+0x3d4/0x484
  kthread from ret_from_fork+0x14/0x28

This warning is emitted when trying to toggle, at the highest level,
some flow control (with serdev_device_set_flow_control) in a device
driver. At the lowest level, the atmel_serial driver is using
serial_mctrl_gpio lib to enable/disable the corresponding IRQs
accordingly.  The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to
disable_irq (called in mctrl_gpio_disable_ms) being possibly called in
some atomic context (some tty drivers perform modem lines configuration
in regions protected by port lock).

Split mctrl_gpio_disable_ms into two different APIs, a non-blocking one
and a blocking one. Replace mctrl_gpio_disable_ms calls with the
relevant version depending on whether the call is protected by some port
lock.</Note>
    </Notes>
    <CVE>CVE-2025-38040</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38040.html</URL>
        <Description>CVE-2025-38040</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245078</URL>
        <Description>SUSE Bug 1245078</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="55">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_ffa: Set dma_mask for ffa devices

Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer
leads to the following warning:

WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124</Note>
    </Notes>
    <CVE>CVE-2025-38043</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38043.html</URL>
        <Description>CVE-2025-38043</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245081</URL>
        <Description>SUSE Bug 1245081</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="56">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

media: cx231xx: set device_caps for 417

The video_device for the MPEG encoder did not set device_caps.

Add this, otherwise the video device can't be registered (you get a
WARN_ON instead).

Not seen before since currently 417 support is disabled, but I found
this while experimenting with it.</Note>
    </Notes>
    <CVE>CVE-2025-38044</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38044.html</URL>
        <Description>CVE-2025-38044</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245082</URL>
        <Description>SUSE Bug 1245082</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="57">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: fix debug actions order

The order of actions taken for debug was implemented incorrectly.
Now we implemented the dump split and do the FW reset only in the
middle of the dump (rather than the FW killing itself on error.)
As a result, some of the actions taken when applying the config
will now crash the device, so we need to fix the order.</Note>
    </Notes>
    <CVE>CVE-2025-38045</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38045.html</URL>
        <Description>CVE-2025-38045</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245083</URL>
        <Description>SUSE Bug 1245083</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="58">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

idpf: fix null-ptr-deref in idpf_features_check

idpf_features_check is used to validate the TX packet. skb header
length is compared with the hardware supported value received from
the device control plane. The value is stored in the adapter structure
and to access it, vport pointer is used. During reset all the vports
are released and the vport pointer that the netdev private structure
points to is NULL.

To avoid null-ptr-deref, store the max header length value in netdev
private structure. This also helps to cache the value and avoid
accessing adapter pointer in hot path.

BUG: kernel NULL pointer dereference, address: 0000000000000068
...
RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf]
Call Trace:
 &lt;TASK&gt;
 ? __die+0x23/0x70
 ? page_fault_oops+0x154/0x520
 ? exc_page_fault+0x76/0x190
 ? asm_exc_page_fault+0x26/0x30
 ? idpf_features_check+0x6d/0xe0 [idpf]
 netif_skb_features+0x88/0x310
 validate_xmit_skb+0x2a/0x2b0
 validate_xmit_skb_list+0x4c/0x70
 sch_direct_xmit+0x19d/0x3a0
 __dev_queue_xmit+0xb74/0xe70
 ...</Note>
    </Notes>
    <CVE>CVE-2025-38053</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38053.html</URL>
        <Description>CVE-2025-38053</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244746</URL>
        <Description>SUSE Bug 1244746</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="59">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

espintcp: fix skb leaks

A few error paths are missing a kfree_skb.</Note>
    </Notes>
    <CVE>CVE-2025-38057</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38057.html</URL>
        <Description>CVE-2025-38057</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244862</URL>
        <Description>SUSE Bug 1244862</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="60">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid NULL pointer dereference if no valid csum tree

[BUG]
When trying read-only scrub on a btrfs with rescue=idatacsums mount
option, it will crash with the following call trace:

  BUG: kernel NULL pointer dereference, address: 0000000000000208
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G           O        6.15.0-rc3-custom+ #236 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
  RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]
  Call Trace:
   &lt;TASK&gt;
   scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]
   scrub_simple_mirror+0x175/0x290 [btrfs]
   scrub_stripe+0x5f7/0x6f0 [btrfs]
   scrub_chunk+0x9a/0x150 [btrfs]
   scrub_enumerate_chunks+0x333/0x660 [btrfs]
   btrfs_scrub_dev+0x23e/0x600 [btrfs]
   btrfs_ioctl+0x1dcf/0x2f80 [btrfs]
   __x64_sys_ioctl+0x97/0xc0
   do_syscall_64+0x4f/0x120
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

[CAUSE]
Mount option "rescue=idatacsums" will completely skip loading the csum
tree, so that any data read will not find any data csum thus we will
ignore data checksum verification.

Normally call sites utilizing csum tree will check the fs state flag
NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.

This results in scrub calling btrfs_search_slot() on a NULL pointer
and triggering the above crash.

[FIX]
Check both extent and csum tree root before doing any tree search.</Note>
    </Notes>
    <CVE>CVE-2025-38059</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38059.html</URL>
        <Description>CVE-2025-38059</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244759</URL>
        <Description>SUSE Bug 1244759</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="61">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

bpf: copy_verifier_state() should copy 'loop_entry' field

The bpf_verifier_state.loop_entry state should be copied by
copy_verifier_state(). Otherwise, .loop_entry values from unrelated
states would poison env-&gt;cur_state.

Additionally, env-&gt;stack should not contain any states with
.loop_entry != NULL. The states in env-&gt;stack are yet to be verified,
while .loop_entry is set for states that reached an equivalent state.
This means that env-&gt;cur_state-&gt;loop_entry should always be NULL after
pop_stack().

See the selftest in the next commit for an example of the program that
is not safe yet is accepted by verifier w/o this fix.

This change has some verification performance impact for selftests:

File                                Program                       Insns (A)  Insns (B)  Insns   (DIFF)  States (A)  States (B)  States (DIFF)
----------------------------------  ----------------------------  ---------  ---------  --------------  ----------  ----------  -------------
arena_htab.bpf.o                    arena_htab_llvm                     717        426  -291 (-40.59%)          57          37  -20 (-35.09%)
arena_htab_asm.bpf.o                arena_htab_asm                      597        445  -152 (-25.46%)          47          37  -10 (-21.28%)
arena_list.bpf.o                    arena_list_del                      309        279    -30 (-9.71%)          23          14   -9 (-39.13%)
iters.bpf.o                         iter_subprog_check_stacksafe        155        141    -14 (-9.03%)          15          14    -1 (-6.67%)
iters.bpf.o                         iter_subprog_iters                 1094       1003    -91 (-8.32%)          88          83    -5 (-5.68%)
iters.bpf.o                         loop_state_deps2                    479        725  +246 (+51.36%)          46          63  +17 (+36.96%)
kmem_cache_iter.bpf.o               open_coded_iter                      63         59     -4 (-6.35%)           7           6   -1 (-14.29%)
verifier_bits_iter.bpf.o            max_words                            92         84     -8 (-8.70%)           8           7   -1 (-12.50%)
verifier_iterating_callbacks.bpf.o  cond_break2                         113        107     -6 (-5.31%)          12          12    +0 (+0.00%)

And significant negative impact for sched_ext:

File               Program                 Insns (A)  Insns (B)  Insns         (DIFF)  States (A)  States (B)  States      (DIFF)
-----------------  ----------------------  ---------  ---------  --------------------  ----------  ----------  ------------------
bpf.bpf.o          lavd_init                    7039      14723      +7684 (+109.16%)         490        1139     +649 (+132.45%)
bpf.bpf.o          layered_dispatch            11485      10548         -937 (-8.16%)         848         762       -86 (-10.14%)
bpf.bpf.o          layered_dump                 7422    1000001  +992579 (+13373.47%)         681       31178  +30497 (+4478.27%)
bpf.bpf.o          layered_enqueue             16854      71127     +54273 (+322.02%)        1611        6450    +4839 (+300.37%)
bpf.bpf.o          p2dq_dispatch                 665        791        +126 (+18.95%)          68          78       +10 (+14.71%)
bpf.bpf.o          p2dq_init                    2343       2980        +637 (+27.19%)         201         237       +36 (+17.91%)
bpf.bpf.o          refresh_layer_cpumasks      16487     674760   +658273 (+3992.68%)        1770       65370  +63600 (+3593.22%)
bpf.bpf.o          rusty_select_cpu             1937      40872    +38935 (+2010.07%)         177        3210   +3033 (+1713.56%)
scx_central.bpf.o  central_dispatch              636       2687      +2051 (+322.48%)          63         227     +164 (+260.32%)
scx_nest.bpf.o     nest_init                     636        815        +179 (+28.14%)          60          73       +13 (+21.67%)
scx_qmap.bpf.o     qmap_dispatch      
---truncated---</Note>
    </Notes>
    <CVE>CVE-2025-38060</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38060.html</URL>
        <Description>CVE-2025-38060</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245155</URL>
        <Description>SUSE Bug 1245155</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245156</URL>
        <Description>SUSE Bug 1245156</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="62">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

orangefs: Do not truncate file size

'len' is used to store the result of i_size_read(), so making 'len'
a size_t results in truncation to 4GiB on 32-bit systems.</Note>
    </Notes>
    <CVE>CVE-2025-38065</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38065.html</URL>
        <Description>CVE-2025-38065</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244906</URL>
        <Description>SUSE Bug 1244906</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244907</URL>
        <Description>SUSE Bug 1244907</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="63">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: lzo - Fix compression buffer overrun

Unlike the decompression code, the compression code in LZO never
checked for output overruns.  It instead assumes that the caller
always provides enough buffer space, disregarding the buffer length
provided by the caller.

Add a safe compression interface that checks for the end of buffer
before each write.  Use the safe interface in crypto/lzo.</Note>
    </Notes>
    <CVE>CVE-2025-38068</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38068.html</URL>
        <Description>CVE-2025-38068</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245210</URL>
        <Description>SUSE Bug 1245210</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="64">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

libnvdimm/labels: Fix divide error in nd_label_data_init()

If a faulty CXL memory device returns a broken zero LSA size in its
memory device information (Identify Memory Device (Opcode 4000h), CXL
spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm
driver:

 Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
 RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]

Code and flow:

1) CXL Command 4000h returns LSA size = 0
2) config_size is assigned to zero LSA size (CXL pmem driver):

drivers/cxl/pmem.c:             .config_size = mds-&gt;lsa_size,

3) max_xfer is set to zero (nvdimm driver):

drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd-&gt;nsarea.max_xfer, config_size);

4) A subsequent DIV_ROUND_UP() causes a division by zero:

drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */
drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer,
drivers/nvdimm/label.c-                 config_size);

Fix this by checking the config size parameter by extending an
existing check.</Note>
    </Notes>
    <CVE>CVE-2025-38072</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38072.html</URL>
        <Description>CVE-2025-38072</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244743</URL>
        <Description>SUSE Bug 1244743</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="65">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()

If the 'buf' array received from the user contains an empty string, the
'length' variable will be zero. Accessing the 'buf' array element with
index 'length - 1' will result in a buffer overflow.

Add a check for an empty string.

Found by Linux Verification Center (linuxtesting.org) with SVACE.</Note>
    </Notes>
    <CVE>CVE-2025-38077</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38077.html</URL>
        <Description>CVE-2025-38077</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244736</URL>
        <Description>SUSE Bug 1244736</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="66">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

ALSA: pcm: Fix race of buffer access at PCM OSS layer

The PCM OSS layer tries to clear the buffer with the silence data at
initialization (or reconfiguration) of a stream with the explicit call
of snd_pcm_format_set_silence() with runtime-&gt;dma_area.  But this may
lead to a UAF because the accessed runtime-&gt;dma_area might be freed
concurrently, as it's performed outside the PCM ops.

To avoid this, move the code into the PCM core and perform it inside
the buffer access lock, so that it won't be changed during the
operation.</Note>
    </Notes>
    <CVE>CVE-2025-38078</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38078.html</URL>
        <Description>CVE-2025-38078</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244737</URL>
        <Description>SUSE Bug 1244737</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="67">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_hash - fix double free in hash_accept

If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.</Note>
    </Notes>
    <CVE>CVE-2025-38079</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38079.html</URL>
        <Description>CVE-2025-38079</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245217</URL>
        <Description>SUSE Bug 1245217</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245218</URL>
        <Description>SUSE Bug 1245218</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="68">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Increase block_sequence array size

[Why]
It's possible to generate more than 50 steps in hwss_build_fast_sequence,
for example with a 6-pipe asic where all pipes are in one MPC chain. This
overflows the block_sequence buffer and corrupts block_sequence_steps,
causing a crash.

[How]
Expand block_sequence to 100 items. A naive upper bound on the possible
number of steps for a 6-pipe asic, ignoring the potential for steps to be
mutually exclusive, is 91 with current code, therefore 100 is sufficient.</Note>
    </Notes>
    <CVE>CVE-2025-38080</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38080.html</URL>
        <Description>CVE-2025-38080</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244738</URL>
        <Description>SUSE Bug 1244738</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="69">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

spi-rockchip: Fix register out of bounds access

Do not write native chip select stuff for GPIO chip selects.
GPIOs can be numbered much higher than native CS.
Also, it makes no sense.</Note>
    </Notes>
    <CVE>CVE-2025-38081</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38081.html</URL>
        <Description>CVE-2025-38081</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1244739</URL>
        <Description>SUSE Bug 1244739</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="70">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In the Linux kernel, the following vulnerability has been resolved:

net_sched: prio: fix a race in prio_tune()

Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.

The race is as follows:

CPU 0                                 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
 |
 |                                    [5]: lock root
 |                                    [6]: rehash
 |                                    [7]: qdisc_tree_reduce_backlog()
 |
[4]: qdisc_put()

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.</Note>
    </Notes>
    <CVE>CVE-2025-38083</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.1:kernel-default-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-base-6.4.0-31.1.21.9</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-devel-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-macros-6.4.0-31.1</ProductID>
        <ProductID>SUSE Linux Micro 6.1:kernel-source-6.4.0-31.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520475-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-38083.html</URL>
        <Description>CVE-2025-38083</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245183</URL>
        <Description>SUSE Bug 1245183</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1245350</URL>
        <Description>SUSE Bug 1245350</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
