SUSE-SU-2025:02307-1

Опубликовано: 14 июл. 2025

Источник: suse-cvrf

Описание

Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP7 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

CVE-2023-52888: media: mediatek: vcodec: Only free buffer VA that is not NULL (bsc#1228557).
CVE-2024-49568: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg (bsc#1235728).
CVE-2024-57982: xfrm: state: fix out-of-bounds read during lookup (bsc#1237913).
CVE-2024-57995: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() (bsc#1237895).
CVE-2024-58053: rxrpc: Fix handling of received connection abort (bsc#1238982).
CVE-2025-21720: xfrm: delete intermediate secpath entry in packet offload mode (bsc#1238859).
CVE-2025-21868: kABI workaround for adding an header (bsc#1240180).
CVE-2025-21898: ftrace: Avoid potential division by zero in function_stat_show() (bsc#1240610).
CVE-2025-21899: tracing: Fix bad hist from corrupting named_triggers list (bsc#1240577).
CVE-2025-21920: vlan: enforce underlying device type (bsc#1240686).
CVE-2025-21938: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr (bsc#1240723).
CVE-2025-21959: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() (bsc#1240814).
CVE-2025-21997: xsk: fix an integer overflow in xp_create_and_assign_umem() (bsc#1240823).
CVE-2025-22035: tracing: Fix use-after-free in print_graph_function_flags during tracer switching (bsc#1241544).
CVE-2025-22111: kABI fix for net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF (bsc#1241572).
CVE-2025-22113: ext4: define ext4_journal_destroy wrapper (bsc#1241617).
CVE-2025-23155: net: stmmac: Fix accessing freed irq affinity_hint (bsc#1242573).
CVE-2025-37738: ext4: ignore xattrs past end (bsc#1242846).
CVE-2025-37743: wifi: ath12k: Avoid memory leak while enabling statistics (bsc#1242163).
CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504).
CVE-2025-37756: net: tls: explicitly disallow disconnect (bsc#1242515).
CVE-2025-37757: tipc: fix memory leak in tipc_link_xmit (bsc#1242521).
CVE-2025-37786: net: dsa: free routing table on probe failure (bsc#1242725).
CVE-2025-37800: driver core: fix potential NULL pointer dereference in dev_uevent() (bsc#1242849).
CVE-2025-37801: spi: spi-imx: Add check for spi_imx_setupxfer() (bsc#1242850).
CVE-2025-37811: usb: chipidea: ci_hdrc_imx: fix usbmisc handling (bsc#1242907).
CVE-2025-37837: iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() (bsc#1242952).
CVE-2025-37844: cifs: avoid NULL pointer dereference in dbg call (bsc#1242946).
CVE-2025-37859: page_pool: avoid infinite loop to schedule delayed worker (bsc#1243051).
CVE-2025-37862: HID: pidff: Fix null pointer dereference in pidff_find_fields (bsc#1242982).
CVE-2025-37865: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported (bsc#1242954).
CVE-2025-37874: net: ngbe: fix memory leak in ngbe_probe() error path (bsc#1242940).
CVE-2025-37884: bpf: Fix deadlock between rcu_tasks_trace and event_mutex (bsc#1243060).
CVE-2025-37909: net: lan743x: Fix memleak issue when GSO enabled (bsc#1243467).
CVE-2025-37917: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (bsc#1243475).
CVE-2025-37921: vxlan: vnifilter: Fix unlocked deletion of default FDB entry (bsc#1243480).
CVE-2025-37923: tracing: Fix oob write in trace_seq_to_buffer() (bsc#1243551).
CVE-2025-37927: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (bsc#1243620).
CVE-2025-37933: octeon_ep: Fix host hang issue during device reboot (bsc#1243628).
CVE-2025-37936: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value (bsc#1243537).
CVE-2025-37938: tracing: Verify event formats that have '%*p..' (bsc#1243544).
CVE-2025-37945: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY (bsc#1243538).
CVE-2025-37954: smb: client: Avoid race in open_cached_dir with lease breaks (bsc#1243664).
CVE-2025-37961: ipvs: fix uninit-value for saddr in do_output_route4 (bsc#1243523).
CVE-2025-37967: usb: typec: ucsi: displayport: Fix deadlock (bsc#1243572).
CVE-2025-37968: iio: light: opt3001: fix deadlock due to concurrent flag access (bsc#1243571).
CVE-2025-37987: pds_core: Prevent possible adminq overflow/stuck condition (bsc#1243542).
CVE-2025-37992: net_sched: Flush gso_skb list too during ->change() (bsc#1243698).
CVE-2025-37995: module: ensure that kobject_put() is safe for module type kobjects (bsc#1243827).
CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
CVE-2025-37998: openvswitch: Fix unsafe attribute parsing in output_userspace() (bsc#1243836).
CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
CVE-2025-38011: drm/amdgpu: csa unmap use uninterruptible lock (bsc#1244729).
CVE-2025-38018: net/tls: fix kernel panic when alloc_page failed (bsc#1244999).
CVE-2025-38053: idpf: fix null-ptr-deref in idpf_features_check (bsc#1244746).
CVE-2025-38055: perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq (bsc#1244747).
CVE-2025-38057: espintcp: fix skb leaks (bsc#1244862).
CVE-2025-38060: bpf: abort verification if env->cur_state->loop_entry != NULL (bsc#1245155).
CVE-2025-38072: libnvdimm/labels: Fix divide error in nd_label_data_init() (bsc#1244743).

The following non-security bugs were fixed:

ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case (stable-fixes).
ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (git-fixes).
ACPI: HED: Always initialize before evged (stable-fixes).
ACPI: OSI: Stop advertising support for '3.0 _SCP Extensions' (git-fixes).
ACPI: PNP: Add Intel OC Watchdog IDs to non-PNP device list (stable-fixes).
ACPI: battery: negate current when discharging (stable-fixes).
ACPI: bus: Bail out if acpi_kobj registration fails (stable-fixes).
ACPICA: Avoid sequence overread in call to strncmp() (stable-fixes).
ACPICA: Utilities: Fix spelling mistake 'Incremement' -> 'Increment' (git-fixes).
ACPICA: exserial: do not forget to handle FFixedHW opregions for reading (git-fixes).
ACPICA: fix acpi operand cache leak in dswstate.c (stable-fixes).
ACPICA: fix acpi parse and parseext cache leaks (stable-fixes).
ACPICA: utilities: Fix overflow check in vsnprintf() (stable-fixes).
ALSA: hda/intel: Add Thinkpad E15 to PM deny list (stable-fixes).
ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx (stable-fixes).
ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14ASP10 (stable-fixes).
ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 (stable-fixes).
ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR (git-fixes).
ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA (git-fixes).
ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged (stable-fixes).
ALSA: pcm: Fix race of buffer access at PCM OSS layer (stable-fixes).
ALSA: seq: Improve data consistency at polling (stable-fixes).
ALSA: usb-audio: Accept multiple protocols in GTBs (stable-fixes).
ALSA: usb-audio: Add Pioneer DJ DJM-V10 support (stable-fixes).
ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock (stable-fixes).
ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 (stable-fixes).
ALSA: usb-audio: Add name for HP Engage Go dock (stable-fixes).
ALSA: usb-audio: Check shutdown at endpoint_set_interface() (stable-fixes).
ALSA: usb-audio: Fix NULL pointer deref in snd_usb_power_domain_set() (git-fixes).
ALSA: usb-audio: Fix duplicated name in MIDI substream names (stable-fixes).
ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (git-fixes).
ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card (stable-fixes).
ALSA: usb-audio: Rename Pioneer mixer channel controls (git-fixes).
ALSA: usb-audio: Set MIDI1 flag appropriately for GTB MIDI 1.0 entry (stable-fixes).
ALSA: usb-audio: Skip setting clock selector for single connections (stable-fixes).
ALSA: usb-audio: Support multiple control interfaces (stable-fixes).
ALSA: usb-audio: Support read-only clock selector control (stable-fixes).
ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file (stable-fixes).
ALSA: usb-audio: mixer: Remove temporary string use in parse_clock_source_unit (stable-fixes).
ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX (git-fixes).
ASoC: Intel: avs: Verify content returned by parse_int_array() (git-fixes).
ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 (stable-fixes).
ASoC: SOF: Intel: hda-bus: Use PIO mode on ACE2+ platforms (git-fixes).
ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type (git-fixes).
ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 (stable-fixes).
ASoC: apple: mca: Constrain channels according to TDM mask (git-fixes).
ASoC: codecs: hda: Fix RPM usage count underflow (git-fixes).
ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode (stable-fixes).
ASoC: cs42l43: Disable headphone clamps during type detection (stable-fixes).
ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() (stable-fixes).
ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect (stable-fixes).
ASoC: mediatek: mt8188: Add reference for dmic clocks (stable-fixes).
ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile (stable-fixes).
ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() (git-fixes).
ASoC: meson: meson-card-utils: use of_property_present() for DT parsing (git-fixes).
ASoC: ops: Enforce platform maximum on initial value (stable-fixes).
ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params() (git-fixes).
ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() (stable-fixes).
ASoC: rt722-sdca: Add some missing readable registers (stable-fixes).
ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() (stable-fixes).
ASoC: sun4i-codec: support hp-det-gpios property (stable-fixes).
ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG (stable-fixes).
ASoC: tas2764: Enable main IRQs (git-fixes).
ASoC: tas2764: Mark SW_RESET as volatile (stable-fixes).
ASoC: tas2764: Power up/down amp on mute ops (stable-fixes).
ASoC: tas2764: Reinit cache on part reset (git-fixes).
ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change (stable-fixes).
ASoC: tegra210_ahub: Add check to of_device_get_match_data() (stable-fixes).
ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init (git-fixes).
Bluetooth: Fix NULL pointer deference on eir_get_service_data (git-fixes).
Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION (git-fixes).
Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (git-fixes).
Bluetooth: MGMT: Fix sparse errors (git-fixes).
Bluetooth: MGMT: Remove unused mgmt_pending_find_data (stable-fixes).
Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() (git-fixes).
Bluetooth: Remove pending ACL connection attempts (stable-fixes).
Bluetooth: btintel: Check dsbr size from EFI variable (git-fixes).
Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers (git-fixes).
Bluetooth: btintel_pcie: Increase the tx and rx descriptor count (git-fixes).
Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race condition (git-fixes).
Bluetooth: eir: Fix possible crashes on eir_create_adv_data (git-fixes).
Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync (git-fixes).
Bluetooth: hci_conn: Only do ACL connections sequentially (stable-fixes).
Bluetooth: hci_core: fix list_for_each_entry_rcu usage (git-fixes).
Bluetooth: hci_event: Fix not using key encryption size when its known (git-fixes).
Bluetooth: hci_qca: move the SoC type check to the right place (git-fixes).
Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync (git-fixes).
Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync (git-fixes).
Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (git-fixes).
Documentation/rtla: Fix duplicate text about timerlat tracer (git-fixes).
Documentation/rtla: Fix typo in common_timerlat_description.rst (git-fixes).
Documentation/rtla: Fix typo in rtla-timerlat.rst (git-fixes).
Documentation: ACPI: Use all-string data node references (git-fixes).
Documentation: fix typo in root= kernel parameter description (git-fixes).
HID: lenovo: Restrict F7/9/11 mode to compact keyboards only (git-fixes).
HID: quirks: Add ADATA XPG alpha wireless mouse support (stable-fixes).
HID: usbkbd: Fix the bit shift number for LED_KANA (stable-fixes).
HID: wacom: fix kobject reference count leak (git-fixes).
HID: wacom: fix memory leak on kobject creation failure (git-fixes).
HID: wacom: fix memory leak on sysfs attribute creation failure (git-fixes).
IB/cm: Drop lockdep assert and WARN when freeing old msg (git-fixes)
Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() (git-fixes).
Input: ims-pcu - check record size in ims_pcu_flash_firmware() (git-fixes).
Input: sparcspkr - avoid unannotated fall-through (stable-fixes).
Input: xpad - add more controllers (stable-fixes).
KVM: powerpc: Enable commented out BUILD_BUG_ON() assertion (bsc#1215199).
KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY (git-fixes bsc#1245225).
MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild')
MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed.
NFC: nci: uart: Set tty->disc_data only in success path (git-fixes).
NFS: Do not allow waiting for exiting tasks (git-fixes).
NFSD: Insulate nfsd4_encode_read_plus() from page boundaries in the encode buffer (git-fixes).
NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (git-fixes).
NFSv4: Treat ENETUNREACH errors as fatal for state recovery (git-fixes).
PCI/DPC: Initialize aer_err_info before using it (git-fixes).
PCI/DPC: Log Error Source ID only when valid (git-fixes).
PCI/DPC: Use defines with DPC reason fields (git-fixes).
PCI/MSI: Size device MSI domain with the maximum number of vectors (git-fixes).
PCI/PM: Set up runtime PM even for devices without PCI PM (git-fixes).
PCI: Add ACS quirk for Loongson PCIe (stable-fixes).
PCI: Explicitly put devices into D0 when initializing (git-fixes).
PCI: Fix lock symmetry in pci_slot_unlock() (git-fixes).
PCI: Fix old_size lower bound in calculate_iosize() too (stable-fixes).
PCI: apple: Set only available ports up (git-fixes).
PCI: apple: Use gpiod_set_value_cansleep in probe flow (git-fixes).
PCI: brcmstb: Add a softdep to MIP MSI-X driver (stable-fixes).
PCI: brcmstb: Expand inbound window size up to 64GB (stable-fixes).
PCI: cadence-ep: Correct PBA offset in .set_msix() callback (git-fixes).
PCI: cadence: Fix runtime atomic count underflow (git-fixes).
PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit() (git-fixes).
PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up() (git-fixes).
PCI: dwc: ep: Correct PBA offset in .set_msix() callback (git-fixes).
PCI: dwc: ep: Ensure proper iteration over outbound map windows (stable-fixes).
PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes).
PCI: vmd: Disable MSI remapping bypass under Xen (stable-fixes).
PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() (stable-fixes).
PM: sleep: Fix power.is_suspended cleanup for direct-complete devices (git-fixes).
PM: sleep: Print PM debug messages during hibernation (git-fixes).
PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() (git-fixes).
RDMA/core: Fix best page size finding when it can cross SG entries (git-fixes)
RDMA/uverbs: Propagate errors from rdma_lookup_get_uobject() (git-fixes)
Remove compress-vmlinux.sh /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux was added in pesign-obs-integration during SLE12 RC. This workaround can be removed.
Remove host-memcpy-hack.h This might have been usefult at some point but we have more things that depend on specific library versions today.
Remove try-disable-staging-driver The config for linux-next is autogenerated from master config, and defaults filled for missing options. This is unlikely to enable any staging driver in the first place.
Revert 'ALSA: usb-audio: Skip setting clock selector for single connections' (stable-fixes).
Revert 'arm64: dts: allwinner: h6: Use RSB for AXP805 PMIC (git-fixes)
Revert 'bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first' (stable-fixes).
Revert 'drm/amdgpu: do not allow userspace to create a doorbell BO' (stable-fixes).
Revert 'ipv6: save dontfrag in cork (git-fixes).'
Revert 'kABI: ipv6: save dontfrag in cork (git-fixes).'
Revert 'wifi: mt76: mt7996: fill txd by host driver' (stable-fixes).
Revert 'wifi: mwifiex: Fix HT40 bandwidth issue.' (git-fixes).
SUNRPC: Do not allow waiting for exiting tasks (git-fixes).
SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls (git-fixes).
SUNRPC: rpc_clnt_set_transport() must not change the autobind setting (git-fixes).
SUNRPC: rpcbind should never reset the port to the value '0' (git-fixes).
USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB (stable-fixes).
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (git-fixes).
accel/ivpu: Improve buffer object logging (git-fixes).
accel/ivpu: Use dma_resv_lock() instead of a custom mutex (git-fixes).
accel/qaic: Mask out SR-IOV PCI resources (stable-fixes).
acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() (git-fixes).
add bug reference to existing hv_storvsc change (bsc#1245455).
arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs (git-fixes)
ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (stable-fixes).
ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (stable-fixes).
ath10k: snoc: fix unbalanced IRQ enable in crash recovery (git-fixes).
backlight: pm8941: Add NULL check in wled_configure() (git-fixes).
bnxt: properly flush XDP redirect lists (git-fixes).
bpf: Force uprobe bpf program to always return 0 (git-fixes).
bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)')
btrfs: fix fsync of files with no hard links not persisting deletion (git-fixes).
btrfs: fix invalid data space release when truncating block in NOCOW mode (git-fixes).
btrfs: fix qgroup reservation leak on failure to allocate ordered extent (git-fixes).
btrfs: fix wrong start offset for delalloc space release during mmap write (git-fixes).
btrfs: remove end_no_trans label from btrfs_log_inode_parent() (git-fixes).
btrfs: simplify condition for logging new dentries at btrfs_log_inode_parent() (git-fixes).
bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device (git-fixes).
bus: fsl-mc: fix GET/SET_TAILDROP command ids (git-fixes).
bus: fsl-mc: fix double-free on mc_dev (git-fixes).
bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value (stable-fixes).
bus: mhi: host: Fix conflict between power_up and SYSERR (git-fixes).
calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (git-fixes).
can: c_can: Use of_property_present() to test existence of DT property (stable-fixes).
can: tcan4x5x: fix power regulator retrieval during probe (git-fixes).
ceph: Fix incorrect flush end position calculation (git-fixes).
ceph: allocate sparse_ext map only for sparse reads (git-fixes).
ceph: fix memory leaks in __ceph_sync_read() (git-fixes).
cgroup/cpuset: Do not allow creation of local partition over a remote one (bsc#1241166).
cgroup/cpuset: Fix race between newly created partition and dying one (bsc#1241166).
cifs: change tcon status when need_reconnect is set on it (git-fixes).
clocksource: Fix brown-bag boolean thinko in (git-fixes)
clocksource: Make watchdog and suspend-timing multiplication (git-fixes)
crypto: lrw - Only add ecb if it is not already there (git-fixes).
crypto: lzo - Fix compression buffer overrun (stable-fixes).
crypto: marvell/cesa - Avoid empty transfer descriptor (git-fixes).
crypto: marvell/cesa - Do not chain submitted requests (git-fixes).
crypto: marvell/cesa - Handle zero-length skcipher requests (git-fixes).
crypto: octeontx2 - suppress auth failure screaming due to negative tests (stable-fixes).
crypto: qat - add shutdown handler to qat_420xx (git-fixes).
crypto: qat - add shutdown handler to qat_4xxx (git-fixes).
crypto: skcipher - Zap type in crypto_alloc_sync_skcipher (stable-fixes).
crypto: sun8i-ce - move fallback ahash_request to the end of the struct (git-fixes).
crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() (git-fixes).
crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions (git-fixes).
crypto: xts - Only add ecb if it is not already there (git-fixes).
devlink: Fix referring to hw_addr attribute during state validation (git-fixes).
devlink: fix port dump cmd type (git-fixes).
dlm: mask sk_shutdown value (bsc#1228854).
dlm: use SHUT_RDWR for SCTP shutdown (bsc#1228854).
dmaengine: idxd: cdev: Fix uninitialized use of sva in idxd_cdev_open (stable-fixes).
dmaengine: ti: Add NULL check in udma_probe() (git-fixes).
drivers/rapidio/rio_cm.c: prevent possible heap overwrite (stable-fixes).
drm/amd/display/dm: drop hw_support check in amdgpu_dm_i2c_xfer() (stable-fixes).
drm/amd/display: Add debugging message for brightness caps (bsc#1240650).
drm/amd/display: Add null pointer check for get_first_active_display() (git-fixes).
drm/amd/display: Add support for disconnected eDP streams (stable-fixes).
drm/amd/display: Call FP Protect Before Mode Programming/Mode Support (stable-fixes).
drm/amd/display: Configure DTBCLK_P with OPTC only for dcn401 (stable-fixes).
drm/amd/display: Correct timing_adjust_pending flag setting (stable-fixes).
drm/amd/display: Defer BW-optimization-blocked DRR adjustments (git-fixes).
drm/amd/display: Do not enable replay when vtotal update is pending (stable-fixes).
drm/amd/display: Do not treat wb connector as physical in create_validate_stream_for_sink (stable-fixes).
drm/amd/display: Do not try AUX transactions on disconnected link (stable-fixes).
drm/amd/display: Ensure DMCUB idle before reset on DCN31/DCN35 (stable-fixes).
drm/amd/display: Fix BT2020 YCbCr limited/full range input (stable-fixes).
drm/amd/display: Fix DMUB reset sequence for DCN401 (stable-fixes).
drm/amd/display: Fix default DC and AC levels (bsc#1240650).
drm/amd/display: Fix incorrect DPCD configs while Replay/PSR switch (stable-fixes).
drm/amd/display: Fix p-state type when p-state is unsupported (stable-fixes).
drm/amd/display: Guard against setting dispclk low for dcn31x (stable-fixes).
drm/amd/display: Guard against setting dispclk low when active (stable-fixes).
drm/amd/display: Increase block_sequence array size (stable-fixes).
drm/amd/display: Initial psr_version with correct setting (stable-fixes).
drm/amd/display: Populate register address for dentist for dcn401 (stable-fixes).
drm/amd/display: Read LTTPR ALPM caps during link cap retrieval (stable-fixes).
drm/amd/display: Request HW cursor on DCN3.2 with SubVP (stable-fixes).
drm/amd/display: Skip checking FRL_MODE bit for PCON BW determination (stable-fixes).
drm/amd/display: Support multiple options during psr entry (stable-fixes).
drm/amd/display: Update CR AUX RD interval interpretation (stable-fixes).
drm/amd/display: Use Nominal vBlank If Provided Instead Of Capping It (stable-fixes).
drm/amd/display: calculate the remain segments for all pipes (stable-fixes).
drm/amd/display: check stream id dml21 wrapper to get plane_id (stable-fixes).
drm/amd/display: fix dcn4x init failed (stable-fixes).
drm/amd/display: fix link_set_dpms_off multi-display MST corner case (stable-fixes).
drm/amd/display: handle max_downscale_src_width fail check (stable-fixes).
drm/amd/display: not abort link train when bw is low (stable-fixes).
drm/amd/display: pass calculated dram_speed_mts to dml2 (stable-fixes).
drm/amd/display: remove minimum Dispclk and apply oem panel timing (stable-fixes).
drm/amd/pm: Fetch current power limit from PMFW (stable-fixes).
drm/amd/pm: Skip P2S load for SMU v13.0.12 (stable-fixes).
drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table (git-fixes).
drm/amd: Adjust output for discovery error handling (git-fixes).
drm/amdgpu/discovery: check ip_discovery fw file available (stable-fixes).
drm/amdgpu/gfx11: do not read registers in mqd init (stable-fixes).
drm/amdgpu/gfx12: do not read registers in mqd init (stable-fixes).
drm/amdgpu/mes11: fix set_hw_resources_1 calculation (stable-fixes).
drm/amdgpu: Allow P2P access through XGMI (stable-fixes).
drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c (stable-fixes).
drm/amdgpu: Fix missing drain retry fault the last entry (stable-fixes).
drm/amdgpu: Fix the race condition for draining retry fault (stable-fixes).
drm/amdgpu: Set snoop bit for SDMA for MI series (stable-fixes).
drm/amdgpu: Skip pcie_replay_count sysfs creation for VF (stable-fixes).
drm/amdgpu: Update SRIOV video codec caps (stable-fixes).
drm/amdgpu: Use active umc info from discovery (stable-fixes).
drm/amdgpu: adjust drm_firmware_drivers_only() handling (stable-fixes).
drm/amdgpu: enlarge the VBIOS binary size limit (stable-fixes).
drm/amdgpu: read back register after written for VCN v4.0.5 (stable-fixes).
drm/amdgpu: release xcp_mgr on exit (stable-fixes).
drm/amdgpu: remove all KFD fences from the BO on release (stable-fixes).
drm/amdgpu: reset psp->cmd to NULL after releasing the buffer (stable-fixes).
drm/amdgpu: switch job hw_fence to amdgpu_fence (git-fixes).
drm/amdkfd: Correct F8_MODE for gfx950 (git-fixes).
drm/amdkfd: KFD release_work possible circular locking (stable-fixes).
drm/amdkfd: Set per-process flags only once cik/vi (stable-fixes).
drm/amdkfd: Set per-process flags only once for gfx9/10/11/12 (stable-fixes).
drm/amdkfd: fix missing L2 cache info in topology (stable-fixes).
drm/amdkfd: set precise mem ops caps to disabled for gfx 11 and 12 (stable-fixes).
drm/ast: Find VBIOS mode from regular display size (stable-fixes).
drm/ast: Fix comment on modeset lock (git-fixes).
drm/atomic: clarify the rules around drm_atomic_state->allow_modeset (stable-fixes).
drm/bridge: cdns-dsi: Check return value when getting default PHY config (git-fixes).
drm/bridge: cdns-dsi: Fix connecting to next bridge (git-fixes).
drm/bridge: cdns-dsi: Fix phy de-init and flag it so (git-fixes).
drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() (git-fixes).
drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready (git-fixes).
drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe() (git-fixes).
drm/buddy: fix issue that force_merge cannot free all roots (stable-fixes).
drm/etnaviv: Protect the scheduler's pending list with its lock (git-fixes).
drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 (git-fixes).
drm/i915/guc: Check if expecting reply before decrementing outstanding_submission_g2h (git-fixes).
drm/i915/guc: Handle race condition where wakeref count drops below 0 (git-fixes).
drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled (git-fixes).
drm/i915/psr: Fix using wrong mask in REG_FIELD_PREP (git-fixes).
drm/i915: fix build error some more (git-fixes).
drm/mediatek: Fix kobject put for component sub-drivers (git-fixes).
drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence (stable-fixes).
drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr (git-fixes).
drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err (git-fixes).
drm/msm/a6xx: Disable rgb565_predicator on Adreno 7c3 (git-fixes).
drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE (git-fixes).
drm/msm/disp: Correct porch timing for SDM845 (git-fixes).
drm/msm/dpu: Clear CTL_FETCH_PIPE_ACTIVE before blend setup (git-fixes).
drm/msm/dpu: Clear CTL_FETCH_PIPE_ACTIVE on ctl_path reset (git-fixes).
drm/msm/dpu: enable SmartDMA on SC8180X (git-fixes).
drm/msm/dpu: enable SmartDMA on SM8150 (git-fixes).
drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate (git-fixes).
drm/msm/gpu: Fix crash when throttling GPU immediately during boot (git-fixes).
drm/msm: Fix CP_RESET_CONTEXT_STATE bitfield names (git-fixes).
drm/nouveau/bl: increase buffer size to avoid truncate warning (git-fixes).
drm/nouveau: fix the broken marco GSP_MSG_MAX_SIZE (stable-fixes).
drm/panel-edp: Add Starry 116KHD024006 (stable-fixes).
drm/panel-simple: fix the warnings for the Evervision VGG644804 (git-fixes).
drm/panel: samsung-sofef00: Drop s6e3fc2x01 support (git-fixes).
drm/panic: add missing space (git-fixes).
drm/panthor: Fix GPU_COHERENCY_ACE[_LITE] definitions (git-fixes).
drm/panthor: Update panthor_mmu::irq::mask when needed (git-fixes).
drm/rockchip: vop2: Add uv swap for cluster window (stable-fixes).
drm/rockchip: vop2: Improve display modes handling on RK3588 HDMI0 (stable-fixes).
drm/ssd130x: fix ssd132x_clear_screen() columns (git-fixes).
drm/tegra: Assign plane type before registration (git-fixes).
drm/tegra: Fix a possible null pointer dereference (git-fixes).
drm/tegra: rgb: Fix the unbound reference count (git-fixes).
drm/udl: Unregister device before cleaning up on disconnect (git-fixes).
drm/v3d: Add clock handling (stable-fixes).
drm/v3d: Avoid NULL pointer dereference in v3d_job_update_stats() (stable-fixes).
drm/vc4: tests: Use return instead of assert (git-fixes).
drm/vkms: Adjust vkms_state->active_planes allocation type (git-fixes).
drm/vmwgfx: Add error path for xa_store in vmw_bo_add_detached_resource (git-fixes).
drm/vmwgfx: Add seqno waiter for sync_files (git-fixes).
drm/vmwgfx: Fix dumb buffer leak (git-fixes).
drm/xe/bmg: Update Wa_16023588340 (git-fixes).
drm/xe/d3cold: Set power state to D3Cold during s2idle/s3 (git-fixes).
drm/xe/debugfs: Add missing xe_pm_runtime_put in wedge_mode_set (stable-fixes).
drm/xe/debugfs: fixed the return value of wedged_mode_set (stable-fixes).
drm/xe/display: Add check for alloc_ordered_workqueue() (git-fixes).
drm/xe/gt: Update handling of xe_force_wake_get return (stable-fixes).
drm/xe/oa: Ensure that polled read returns latest data (stable-fixes).
drm/xe/pf: Create a link between PF and VF devices (stable-fixes).
drm/xe/pf: Reset GuC VF config when unprovisioning critical resource (stable-fixes).
drm/xe/relay: Do not use GFP_KERNEL for new transactions (stable-fixes).
drm/xe/sa: Always call drm_suballoc_manager_fini() (stable-fixes).
drm/xe/sched: stop re-submitting signalled jobs (git-fixes).
drm/xe/vf: Retry sending MMIO request to GUC on timeout error (stable-fixes).
drm/xe/vm: move rebind_work init earlier (git-fixes).
drm/xe/xe2hpg: Add Wa_22021007897 (stable-fixes).
drm/xe: Create LRC BO without VM (git-fixes).
drm/xe: Do not attempt to bootstrap VF in execlists mode (stable-fixes).
drm/xe: Fix memset on iomem (git-fixes).
drm/xe: Fix xe_tile_init_noalloc() error propagation (stable-fixes).
drm/xe: Make xe_gt_freq part of the Documentation (git-fixes).
drm/xe: Move suballocator init to after display init (stable-fixes).
drm/xe: Nuke VM's mapping upon close (stable-fixes).
drm/xe: Process deferred GGTT node removals on device unwind (git-fixes).
drm/xe: Reject BO eviction if BO is bound to current VM (stable-fixes).
drm/xe: Retry BO allocation (stable-fixes).
drm/xe: Rework eviction rejection of bound external bos (git-fixes).
drm/xe: Save the gt pointer in lrc and drop the tile (stable-fixes).
drm/xe: Stop ignoring errors from xe_ttm_stolen_mgr_init() (stable-fixes).
drm/xe: Wire up device shutdown handler (stable-fixes).
drm/xe: remove unmatched xe_vm_unlock() from __xe_exec_queue_init() (git-fixes).
drm/xe: xe_gen_wa_oob: replace program_invocation_short_name (stable-fixes).
drm: Add valid clones check (stable-fixes).
drm: bridge: adv7511: fill stream capabilities (stable-fixes).
drm: rcar-du: Fix memory leak in rcar_du_vsps_init() (git-fixes).
dummycon: Trigger redraw when switching consoles with deferred takeover (git-fixes).
e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13 (git-fixes).
efi/libstub: Describe missing 'out' parameter in efi_load_initrd (git-fixes).
fbcon: Make sure modelist not set on unregistered console (stable-fixes).
fbcon: Use correct erase colour for clearing in fbcon (stable-fixes).
fbdev/efifb: Remove PM for parent device (bsc#1244261).
fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var (git-fixes).
fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (git-fixes).
fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (git-fixes).
fbdev: core: tileblit: Implement missing margin clearing for tileblit (stable-fixes).
fbdev: fsl-diu-fb: add missing device_remove_file() (stable-fixes).
fgraph: Still initialize idle shadow stacks when starting (git-fixes).
firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES (git-fixes).
firmware: arm_ffa: Reject higher major version as incompatible (stable-fixes).
firmware: arm_ffa: Set dma_mask for ffa devices (stable-fixes).
firmware: arm_scmi: Relax duplicate name constraint across protocol ids (stable-fixes).
firmware: psci: Fix refcount leak in psci_dt_init (git-fixes).
fpga: altera-cvp: Increase credit timeout (stable-fixes).
fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() (git-fixes).
gpio: mlxbf3: only get IRQ for device instance 0 (git-fixes).
gpio: pca953x: Simplify code with cleanup helpers (stable-fixes).
gpio: pca953x: Split pca953x_restore_context() and pca953x_save_context() (stable-fixes).
gpio: pca953x: fix IRQ storm on system wake up (git-fixes).
gpiolib: Revert 'Do not WARN on gpiod_put() for optional GPIO' (stable-fixes).
gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt (git-fixes).
gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (git-fixes).
hwmon: (asus-ec-sensors) check sensor index in read_string() (git-fixes).
hwmon: (dell-smm) Increment the number of fans (stable-fixes).
hwmon: (ftsteutates) Fix TOCTOU race in fts_read() (git-fixes).
hwmon: (gpio-fan) Add missing mutex locks (stable-fixes).
hwmon: (nct6775): Actually make use of the HWMON_NCT6775 symbol namespace (git-fixes).
hwmon: (occ) Rework attribute registration for stack usage (git-fixes).
hwmon: (occ) fix unaligned accesses (git-fixes).
hwmon: (peci/dimmtemp) Do not provide fake thresholds data (git-fixes).
hwmon: (xgene-hwmon) use appropriate type for the latency value (stable-fixes).
hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu (git-fixes).
i2c: designware: Invoke runtime suspend on quick slave re-registration (stable-fixes).
i2c: npcm: Add clock toggle recovery (stable-fixes).
i2c: pxa: fix call balance of i2c->clk handling routines (stable-fixes).
i2c: qup: Vote for interconnect bandwidth to DRAM (stable-fixes).
i2c: robotfuzz-osif: disable zero-length read messages (git-fixes).
i2c: tegra: check msg length in SMBUS block read (bsc#1242086)
i2c: tiny-usb: disable zero-length read messages (git-fixes).
i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() (git-fixes).
i3c: master: svc: Fix missing STOP for master request (stable-fixes).
i3c: master: svc: Flush FIFO before sending Dynamic Address Assignment(DAA) (stable-fixes).
i40e: retry VFLR handling if there is ongoing VF reset (git-fixes).
i40e: return false from i40e_reset_vf if reset is in progress (git-fixes).
ice: Fix LACP bonds without SRIOV environment (git-fixes).
ice: create new Tx scheduler nodes for new queues only (git-fixes).
ice: fix Tx scheduler error handling in XDP callback (git-fixes).
ice: fix rebuilding the Tx scheduler tree for large queue counts (git-fixes).
ice: fix vf->num_mac count with port representors (git-fixes).
ieee802154: ca8210: Use proper setters and getters for bitwise types (stable-fixes).
iio: accel: fxls8962af: Fix temperature scan element sign (git-fixes).
iio: adc: ad7124: Fix 3dB filter frequency reading (git-fixes).
iio: adc: ad7606_spi: fix reg write value mask (git-fixes).
iio: filter: admv8818: Support frequencies >= 2^32 (git-fixes).
iio: filter: admv8818: fix band 4, state 15 (git-fixes).
iio: filter: admv8818: fix integer overflow (git-fixes).
iio: filter: admv8818: fix range calculation (git-fixes).
iio: imu: inv_icm42600: Fix temperature calculation (git-fixes).
ima: Suspend PCR extends and log appends when rebooting (bsc#1210025 ltc#196650).
ima: process_measurement() needlessly takes inode_lock() on MAY_READ (stable-fixes).
intel_th: avoid using deprecated page->mapping, index fields (stable-fixes).
iommu: Protect against overflow in iommu_pgsize() (git-fixes).
iommu: Skip PASID validation for devices without PASID capability (bsc#1244100)
iommu: Validate the PASID in iommu_attach_device_pasid() (bsc#1244100)
ip6mr: fix tables suspicious RCU usage (git-fixes).
ip_tunnel: annotate data-races around t->parms.link (git-fixes).
ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt() function (git-fixes).
ipmr: fix tables suspicious RCU usage (git-fixes).
ipv4: Convert ip_route_input() to dscp_t (git-fixes).
ipv4: Correct/silence an endian warning in __ip_do_redirect (git-fixes).
ipv6: save dontfrag in cork (git-fixes).
ipvs: Always clear ipvs_property flag in skb_scrub_packet() (git-fixes).
isolcpus: fix bug in returning number of allocated cpumask (bsc#1243774).
jffs2: check jffs2_prealloc_raw_node_refs() result in few other places (git-fixes).
jffs2: check that raw node were preallocated before writing summary (git-fixes).
kABI workaround for hda_codec.beep_just_power_on flag (git-fixes).
kABI: PCI: endpoint: Retain fixed-size BAR size as well as aligned size (git-fixes).
kABI: ipv6: save dontfrag in cork (git-fixes).
kABI: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes).
kabi: restore layout of struct cgroup_subsys (bsc#1241166).
kabi: restore layout of struct mem_control (jsc#PED-12551).
kabi: restore layout of struct page_counter (jsc#PED-12551).
kernel-source: Do not use multiple -r in sed parameters
kernel-source: Remove log.sh from sources
leds: pwm-multicolor: Add check for fwnode_property_read_u32 (stable-fixes).
loop: Add sanity check for read/write_iter (git-fixes).
loop: add file_start_write() and file_end_write() (git-fixes).
mailbox: use error ret code of of_parse_phandle_with_args() (stable-fixes).
md/raid1,raid10: do not handle IO error for REQ_RAHEAD and REQ_NOWAIT (git-fixes).
md/raid1: Add check for missing source disk in process_checks() (git-fixes).
media: adv7180: Disable test-pattern control on adv7180 (stable-fixes).
media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() (stable-fixes).
media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case (git-fixes).
media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div (git-fixes).
media: ccs-pll: Start OP pre-PLL multiplier search from correct value (git-fixes).
media: ccs-pll: Start VT pre-PLL multiplier search from correct value (git-fixes).
media: cx231xx: set device_caps for 417 (stable-fixes).
media: cxusb: no longer judge rbuf when the write fails (git-fixes).
media: davinci: vpif: Fix memory leak in probe error path (git-fixes).
media: gspca: Add error handling for stv06xx_read_sensor() (git-fixes).
media: i2c: imx219: Correct the minimum vblanking value (stable-fixes).
media: imx-jpeg: Cleanup after an allocation error (git-fixes).
media: imx-jpeg: Drop the first error frames (git-fixes).
media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead (git-fixes).
media: imx-jpeg: Reset slot data pointers when freed (git-fixes).
media: intel/ipu6: Fix dma mask for non-secure mode (git-fixes).
media: ipu6: Remove workaround for Meteor Lake ES2 (git-fixes).
media: nxp: imx8-isi: better handle the m2m usage_count (git-fixes).
media: omap3isp: use sgtable-based scatterlist wrappers (git-fixes).
media: ov2740: Move pm-runtime cleanup on probe-errors to proper place (git-fixes).
media: ov5675: suppress probe deferral errors (git-fixes).
media: ov8856: suppress probe deferral errors (git-fixes).
media: platform: mtk-mdp3: Remove unused mdp_get_plat_device (git-fixes).
media: qcom: camss: csid: Only add TPG v4l2 ctrl if TPG hardware is available (stable-fixes).
media: rkvdec: Fix frame size enumeration (git-fixes).
media: tc358746: improve calculation of the D-PHY timing registers (stable-fixes).
media: test-drivers: vivid: do not call schedule in loop (stable-fixes).
media: uvcvideo: Add sanity check to uvc_ioctl_xu_ctrl_map (stable-fixes).
media: uvcvideo: Fix deferred probing error (git-fixes).
media: uvcvideo: Handle uvc menu translation inside uvc_get_le_value (stable-fixes).
media: uvcvideo: Return the number of processed controls (git-fixes).
media: v4l2-dev: fix error handling in __video_register_device() (git-fixes).
media: v4l: Memset argument to 0 before calling get_mbus_config pad op (stable-fixes).
media: venus: Fix probe error handling (git-fixes).
media: verisilicon: Free post processor buffers on error (git-fixes).
media: videobuf2: use sgtable-based scatterlist wrappers (git-fixes).
media: vidtv: Terminating the subsequent process of initialization failure (git-fixes).
media: vivid: Change the siize of the composing (git-fixes).
mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() (git-fixes).
mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE (git-fixes).
mfd: tps65219: Remove TPS65219_REG_TI_DEV_ID check (stable-fixes).
mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
mm, memcg: cg2 memory{.swap,}.peak write handlers (jsc#PED-12551).
mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
mm/memcontrol: export memcg.swap watermark via sysfs for v2 memcg (jsc#PED-12551).
mmc: Add quirk to disable DDR50 tuning (stable-fixes).
mmc: dw_mmc: add exynos7870 DW MMC support (stable-fixes).
mmc: host: Wait for Vdd to settle on card power off (stable-fixes).
mmc: sdhci: Disable SD card clock before changing parameters (stable-fixes).
mtd: nand: ecc-mxic: Fix use of uninitialized variable ret (git-fixes).
mtd: nand: sunxi: Add randomizer configuration before randomizer enable (git-fixes).
mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk (git-fixes).
neighbour: Do not let neigh_forced_gc() disable preemption for long (git-fixes).
net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (git-fixes).
net/mdiobus: Fix potential out-of-bounds read/write access (git-fixes).
net/mlx4_en: Prevent potential integer overflow calculating Hz (git-fixes).
net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() (git-fixes).
net/mlx5: Ensure fw pages are always allocated on same NUMA (git-fixes).
net/mlx5: Fix ECVF vports unload on shutdown flow (git-fixes).
net/mlx5: Fix return value when searching for existing flow group (git-fixes).
net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() (git-fixes).
net/mlx5e: Fix leak of Geneve TLV option object (git-fixes).
net/neighbor: clear error in case strict check is not set (git-fixes).
net/sched: fix use-after-free in taprio_dev_notifier (git-fixes).
net: Fix TOCTOU issue in sk_is_readable() (git-fixes).
net: Implement missing getsockopt(SO_TIMESTAMPING_NEW) (git-fixes).
net: add rcu safety to rtnl_prop_list_size() (git-fixes).
net: fix udp gso skb_segment after pull from frag_list (git-fixes).
net: give more chances to rcu in netdev_wait_allrefs_any() (git-fixes).
net: ice: Perform accurate aRFS flow match (git-fixes).
net: ipv4: fix a memleak in ip_setup_cork (git-fixes).
net: linkwatch: use system_unbound_wq (git-fixes).
net: mana: Add support for Multi Vports on Bare metal (bsc#1244229).
net: mana: Record doorbell physical address in PF mode (bsc#1244229).
net: page_pool: fix warning code (git-fixes).
net: phy: clear phydev->devlink when the link is deleted (git-fixes).
net: phy: fix up const issues in to_mdio_device() and to_phy_device() (git-fixes).
net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend() (bsc#1243538)
net: phy: mscc: Fix memory leak when using one step timestamping (git-fixes).
net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames (git-fixes).
net: sched: cls_u32: Fix allocation size in u32_init() (git-fixes).
net: sched: consistently use rcu_replace_pointer() in taprio_change() (git-fixes).
net: sched: em_text: fix possible memory leak in em_text_destroy() (git-fixes).
net: sched: fix erspan_opt settings in cls_flower (git-fixes).
net: usb: aqc111: debug info before sanitation (git-fixes).
net: usb: aqc111: fix error handling of usbnet read calls (git-fixes).
net: wwan: t7xx: Fix napi rx poll issue (git-fixes).
net_sched: ets: fix a race in ets_qdisc_change() (git-fixes).
net_sched: prio: fix a race in prio_tune() (git-fixes).
net_sched: red: fix a race in __red_change() (git-fixes).
net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
net_sched: sch_sfq: reject invalid perturb period (git-fixes).
net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
net_sched: tbf: fix a race in tbf_change() (git-fixes).
netdev-genl: Hold rcu_read_lock in napi_get (git-fixes).
netlink: fix potential sleeping issue in mqueue_flush_file (git-fixes).
netlink: specs: dpll: replace underscores with dashes in names (git-fixes).
netpoll: Use rcu_access_pointer() in __netpoll_setup (git-fixes).
netpoll: hold rcu read lock in __netpoll_send_skb() (git-fixes).
nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (git-fixes).
nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (git-fixes).
nfsd: validate the nfsd_serv pointer before calling svc_wake_up (git-fixes).
ntp: Clamp maxerror and esterror to operating range (git-fixes)
ntp: Remove invalid cast in time offset math (git-fixes)
ntp: Safeguard against time_constant overflow (git-fixes)
nvme-fc: do not reference lsrsp after failure (bsc#1245193).
nvme-pci: add NVME_QUIRK_NO_DEEPEST_PS quirk for SOLIDIGM P44 Pro (git-fixes).
nvme-pci: add quirks for WDC Blue SN550 15b7:5009 (git-fixes).
nvme-pci: add quirks for device 126f:1001 (git-fixes).
nvme: always punt polled uring_cmd end_io work to task_work (git-fixes).
nvme: fix command limits status code (git-fixes).
nvme: fix implicit bool to flags conversion (git-fixes).
nvmet-fc: free pending reqs on tgtport unregister (bsc#1245193).
nvmet-fc: take tgtport refs for portentry (bsc#1245193).
nvmet-fcloop: access fcpreq only when holding reqlock (bsc#1245193).
nvmet-fcloop: add missing fcloop_callback_host_done (bsc#1245193).
nvmet-fcloop: allocate/free fcloop_lsreq directly (bsc#1245193).
nvmet-fcloop: do not wait for lport cleanup (bsc#1245193).
nvmet-fcloop: drop response if targetport is gone (bsc#1245193).
nvmet-fcloop: prevent double port deletion (bsc#1245193).
nvmet-fcloop: refactor fcloop_delete_local_port (bsc#1245193).
nvmet-fcloop: refactor fcloop_nport_alloc and track lport (bsc#1245193).
nvmet-fcloop: remove nport from list on last user (bsc#1245193).
nvmet-fcloop: track ref counts for nports (bsc#1245193).
nvmet-fcloop: update refs on tfcp_req (bsc#1245193).
orangefs: Do not truncate file size (git-fixes).
pNFS/flexfiles: Report ENETDOWN as a connection error (git-fixes).
page_pool: Fix use-after-free in page_pool_recycle_in_ring (git-fixes).
phy: core: do not require set_mode() callback for phy_get_mode() to work (stable-fixes).
phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug (git-fixes).
phy: renesas: rcar-gen3-usb2: Add support to initialize the bus (stable-fixes).
phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off (git-fixes).
phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data (git-fixes).
phy: renesas: rcar-gen3-usb2: Move IRQ request in probe (stable-fixes).
pinctrl-tegra: Restore SFSEL bit when freeing pins (stable-fixes).
pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() (stable-fixes).
pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() (stable-fixes).
pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() (stable-fixes).
pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() (stable-fixes).
pinctrl: armada-37xx: set GPIO output value before setting direction (git-fixes).
pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 (git-fixes).
pinctrl: at91: Fix possible out-of-boundary access (git-fixes).
pinctrl: bcm281xx: Use 'unsigned int' instead of bare 'unsigned' (stable-fixes).
pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map (stable-fixes).
pinctrl: mcp23s08: Reset all pins to input at probe (stable-fixes).
pinctrl: meson: define the pull up/down resistor value as 60 kOhm (stable-fixes).
pinctrl: qcom: pinctrl-qcm2290: Add missing pins (git-fixes).
pinctrl: st: Drop unused st_gpio_bank() function (git-fixes).
pinctrl: tegra: Fix off by one in tegra_pinctrl_get_group() (git-fixes).
platform/x86/amd/hsmp: Add new error code and error logs (jsc#PED-13094).
platform/x86/amd/hsmp: Add support for HSMP protocol version 7 messages (jsc#PED-13094).
platform/x86/amd/hsmp: Change generic plat_dev name to hsmp_pdev (jsc#PED-13094).
platform/x86/amd/hsmp: Change the error type (jsc#PED-13094).
platform/x86/amd/hsmp: Convert amd_hsmp_rdwr() to a function pointer (jsc#PED-13094).
platform/x86/amd/hsmp: Create hsmp/ directory (jsc#PED-13094).
platform/x86/amd/hsmp: Create separate ACPI, plat and common drivers (jsc#PED-13094).
platform/x86/amd/hsmp: Create wrapper function init_acpi() (jsc#PED-13094).
platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive drivers (jsc#PED-13094).
platform/x86/amd/hsmp: Make hsmp_pdev static instead of global (jsc#PED-13094).
platform/x86/amd/hsmp: Move ACPI code to acpi.c (jsc#PED-13094).
platform/x86/amd/hsmp: Move platform device specific code to plat.c (jsc#PED-13094).
platform/x86/amd/hsmp: Move structure and macros to header file (jsc#PED-13094).
platform/x86/amd/hsmp: Report power via hwmon sensor (jsc#PED-13094).
platform/x86/amd/hsmp: Use a single DRIVER_VERSION for all hsmp modules (jsc#PED-13094).
platform/x86/amd/hsmp: Use dev_groups in the driver structure (jsc#PED-13094).
platform/x86/amd/hsmp: Use name space while exporting module symbols (jsc#PED-13094).
platform/x86/amd/hsmp: acpi: Add sysfs files to display HSMP telemetry (jsc#PED-13094).
platform/x86/amd/hsmp: fix building with CONFIG_HWMON=m (jsc#PED-13094).
platform/x86/amd/hsmp: mark hsmp_msg_desc_table as maybe_unused (git-fixes).
platform/x86/amd: pmc: Clear metrics table at start of cycle (git-fixes).
platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL (git-fixes).
platform/x86: amd: Use *-y instead of *-objs in Makefiles (jsc#PED-13094).
platform/x86: dell_rbu: Fix list usage (git-fixes).
platform/x86: dell_rbu: Stop overwriting data buffer (git-fixes).
platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (git-fixes).
platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys (stable-fixes).
platform/x86: hp-bioscfg: Annotate struct bios_args with __counted_by (jsc#PED-13019).
platform/x86: hp-bioscfg: Change how enum possible values size is evaluated (jsc#PED-13019).
platform/x86: hp-bioscfg: Change how order list size is evaluated (jsc#PED-13019).
platform/x86: hp-bioscfg: Change how password encoding size is evaluated (jsc#PED-13019).
platform/x86: hp-bioscfg: Change how prerequisites size is evaluated (jsc#PED-13019).
platform/x86: hp-bioscfg: Fix error handling in hp_add_other_attributes() (jsc#PED-13019).
platform/x86: hp-bioscfg: Fix memory leaks in attribute packages (jsc#PED-13019).
platform/x86: hp-bioscfg: Fix reference leak (jsc#PED-13019).
platform/x86: hp-bioscfg: Fix uninitialized variable errors (jsc#PED-13019).
platform/x86: hp-bioscfg: Makefile (jsc#PED-13019).
platform/x86: hp-bioscfg: Remove duplicate use of variable in inner loop (jsc#PED-13019).
platform/x86: hp-bioscfg: Remove unused obj in hp_add_other_attributes() (jsc#PED-13019).
platform/x86: hp-bioscfg: Removed needless asm-generic (jsc#PED-13019).
platform/x86: hp-bioscfg: Replace the word HACK from source code (jsc#PED-13019).
platform/x86: hp-bioscfg: Simplify return check in hp_add_other_attributes() (jsc#PED-13019).
platform/x86: hp-bioscfg: Update steps order list elements are evaluated (jsc#PED-13019).
platform/x86: hp-bioscfg: Use kmemdup() to replace kmalloc + memcpy (jsc#PED-13019).
platform/x86: hp-bioscfg: biosattr-interface (jsc#PED-13019).
platform/x86: hp-bioscfg: bioscfg (jsc#PED-13019).
platform/x86: hp-bioscfg: bioscfg-h (jsc#PED-13019).
platform/x86: hp-bioscfg: enum-attributes (jsc#PED-13019).
platform/x86: hp-bioscfg: fix a signedness bug in hp_wmi_perform_query() (jsc#PED-13019).
platform/x86: hp-bioscfg: fix error reporting in hp_add_other_attributes() (jsc#PED-13019).
platform/x86: hp-bioscfg: int-attributes (jsc#PED-13019).
platform/x86: hp-bioscfg: move mutex_lock() down in hp_add_other_attributes() (jsc#PED-13019).
platform/x86: hp-bioscfg: order-list-attributes (jsc#PED-13019).
platform/x86: hp-bioscfg: passwdobj-attributes (jsc#PED-13019).
platform/x86: hp-bioscfg: prevent a small buffer overflow (jsc#PED-13019).
platform/x86: hp-bioscfg: spmobj-attributes (jsc#PED-13019).
platform/x86: hp-bioscfg: string-attributes (jsc#PED-13019).
platform/x86: hp-bioscfg: surestart-attributes (jsc#PED-13019).
platform/x86: ideapad-laptop: use usleep_range() for EC polling (git-fixes).
platform/x86: thinkpad_acpi: Ignore battery threshold change event notification (stable-fixes).
platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (git-fixes).
platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS (stable-fixes).
power: reset: at91-reset: Optimize at91_reset() (git-fixes).
power: supply: bq27xxx: Retrieve again when busy (stable-fixes).
power: supply: collie: Fix wakeup source leaks on device unbind (stable-fixes).
powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery (bsc#1215199).
powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states (bsc#1215199).
powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
pstore: Change kmsg_bytes storage size to u32 (git-fixes).
ptp: ocp: fix start time alignment in ptp_ocp_signal_set (git-fixes).
ptp: ocp: reject unsupported periodic output flags (git-fixes).
ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() (git-fixes).
r8152: add vendor/device ID pair for Dell Alienware AW1022z (git-fixes).
regulator: ad5398: Add device tree support (stable-fixes).
regulator: max14577: Add error check for max14577_read_reg() (git-fixes).
regulator: max20086: Change enable gpio to optional (git-fixes).
regulator: max20086: Fix MAX200086 chip id (git-fixes).
regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt() (git-fixes).
rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE Useful when someone tries (needs) to build the kernel with clang.
rpm/kernel-source.changes.old: Drop bogus bugzilla reference (bsc#1244725)
rpm: Stop using is_kotd_qa macro This macro is set by bs-upload-kernel, and a conditional in each spec file is used to determine when to build the spec file. This logic should not really be in the spec file. Previously this was done with package links and package meta for the individula links. However, the use of package links is rejected for packages in git based release projects (nothing to do with git actually, new policy). An alternative to package links is multibuild. However, for multibuild packages package meta cannot be used to set which spec file gets built. Use prjcon buildflags instead, and remove this conditional. Depends on bs-upload-kernel adding the build flag.
rtc: Fix offset calculation for .start_secs < 0 (git-fixes).
rtc: Make rtc_time64_to_tm() support dates before 1970 (stable-fixes).
rtc: at91rm9200: drop unused module alias (git-fixes).
rtc: cmos: use spin_lock_irqsave in cmos_interrupt (git-fixes).
rtc: cpcap: drop unused module alias (git-fixes).
rtc: da9063: drop unused module alias (git-fixes).
rtc: ds1307: stop disabling alarms on probe (stable-fixes).
rtc: jz4740: drop unused module alias (git-fixes).
rtc: pm8xxx: drop unused module alias (git-fixes).
rtc: rv3032: fix EERD location (stable-fixes).
rtc: s3c: drop unused module alias (git-fixes).
rtc: sh: assign correct interrupts with DT (git-fixes).
rtc: stm32: drop unused module alias (git-fixes).
s390/pci: Allow re-add of a reserved but not yet removed device (bsc#1244145).
s390/pci: Fix __pcilg_mio_inuser() inline assembly (git-fixes bsc#1245226).
s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs (git-fixes bsc#1244145).
s390/pci: Fix potential double remove of hotplug slot (bsc#1244145).
s390/pci: Prevent self deletion in disable_slot() (bsc#1244145).
s390/pci: Remove redundant bus removal and disable from zpci_release_device() (bsc#1244145).
s390/pci: Serialize device addition and removal (bsc#1244145).
s390/pci: introduce lock to synchronize state of zpci_dev's (jsc#PED-10253 bsc#1244145).
s390/pci: remove hotplug slot when releasing the device (bsc#1244145).
s390/pci: rename lock member in struct zpci_dev (jsc#PED-10253 bsc#1244145).
s390/tty: Fix a potential memory leak bug (git-fixes bsc#1245228).
scsi: Improve CDL control (git-fixes).
scsi: dc395x: Remove DEBUG conditional compilation (git-fixes).
scsi: dc395x: Remove leftover if statement in reselect() (git-fixes).
scsi: elx: efct: Fix memory leak in efct_hw_parse_filter() (git-fixes).
scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk (git-fixes).
scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (git-fixes).
scsi: iscsi: Fix incorrect error path labels for flashnode operations (git-fixes).
scsi: megaraid_sas: Block zero-length ATA VPD inquiry (git-fixes).
scsi: mpi3mr: Add level check to control event logging (git-fixes).
scsi: mpt3sas: Fix _ctl_get_mpt_mctp_passthru_adapter() to return IOC pointer (git-fixes).
scsi: mpt3sas: Send a diag reset if target reset fails (git-fixes).
scsi: pm80xx: Set phy_attached to zero when device is gone (git-fixes).
scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops (git-fixes).
scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer (git-fixes).
scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels (git-fixes).
scsi: st: ERASE does not change tape location (git-fixes).
scsi: st: Restore some drive settings after reset (git-fixes).
scsi: st: Tighten the page format heuristics with MODE SELECT (git-fixes).
scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
scsi: storvsc: Increase the timeouts to storvsc_timeout (git-fixes).
selftests/bpf: Fix bpf_nf selftest failure (git-fixes).
selftests/mm: restore default nr_hugepages value during cleanup in hugetlb_reparenting_test.sh (git-fixes).
selftests/net: have gro.sh -t return a correct exit code (stable-fixes).
selftests/seccomp: fix syscall_restart test for arm compat (git-fixes).
serial: Fix potential null-ptr-deref in mlb_usio_probe() (git-fixes).
serial: core: restore of_node information in sysfs (git-fixes).
serial: imx: Restore original RXTL for console to fix data loss (git-fixes).
serial: jsm: fix NPE during jsm_uart_port_init (git-fixes).
serial: mctrl_gpio: split disable_ms into sync and no_sync APIs (git-fixes).
serial: sh-sci: Move runtime PM enable to sci_probe_single() (stable-fixes).
serial: sh-sci: Save and restore more registers (git-fixes).
serial: sh-sci: Update the suspend/resume support (stable-fixes).
smb3: fix Open files on server counter going negative (git-fixes).
smb: client: Use str_yes_no() helper function (git-fixes).
smb: client: allow more DFS referrals to be cached (git-fixes).
smb: client: avoid unnecessary reconnects when refreshing referrals (git-fixes).
smb: client: change return value in open_cached_dir_by_dentry() if !cfids (git-fixes).
smb: client: do not retry DFS targets on server shutdown (git-fixes).
smb: client: do not trust DFSREF_STORAGE_SERVER bit (git-fixes).
smb: client: do not try following DFS links in cifs_tree_connect() (git-fixes).
smb: client: fix DFS interlink failover (git-fixes).
smb: client: fix DFS mount against old servers with NTLMSSP (git-fixes).
smb: client: fix hang in wait_for_response() for negproto (bsc#1242709).
smb: client: fix potential race in cifs_put_tcon() (git-fixes).
smb: client: fix return value of parse_dfs_referrals() (git-fixes).
smb: client: get rid of @nlsc param in cifs_tree_connect() (git-fixes).
smb: client: get rid of TCP_Server_Info::refpath_lock (git-fixes).
smb: client: get rid of kstrdup() in get_ses_refpath() (git-fixes).
smb: client: improve purging of cached referrals (git-fixes).
smb: client: introduce av_for_each_entry() helper (git-fixes).
smb: client: optimize referral walk on failed link targets (git-fixes).
smb: client: parse DNS domain name from domain= option (git-fixes).
smb: client: parse av pair type 4 in CHALLENGE_MESSAGE (git-fixes).
smb: client: provide dns_resolve_{unc,name} helpers (git-fixes).
smb: client: refresh referral without acquiring refpath_lock (git-fixes).
smb: client: remove unnecessary checks in open_cached_dir() (git-fixes).
soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (git-fixes).
soc: aspeed: lpc: Fix impossible judgment condition (git-fixes).
soc: qcom: smp2p: Fix fallback to qcom,ipc parse (git-fixes).
soc: ti: k3-socinfo: Do not use syscon helper to build regmap (stable-fixes).
software node: Correct a OOB check in software_node_get_reference_args() (stable-fixes).
soundwire: amd: change the soundwire wake enable/disable sequence (stable-fixes).
spi-rockchip: Fix register out of bounds access (stable-fixes).
spi: bcm63xx-hsspi: fix shared reset (git-fixes).
spi: bcm63xx-spi: fix shared reset (git-fixes).
spi: sh-msiof: Fix maximum DMA transfer size (git-fixes).
spi: spi-sun4i: fix early activation (stable-fixes).
spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (git-fixes).
spi: tegra210-quad: modify chip select (CS) deactivation (git-fixes).
spi: tegra210-quad: remove redundant error handling code (git-fixes).
spi: zynqmp-gqspi: Always acknowledge interrupts (stable-fixes).
staging: iio: ad5933: Correct settling cycles encoding per datasheet (git-fixes).
staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() (git-fixes).
struct usci: hide additional member (git-fixes).
sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (git-fixes).
supported.conf: Add SNP SVSM vTPM driver
supported.conf: add it
supported.conf: support firmware_attributes_class
svsm: Add header with SVSM_VTPM_CMD helpers (bsc#1241191).
sysfb: Fix screen_info type check for VGA (git-fixes).
tcp/dccp: allow a connection when sk_max_ack_backlog is zero (git-fixes).
tcp/dccp: bypass empty buckets in inet_twsk_purge() (git-fixes).
tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog (git-fixes).
tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() (git-fixes).
tcp_metrics: optimize tcp_metrics_flush_all() (git-fixes).
thermal/drivers/mediatek/lvts: Fix debugfs unregister on failure (git-fixes).
thermal/drivers/qoriq: Power down TMU on system suspend (stable-fixes).
thunderbolt: Do not add non-active NVM if NVM upgrade is disabled for retimer (stable-fixes).
thunderbolt: Do not double dequeue a configuration request (stable-fixes).
thunderbolt: Fix a logic error in wake on connect (git-fixes).
thunderbolt: Improve redrive mode handling (git-fixes).
timekeeping: Fix bogus clock_was_set() invocation in (git-fixes)
timekeeping: Fix cross-timestamp interpolation corner case (git-fixes)
timekeeping: Fix cross-timestamp interpolation for non-x86 (git-fixes)
timekeeping: Fix cross-timestamp interpolation on counter (git-fixes)
tpm: Add SNP SVSM vTPM driver (bsc#1241191).
tpm: Make chip->{status,cancel,req_canceled} opt (bsc#1241191).
trace/trace_event_perf: remove duplicate samples on the first tracepoint event (git-fixes).
tracing/eprobe: Fix to release eprobe when failed to add dyn_event (git-fixes).
tracing: Add __print_dynamic_array() helper (bsc#1243544).
tracing: Add __string_len() example (bsc#1243544).
tracing: Fix cmp_entries_dup() to respect sort() comparison rules (git-fixes).
tracing: Fix compilation warning on arm32 (bsc#1243551).
tracing: Use atomic64_inc_return() in trace_clock_counter() (git-fixes).
truct dwc3 hide new member wakeup_pending_funcs (git-fixes).
tty: serial: 8250_omap: fix TX with DMA for am33xx (git-fixes).
ucsi_debugfs_entry: hide signedness change (git-fixes).
udp: annotate data-races around up->pending (git-fixes).
udp: fix incorrect parameter validation in the udp_lib_getsockopt() function (git-fixes).
udp: fix receiving fraglist GSO packets (git-fixes).
udp: preserve the connected status if only UDP cmsg (git-fixes).
uprobes: Use kzalloc to allocate xol area (git-fixes).
usb: Flush altsetting 0 endpoints before reinitializating them after reset (git-fixes).
usb: cdnsp: Fix issue with detecting USB 3.2 speed (git-fixes).
usb: cdnsp: Fix issue with detecting command completion event (git-fixes).
usb: dwc3: gadget: Make gadget_wakeup asynchronous (git-fixes).
usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs (git-fixes).
usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE (stable-fixes).
usb: renesas_usbhs: Reorder clock handling and power management in probe (git-fixes).
usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device (stable-fixes).
usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx() (git-fixes).
usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work (git-fixes).
usb: typec: ucsi: Only enable supported notifications (git-fixes).
usb: typec: ucsi: allow non-partner GET_PDOS for Qualcomm devices (git-fixes).
usb: typec: ucsi: fix Clang -Wsign-conversion warning (git-fixes).
usb: typec: ucsi: fix UCSI on buggy Qualcomm devices (git-fixes).
usb: typec: ucsi: limit the UCSI_NO_PARTNER_PDOS even further (git-fixes).
usb: usbtmc: Fix read_stb function and get_stb ioctl (git-fixes).
usb: usbtmc: Fix timeout value in get_stb (git-fixes).
usb: xhci: Do not change the status of stalled TDs on failed Stop EP (stable-fixes).
usbnet: asix AX88772: leave the carrier control to phylink (stable-fixes).
vgacon: Add check for vc_origin address range in vgacon_scroll() (git-fixes).
vmxnet3: correctly report gso type for UDP tunnels (bsc#1244626).
vmxnet3: support higher link speeds from vmxnet3 v9 (bsc#1244626).
vmxnet3: update MTU after device quiesce (bsc#1244626).
vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() (git-fixes).
watchdog: da9052_wdt: respect TWDMIN (stable-fixes).
watchdog: exar: Shorten identity name to fit correctly (git-fixes).
watchdog: fix watchdog may detect false positive of softlockup (stable-fixes).
watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 (git-fixes).
watchdog: mediatek: Add support for MT6735 TOPRGU/WDT (git-fixes).
wifi: ath11k: Fix QMI memory reuse logic (stable-fixes).
wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request() (git-fixes).
wifi: ath11k: convert timeouts to secs_to_jiffies() (stable-fixes).
wifi: ath11k: do not use static variables in ath11k_debugfs_fw_stats_process() (git-fixes).
wifi: ath11k: do not wait when there is no vdev started (git-fixes).
wifi: ath11k: fix node corruption in ar->arvifs list (git-fixes).
wifi: ath11k: fix ring-buffer corruption (git-fixes).
wifi: ath11k: fix rx completion meta data corruption (git-fixes).
wifi: ath11k: fix soc_dp_stats debugfs file permission (stable-fixes).
wifi: ath11k: move some firmware stats related functions outside of debugfs (git-fixes).
wifi: ath11k: update channel list in worker when wait flag is set (bsc#1243847).
wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready (git-fixes).
wifi: ath12k: ACPI CCA threshold support (bsc#1240998).
wifi: ath12k: ACPI SAR support (bsc#1240998).
wifi: ath12k: ACPI TAS support (bsc#1240998).
wifi: ath12k: ACPI band edge channel power support (bsc#1240998).
wifi: ath12k: Add MSDU length validation for TKIP MIC error (git-fixes).
wifi: ath12k: Add additional checks for vif and sta iterators (bsc#1240998).
wifi: ath12k: Add firmware coredump collection support (bsc#1240998).
wifi: ath12k: Add htt_stats_dump file ops support (bsc#1240998).
wifi: ath12k: Add lock to protect the hardware state (bsc#1240998).
wifi: ath12k: Add missing htt_metadata flag in ath12k_dp_tx() (bsc#1240998).
wifi: ath12k: Add support to enable debugfs_htt_stats (bsc#1240998).
wifi: ath12k: Add support to parse requested stats_type (bsc#1240998).
wifi: ath12k: Avoid -Wflex-array-member-not-at-end warnings (bsc#1240998).
wifi: ath12k: Avoid napi_sync() before napi_enable() (stable-fixes).
wifi: ath12k: Cache vdev configs before vdev create (bsc#1240998).
wifi: ath12k: Dump additional Tx PDEV HTT stats (bsc#1240998).
wifi: ath12k: Fetch regdb.bin file from board-2.bin (stable-fixes).
wifi: ath12k: Fix WARN_ON during firmware crash in split-phy (bsc#1240998).
wifi: ath12k: Fix WMI tag for EHT rate in peer assoc (git-fixes).
wifi: ath12k: Fix buffer overflow in debugfs (bsc#1240998).
wifi: ath12k: Fix devmem address prefix when logging (bsc#1240998).
wifi: ath12k: Fix end offset bit definition in monitor ring descriptor (stable-fixes).
wifi: ath12k: Fix for out-of bound access error (bsc#1240998).
wifi: ath12k: Fix invalid memory access while forming 802.11 header (git-fixes).
wifi: ath12k: Fix memory leak during vdev_id mismatch (git-fixes).
wifi: ath12k: Fix pdev id sent to firmware for single phy devices (bsc#1240998).
wifi: ath12k: Fix the QoS control field offset to build QoS header (git-fixes).
wifi: ath12k: Handle error cases during extended skb allocation (git-fixes).
wifi: ath12k: Improve BSS discovery with hidden SSID in 6 GHz band (stable-fixes).
wifi: ath12k: Introduce device index (bsc#1240998).
wifi: ath12k: Modify add and remove chanctx ops for single wiphy support (bsc#1240998).
wifi: ath12k: Modify print_array_to_buf() to support arrays with 1-based semantics (bsc#1240998).
wifi: ath12k: Modify rts threshold mac op for single wiphy (bsc#1240998).
wifi: ath12k: Modify set and get antenna mac ops for single wiphy (bsc#1240998).
wifi: ath12k: Optimize the lock contention of used list in Rx data path (bsc#1240998).
wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz (stable-fixes).
wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash (bsc#1240998).
wifi: ath12k: Refactor Rxdma buffer replinish argument (bsc#1240998).
wifi: ath12k: Refactor data path cmem init (bsc#1240998).
wifi: ath12k: Refactor error handler of Rxdma replenish (bsc#1240998).
wifi: ath12k: Refactor idle ring descriptor setup (bsc#1240998).
wifi: ath12k: Refactor the hardware cookie conversion init (bsc#1240998).
wifi: ath12k: Refactor the hardware recovery procedure (bsc#1240998).
wifi: ath12k: Refactor the hardware state (bsc#1240998).
wifi: ath12k: Remove unsupported tx monitor handling (bsc#1240998).
wifi: ath12k: Remove unused ath12k_base from ath12k_hw (bsc#1240998).
wifi: ath12k: Remove unused tcl_*_ring configuration (bsc#1240998).
wifi: ath12k: Replace 'chip' with 'device' in hal Rx return buffer manager (bsc#1240998).
wifi: ath12k: Report proper tx completion status to mac80211 (stable-fixes).
wifi: ath12k: Resolve multicast packet drop by populating key_cipher in ath12k_install_key() (bsc#1240998).
wifi: ath12k: Support BE OFDMA Pdev Rate Stats (bsc#1240998).
wifi: ath12k: Support DMAC Reset Stats (bsc#1240998).
wifi: ath12k: Support Pdev OBSS Stats (bsc#1240998).
wifi: ath12k: Support Pdev Scheduled Algorithm Stats (bsc#1240998).
wifi: ath12k: Support Ring and SFM stats (bsc#1240998).
wifi: ath12k: Support Self-Generated Transmit stats (bsc#1240998).
wifi: ath12k: Support TQM stats (bsc#1240998).
wifi: ath12k: Support Transmit DE stats (bsc#1240998).
wifi: ath12k: Support Transmit Scheduler stats (bsc#1240998).
wifi: ath12k: Support pdev CCA Stats (bsc#1240998).
wifi: ath12k: Support pdev Transmit Multi-user stats (bsc#1240998).
wifi: ath12k: Support pdev error stats (bsc#1240998).
wifi: ath12k: add 6 GHz params in peer assoc command (bsc#1240998).
wifi: ath12k: add ATH12K_DBG_WOW log level (bsc#1240998).
wifi: ath12k: add EMA beacon support (bsc#1240998).
wifi: ath12k: add MBSSID beacon support (bsc#1240998).
wifi: ath12k: add WoW net-detect functionality (bsc#1240998).
wifi: ath12k: add basic WoW functionalities (bsc#1240998).
wifi: ath12k: add channel 2 into 6 GHz channel list (bsc#1240998).
wifi: ath12k: add hw_link_id in ath12k_pdev (bsc#1240998).
wifi: ath12k: add missing lockdep_assert_wiphy() for ath12k_mac_op_ functions (bsc#1240998).
wifi: ath12k: add multi device support for WBM idle ring buffer setup (bsc#1240998).
wifi: ath12k: add multiple radio support in a single MAC HW un/register (bsc#1240998).
wifi: ath12k: add panic handler (bsc#1240998).
wifi: ath12k: add support to handle beacon miss for WCN7850 (bsc#1240998).
wifi: ath12k: advertise driver capabilities for MBSSID and EMA (bsc#1240998).
wifi: ath12k: allocate dummy net_device dynamically (bsc#1240998).
wifi: ath12k: ath12k_mac_op_set_key(): fix uninitialized symbol 'ret' (bsc#1240998).
wifi: ath12k: ath12k_mac_op_sta_state(): clean up update_wk cancellation (bsc#1240998).
wifi: ath12k: ath12k_mac_set_key(): remove exit label (bsc#1240998).
wifi: ath12k: avoid double SW2HW_MACID conversion (bsc#1240998).
wifi: ath12k: avoid duplicated vdev down (bsc#1240998).
wifi: ath12k: avoid redundant code in Rx cookie conversion init (bsc#1240998).
wifi: ath12k: avoid stopping mac80211 queues in ath12k_core_restart() (bsc#1240998).
wifi: ath12k: avoid unnecessary MSDU drop in the Rx error process (bsc#1240998).
wifi: ath12k: change supports_suspend to true for WCN7850 (bsc#1240998).
wifi: ath12k: cleanup unneeded labels (bsc#1240998).
wifi: ath12k: configure MBSSID parameters in AP mode (bsc#1240998).
wifi: ath12k: configure MBSSID params in vdev create/start (bsc#1240998).
wifi: ath12k: convert struct ath12k_sta::update_wk to use struct wiphy_work (bsc#1240998).
wifi: ath12k: correct the capital word typo (bsc#1240998).
wifi: ath12k: create a structure for WMI vdev up parameters (bsc#1240998).
wifi: ath12k: debugfs: radar simulation support (bsc#1240998).
wifi: ath12k: decrease MHI channel buffer length to 8KB (bsc#1240998).
wifi: ath12k: delete NSS and TX power setting for monitor vdev (bsc#1240998).
wifi: ath12k: displace the Tx and Rx descriptor in cookie conversion table (bsc#1240998).
wifi: ath12k: do not dump SRNG statistics during resume (bsc#1240998).
wifi: ath12k: do not process consecutive RDDM event (bsc#1240998).
wifi: ath12k: do not use %pK in dmesg format strings (bsc#1240998).
wifi: ath12k: dynamic VLAN support (bsc#1240998).
wifi: ath12k: dynamically update peer puncturing bitmap for STA (bsc#1240998).
wifi: ath12k: enable WIPHY_FLAG_DISABLE_WEXT (bsc#1240998).
wifi: ath12k: enable service flag for survey dump stats (bsc#1240998).
wifi: ath12k: extend the link capable flag (bsc#1240998).
wifi: ath12k: fetch correct radio based on vdev status (bsc#1240998).
wifi: ath12k: fix A-MSDU indication in monitor mode (bsc#1240998).
wifi: ath12k: fix ACPI warning when resume (bsc#1240998).
wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 (git-fixes).
wifi: ath12k: fix NULL pointer access in ath12k_mac_op_get_survey() (bsc#1240998).
wifi: ath12k: fix Smatch warnings on ath12k_core_suspend() (bsc#1240998).
wifi: ath12k: fix a possible dead lock caused by ab->base_lock (stable-fixes).
wifi: ath12k: fix ack signal strength calculation (bsc#1240998).
wifi: ath12k: fix ath12k_hal_tx_cmd_ext_desc_setup() info1 override (stable-fixes).
wifi: ath12k: fix build vs old compiler (bsc#1240998).
wifi: ath12k: fix calling correct function for rx monitor mode (bsc#1240998).
wifi: ath12k: fix cleanup path after mhi init (git-fixes).
wifi: ath12k: fix desc address calculation in wbm tx completion (bsc#1240998).
wifi: ath12k: fix driver initialization for WoW unsupported devices (bsc#1240998).
wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping (stable-fixes).
wifi: ath12k: fix flush failure in recovery scenarios (bsc#1240998).
wifi: ath12k: fix hal_rx_buf_return_buf_manager documentation (bsc#1240998).
wifi: ath12k: fix incorrect CE addresses (stable-fixes).
wifi: ath12k: fix invalid access to memory (git-fixes).
wifi: ath12k: fix key cache handling (bsc#1240998).
wifi: ath12k: fix legacy peer association due to missing HT or 6 GHz capabilities (bsc#1240998).
wifi: ath12k: fix link capable flags (bsc#1240998).
wifi: ath12k: fix link valid field initialization in the monitor Rx (stable-fixes).
wifi: ath12k: fix mac id extraction when MSDU spillover in rx error path (bsc#1240998).
wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET (stable-fixes).
wifi: ath12k: fix mbssid max interface advertisement (bsc#1240998).
wifi: ath12k: fix missing endianness conversion in wmi_vdev_create_cmd() (bsc#1240998).
wifi: ath12k: fix misspelling of 'dma' in num_rxmda_per_pdev (bsc#1240998).
wifi: ath12k: fix node corruption in ar->arvifs list (git-fixes).
wifi: ath12k: fix one more memcpy size error (bsc#1240998).
wifi: ath12k: fix per pdev debugfs registration (bsc#1240998).
wifi: ath12k: fix reusing outside iterator in ath12k_wow_vif_set_wakeups() (bsc#1240998).
wifi: ath12k: fix ring-buffer corruption (git-fixes).
wifi: ath12k: fix skb_ext_desc leak in ath12k_dp_tx() error path (bsc#1240998).
wifi: ath12k: fix struct hal_rx_mpdu_start (bsc#1240998).
wifi: ath12k: fix struct hal_rx_phyrx_rssi_legacy_info (bsc#1240998).
wifi: ath12k: fix struct hal_rx_ppdu_end_user_stats (bsc#1240998).
wifi: ath12k: fix struct hal_rx_ppdu_start (bsc#1240998).
wifi: ath12k: fix survey dump collection in 6 GHz (bsc#1240998).
wifi: ath12k: fix the ampdu id fetch in the HAL_RX_MPDU_START TLV (stable-fixes).
wifi: ath12k: fix the stack frame size warning in ath12k_mac_op_hw_scan (bsc#1240998).
wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup() (bsc#1240998).
wifi: ath12k: fix warning on DMA ring capabilities event (bsc#1240998).
wifi: ath12k: flush all packets before suspend (bsc#1240998).
wifi: ath12k: handle keepalive during WoWLAN suspend and resume (bsc#1240998).
wifi: ath12k: handle symlink cleanup for per pdev debugfs dentry (bsc#1240998).
wifi: ath12k: implement WoW enable and wakeup commands (bsc#1240998).
wifi: ath12k: implement hardware data filter (bsc#1240998).
wifi: ath12k: improve the rx descriptor error information (bsc#1240998).
wifi: ath12k: initial debugfs support (bsc#1240998).
wifi: ath12k: make read-only array svc_id static const (bsc#1240998).
wifi: ath12k: modify ath12k mac start/stop ops for single wiphy (bsc#1240998).
wifi: ath12k: modify ath12k_get_arvif_iter() for MLO (bsc#1240998).
wifi: ath12k: modify ath12k_mac_op_bss_info_changed() for MLO (bsc#1240998).
wifi: ath12k: modify ath12k_mac_op_set_key() for MLO (bsc#1240998).
wifi: ath12k: modify ath12k_mac_vif_chan() for MLO (bsc#1240998).
wifi: ath12k: modify link arvif creation and removal for MLO (bsc#1240998).
wifi: ath12k: modify regulatory support for single wiphy architecture (bsc#1240998).
wifi: ath12k: modify remain on channel for single wiphy (bsc#1240998).
wifi: ath12k: move txbaddr/rxbaddr into struct ath12k_dp (bsc#1240998).
wifi: ath12k: no need to handle pktlog during suspend/resume (bsc#1240998).
wifi: ath12k: pass ath12k_link_vif instead of vif/ahvif (bsc#1240998).
wifi: ath12k: prepare sta data structure for MLO handling (bsc#1240998).
wifi: ath12k: prepare vif config caching for MLO (bsc#1240998).
wifi: ath12k: prepare vif data structure for MLO handling (bsc#1240998).
wifi: ath12k: read single_chip_mlo_support parameter from QMI PHY capability (bsc#1240998).
wifi: ath12k: rearrange IRQ enable/disable in reset path (bsc#1240998).
wifi: ath12k: refactor SMPS configuration (bsc#1240998).
wifi: ath12k: refactor arvif security parameter configuration (bsc#1240998).
wifi: ath12k: refactor ath12k_hw_regs structure (stable-fixes).
wifi: ath12k: refactor rx descriptor CMEM configuration (bsc#1240998).
wifi: ath12k: remove MHI LOOPBACK channels (bsc#1240998).
wifi: ath12k: remove duplicate definition of MAX_RADIOS (bsc#1240998).
wifi: ath12k: remove duplicate definitions in wmi.h (bsc#1240998).
wifi: ath12k: remove invalid peer create logic (bsc#1240998).
wifi: ath12k: remove obsolete struct wmi_start_scan_arg (bsc#1240998).
wifi: ath12k: remove redundant peer delete for WCN7850 (bsc#1240998).
wifi: ath12k: remove unused variable monitor_flags (bsc#1240998).
wifi: ath12k: remove unused variable monitor_present (bsc#1240998).
wifi: ath12k: rename MBSSID fields in wmi_vdev_up_cmd (bsc#1240998).
wifi: ath12k: restore ASPM for supported hardwares only (bsc#1240998).
wifi: ath12k: scan statemachine changes for single wiphy (bsc#1240998).
wifi: ath12k: set mlo_capable_flags based on QMI PHY capability (bsc#1240998).
wifi: ath12k: skip sending vdev down for channel switch (bsc#1240998).
wifi: ath12k: support ARP and NS offload (bsc#1240998).
wifi: ath12k: support GTK rekey offload (bsc#1240998).
wifi: ath12k: support SMPS configuration for 6 GHz (bsc#1240998).
wifi: ath12k: support get_survey mac op for single wiphy (bsc#1240998).
wifi: ath12k: support suspend/resume (bsc#1240998).
wifi: ath12k: switch to using wiphy_lock() and remove ar->conf_mutex (bsc#1240998).
wifi: ath12k: unregister per pdev debugfs (bsc#1240998).
wifi: ath12k: update ath12k_mac_op_conf_tx() for MLO (bsc#1240998).
wifi: ath12k: update ath12k_mac_op_update_vif_offload() for MLO (bsc#1240998).
wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850 (bsc#1240998).
wifi: ath12k: use correct MAX_RADIOS (bsc#1240998).
wifi: ath12k: use tail MSDU to get MSDU information (bsc#1240998).
wifi: ath12k: using msdu end descriptor to check for rx multicast packets (stable-fixes).
wifi: ath12k: vdev statemachine changes for single wiphy (bsc#1240998).
wifi: ath9k: return by of_get_mac_address (stable-fixes).
wifi: ath9k_htc: Abort software beacon handling if disabled (git-fixes).
wifi: carl9170: do not ping device which has failed to load firmware (git-fixes).
wifi: cfg80211: allow IR in 20 MHz configurations (stable-fixes).
wifi: iwlfiwi: mvm: Fix the rate reporting (git-fixes).
wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 (stable-fixes).
wifi: iwlwifi: add support for Killer on MTL (stable-fixes).
wifi: iwlwifi: do not warn during reprobe (stable-fixes).
wifi: iwlwifi: do not warn when if there is a FW error (stable-fixes).
wifi: iwlwifi: fix debug actions order (stable-fixes).
wifi: iwlwifi: fix the ECKV UEFI variable name (stable-fixes).
wifi: iwlwifi: mark Br device not integrated (stable-fixes).
wifi: iwlwifi: mvm: fix beacon CCK flag (stable-fixes).
wifi: iwlwifi: mvm: fix setting the TK when associated (stable-fixes).
wifi: iwlwifi: pcie: make sure to lock rxq->read (stable-fixes).
wifi: iwlwifi: use correct IMR dump variable (stable-fixes).
wifi: iwlwifi: w/a FW SMPS mode selection (stable-fixes).
wifi: mac80211: VLAN traffic in multicast path (stable-fixes).
wifi: mac80211: do not offer a mesh path if forwarding is disabled (stable-fixes).
wifi: mac80211: do not unconditionally call drv_mgd_complete_tx() (stable-fixes).
wifi: mac80211: fix beacon interval calculation overflow (git-fixes).
wifi: mac80211: fix warning on disconnect during failed ML reconf (stable-fixes).
wifi: mac80211: remove misplaced drv_mgd_complete_tx() call (stable-fixes).
wifi: mac80211: set ieee80211_prep_tx_info::link_id upon Auth Rx (stable-fixes).
wifi: mac80211: validate SCAN_FLAG_AP in scan request during MLO (stable-fixes).
wifi: mac80211_hwsim: Fix MLD address translation (stable-fixes).
wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled (stable-fixes).
wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R (stable-fixes).
wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() (git-fixes).
wifi: mt76: mt7921: add 160 MHz AP for mt7922 device (stable-fixes).
wifi: mt76: mt7925: ensure all MCU commands wait for response (git-fixes).
wifi: mt76: mt7925: fix fails to enter low power mode in suspend state (stable-fixes).
wifi: mt76: mt7925: fix host interrupt register initialization (git-fixes).
wifi: mt76: mt7925: introduce thermal protection (stable-fixes).
wifi: mt76: mt7925: load the appropriate CLC data based on hardware type (stable-fixes).
wifi: mt76: mt7925: prevent multiple scan commands (git-fixes).
wifi: mt76: mt7925: refine the sniffer commnad (git-fixes).
wifi: mt76: mt7996: drop fragments with multicast or broadcast RA (stable-fixes).
wifi: mt76: mt7996: fix RX buffer size of MCU event (git-fixes).
wifi: mt76: mt7996: revise TXS size (stable-fixes).
wifi: mt76: mt7996: set EHT max ampdu length capability (git-fixes).
wifi: mt76: only mark tx-status-failed frames as ACKed on mt76x0/2 (stable-fixes).
wifi: mwifiex: Fix HT40 bandwidth issue (stable-fixes).
wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (git-fixes).
wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 (git-fixes).
wifi: rtw88: Do not use static local variable in rtw8822b_set_tx_power_index_by_rate (stable-fixes).
wifi: rtw88: Fix __rtw_download_firmware() for RTL8814AU (stable-fixes).
wifi: rtw88: Fix download_firmware_validate() for RTL8814AU (stable-fixes).
wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 (stable-fixes).
wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU (stable-fixes).
wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU (stable-fixes).
wifi: rtw88: do not ignore hardware read error during DPK (git-fixes).
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds (git-fixes).
wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally (git-fixes).
wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT (git-fixes).
wifi: rtw88: usb: Reduce control message timeout to 500 ms (git-fixes).
wifi: rtw89: 8922a: fix TX fail with wrong VCO setting (stable-fixes).
wifi: rtw89: 8922a: fix incorrect STA-ID in EHT MU PPDU (stable-fixes).
wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet (stable-fixes).
wifi: rtw89: call power_on ahead before selecting firmware (stable-fixes).
wifi: rtw89: fw: get sb_sel_ver via get_unaligned_le32() (stable-fixes).
wifi: rtw89: fw: propagate error code from rtw89_h2c_tx() (stable-fixes).
wifi: rtw89: leave idle mode when setting WEP encryption for AP mode (stable-fixes).
wifi: rtw89: pci: enlarge retry times of RX tag to 1000 (git-fixes).
wifi: rtw89: phy: add dummy C2H event handler for report of TAS power (stable-fixes).
wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() (stable-fixes).
workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() (bsc#1245101 jsc#PED-11934).
x86/acpi: Fix LAPIC/x2APIC parsing order (git-fixes).
x86/amd_nb, hwmon: (k10temp): Simplify amd_pci_dev_to_node_id() (jsc#PED-13094).
x86/amd_nb: Clean up early_is_amd_nb() (jsc#PED-13094).
x86/amd_nb: Move SMN access code to a new amd_node driver (jsc#PED-13094).
x86/amd_nb: Restrict init function to AMD-based systems (jsc#PED-13094).
x86/amd_nb: Simplify function 4 search (jsc#PED-13094).
x86/amd_nb: Simplify root device search (jsc#PED-13094).
x86/amd_node: Add SMN offsets to exclusive region access (jsc#PED-13094).
x86/amd_node: Add support for debugfs access to SMN registers (jsc#PED-13094).
x86/amd_node: Remove dependency on AMD_NB (jsc#PED-13094).
x86/amd_node: Update __amd_smn_rw() error paths (jsc#PED-13094).
x86/amd_node: Use defines for SMN register offsets (jsc#PED-13094).
x86/fred/signal: Prevent immediate repeat of single step trap on return from SIGTRAP handler (git-fixes).
x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (git-fixes).
x86/kaslr: Reduce KASLR entropy on most x86 systems (git-fixes).
x86/mce/amd: Remove shared threshold bank plumbing (jsc#PED-13094).
x86/microcode/AMD: Add get_patch_level() (git-fixes).
x86/microcode/AMD: Do not return error when microcode update is not necessary (git-fixes).
x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (git-fixes).
x86/microcode/AMD: Have __apply_microcode_amd() return bool (git-fixes).
x86/microcode/AMD: Make __verify_patch_size() return bool (git-fixes).
x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (git-fixes).
x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (git-fixes).
x86/microcode/AMD: Return bool from find_blobs_in_containers() (git-fixes).
x86/microcode: Consolidate the loader enablement checking (git-fixes).
x86/mm/init: Handle the special case of device private pages in add_pages(), to not increase max_pfn and trigger dma_addressing_limited() bounce buffers (git-fixes).
x86/platform/amd: Move the <asm/amd_hsmp.h> header to <asm/amd/hsmp.h> (jsc#PED-13094).
x86/sev: Add SVSM vTPM probe/send_command functions (bsc#1241191).
x86/sev: Provide guest VMPL level to userspace (bsc#1241191).
x86/sev: Register tpm-svsm platform device (bsc#1241191).
x86/xen: fix balloon target initialization for PVH dom0 (git-fixes).
x86: Start moving AMD node functionality out of AMD_NB (jsc#PED-13094).
xen/arm: call uaccess_ttbr0_enable for dm_op hypercall (git-fixes)
xen/x86: fix initial memory balloon target (git-fixes).
xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive (git-fixes).
xsk: always clear DMA mapping information when unmapping the pool (git-fixes).

Список пакетов

SUSE Linux Enterprise High Availability Extension 15 SP7

cluster-md-kmp-default-6.4.0-150700.53.6.1

dlm-kmp-default-6.4.0-150700.53.6.1

gfs2-kmp-default-6.4.0-150700.53.6.1

ocfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise Live Patching 15 SP7

kernel-default-livepatch-6.4.0-150700.53.6.1

kernel-default-livepatch-devel-6.4.0-150700.53.6.1

kernel-livepatch-6_4_0-150700_53_6-default-1-150700.15.3.1

SUSE Linux Enterprise Module for Basesystem 15 SP7

kernel-64kb-6.4.0-150700.53.6.1

kernel-64kb-devel-6.4.0-150700.53.6.1

kernel-default-6.4.0-150700.53.6.1

kernel-default-base-6.4.0-150700.53.6.1.150700.17.6.1

kernel-default-devel-6.4.0-150700.53.6.1

kernel-devel-6.4.0-150700.53.6.1

kernel-macros-6.4.0-150700.53.6.1

kernel-zfcpdump-6.4.0-150700.53.6.1

SUSE Linux Enterprise Module for Development Tools 15 SP7

kernel-docs-6.4.0-150700.53.6.1

kernel-obs-build-6.4.0-150700.53.6.1

kernel-source-6.4.0-150700.53.6.1

kernel-syms-6.4.0-150700.53.6.1

SUSE Linux Enterprise Module for Legacy 15 SP7

reiserfs-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise Workstation Extension 15 SP7

kernel-default-extra-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/support/update/announcement/2025/suse-su-202502307-1/
Link for SUSE-SU-2025:02307-1
https://lists.suse.com/pipermail/sle-updates/2025-July/040706.html
E-Mail link for SUSE-SU-2025:02307-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1012628
SUSE Bug 1012628
https://bugzilla.suse.com/1151679
SUSE Bug 1151679
https://bugzilla.suse.com/1151680
SUSE Bug 1151680
https://bugzilla.suse.com/1151794
SUSE Bug 1151794
https://bugzilla.suse.com/1151927
SUSE Bug 1151927
https://bugzilla.suse.com/1210025
SUSE Bug 1210025
https://bugzilla.suse.com/1211226
SUSE Bug 1211226
https://bugzilla.suse.com/1215199
SUSE Bug 1215199
https://bugzilla.suse.com/1218184
SUSE Bug 1218184
https://bugzilla.suse.com/1220112
SUSE Bug 1220112
https://bugzilla.suse.com/1223008
SUSE Bug 1223008
https://bugzilla.suse.com/1226498
SUSE Bug 1226498
https://bugzilla.suse.com/1228478
SUSE Bug 1228478
https://bugzilla.suse.com/1228557
SUSE Bug 1228557
https://bugzilla.suse.com/1228854
SUSE Bug 1228854
https://bugzilla.suse.com/1229491
SUSE Bug 1229491
https://bugzilla.suse.com/1230337
SUSE Bug 1230337

Описание

In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Only free buffer VA that is not NULL In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly called only when the buffer to free exists, there are some instances that didn't do the check and triggered warnings in practice. We believe those checks were forgotten unintentionally. Add the checks back to fix the warnings.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-52888.html
CVE-2023-52888
https://bugzilla.suse.com/1228557
SUSE Bug 1228557

Описание

In the Linux kernel, the following vulnerability has been resolved: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach dw2102_i2c_transfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 950e252cb469 ("[media] dw2102: limit messages to buffer size")

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2023-53146.html
CVE-2023-53146
https://bugzilla.suse.com/1220112
SUSE Bug 1220112

Описание

In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Skip to handle RAS errors if CXL.mem device is detached The PCI AER model is an awkward fit for CXL error handling. While the expectation is that a PCI device can escalate to link reset to recover from an AER event, the same reset on CXL amounts to a surprise memory hotplug of massive amounts of memory. At present, the CXL error handler attempts some optimistic error handling to unbind the device from the cxl_mem driver after reaping some RAS register values. This results in a "hopeful" attempt to unplug the memory, but there is no guarantee that will succeed. A subsequent AER notification after the memdev unbind event can no longer assume the registers are mapped. Check for memdev bind before reaping status register values to avoid crashes of the form: BUG: unable to handle page fault for address: ffa00000195e9100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page [...] RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core] [...] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x160 ? kernelmode_fixup_or_oops+0x84/0x110 ? exc_page_fault+0x113/0x170 ? asm_exc_page_fault+0x26/0x30 ? __pfx_dpc_reset_link+0x10/0x10 ? __cxl_handle_ras+0x30/0x110 [cxl_core] ? find_cxl_port+0x59/0x80 [cxl_core] cxl_handle_rp_ras+0xbc/0xd0 [cxl_core] cxl_error_detected+0x6c/0xf0 [cxl_core] report_error_detected+0xc7/0x1c0 pci_walk_bus+0x73/0x90 pcie_do_recovery+0x23f/0x330 Longer term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might need to be replaced with a new PCI_ERS_RESULT_PANIC.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26762.html
CVE-2024-26762
https://bugzilla.suse.com/1230337
SUSE Bug 1230337

Описание

In the Linux kernel, the following vulnerability has been resolved: net/handshake: Fix handshake_req_destroy_test1 Recently, handshake_req_destroy_test1 started failing: Expected handshake_req_destroy_test == req, but handshake_req_destroy_test == 0000000000000000 req == 0000000060f99b40 not ok 11 req_destroy works This is because "sock_release(sock)" was replaced with "fput(filp)" to address a memory leak. Note that sock_release() is synchronous but fput() usually delays the final close and clean-up. The delay is not consequential in the other cases that were changed but handshake_req_destroy_test1 is testing that handshake_req_cancel() followed by closing the file actually does call the ->hp_destroy method. Thus the PTR_EQ test at the end has to be sure that the final close is complete before it checks the pointer. We cannot use a completion here because if ->hp_destroy is never called (ie, there is an API bug) then the test will hang. Reported by: Guenter Roeck <linux@roeck-us.net>

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-26831.html
CVE-2024-26831
https://bugzilla.suse.com/1223008
SUSE Bug 1223008

Описание

In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix no cxl_nvd during pmem region auto-assembling When CXL subsystem is auto-assembling a pmem region during cxl endpoint port probing, always hit below calltrace. BUG: kernel NULL pointer dereference, address: 0000000000000078 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x160 ? do_user_addr_fault+0x65/0x6b0 ? exc_page_fault+0x7d/0x170 ? asm_exc_page_fault+0x26/0x30 ? cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem] ? cxl_pmem_region_probe+0x1ac/0x360 [cxl_pmem] cxl_bus_probe+0x1b/0x60 [cxl_core] really_probe+0x173/0x410 ? __pfx___device_attach_driver+0x10/0x10 __driver_probe_device+0x80/0x170 driver_probe_device+0x1e/0x90 __device_attach_driver+0x90/0x120 bus_for_each_drv+0x84/0xe0 __device_attach+0xbc/0x1f0 bus_probe_device+0x90/0xa0 device_add+0x51c/0x710 devm_cxl_add_pmem_region+0x1b5/0x380 [cxl_core] cxl_bus_probe+0x1b/0x60 [cxl_core] The cxl_nvd of the memdev needs to be available during the pmem region probe. Currently the cxl_nvd is registered after the endpoint port probe. The endpoint probe, in the case of autoassembly of regions, can cause a pmem region probe requiring the not yet available cxl_nvd. Adjust the sequence so this dependency is met. This requires adding a port parameter to cxl_find_nvdimm_bridge() that can be used to query the ancestor root port. The endpoint port is not yet available, but will share a common ancestor with its parent, so start the query from there instead.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-41085.html
CVE-2024-41085
https://bugzilla.suse.com/1228478
SUSE Bug 1228478

Описание

In the Linux kernel, the following vulnerability has been resolved: perf: Fix event leak upon exec and file release The perf pending task work is never waited upon the matching event release. In the case of a child event, released via free_event() directly, this can potentially result in a leaked event, such as in the following scenario that doesn't even require a weak IRQ work implementation to trigger: schedule() prepare_task_switch() =======> <NMI> perf_event_overflow() event->pending_sigtrap = ... irq_work_queue(&event->pending_irq) <======= </NMI> perf_event_task_sched_out() event_sched_out() event->pending_sigtrap = 0; atomic_long_inc_not_zero(&event->refcount) task_work_add(&event->pending_task) finish_lock_switch() =======> <IRQ> perf_pending_irq() //do nothing, rely on pending task work <======= </IRQ> begin_new_exec() perf_event_exit_task() perf_event_exit_event() // If is child event free_event() WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1) // event is leaked Similar scenarios can also happen with perf_event_remove_on_exec() or simply against concurrent perf_event_release(). Fix this with synchonizing against the possibly remaining pending task work while freeing the event, just like is done with remaining pending IRQ work. This means that the pending task callback neither need nor should hold a reference to the event, preventing it from ever beeing freed.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-43869.html
CVE-2024-43869
https://bugzilla.suse.com/1229491
SUSE Bug 1229491

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg When receiving proposal msg in server, the fields v2_ext_offset/ eid_cnt/ism_gid_cnt in proposal msg are from the remote client and can not be fully trusted. Especially the field v2_ext_offset, once exceed the max value, there has the chance to access wrong address, and crash may happen. This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt before using them.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-49568.html
CVE-2024-49568
https://bugzilla.suse.com/1235728
SUSE Bug 1235728

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC Eric report a panic on IPPROTO_SMC, and give the facts that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too. Bug: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000005 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000 [0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003, pud=0000000000000000 Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP Modules linked in: CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910 sp : ffff80009b887a90 x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000 x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00 x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000 x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001 x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003 x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000 Call trace: 0x0 netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593 smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973 security_socket_post_create+0x94/0xd4 security/security.c:4425 __sock_create+0x4c8/0x884 net/socket.c:1587 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x134/0x340 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __arm64_sys_socket+0x7c/0x94 net/socket.c:1718 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: ???????? ???????? ???????? ???????? (????????) ---[ end trace 0000000000000000 ]--- This patch add a toy implementation that performs a simple return to prevent such panic. This is because MSS can be set in sock_create_kern or smc_setsockopt, similar to how it's done in AF_SMC. However, for AF_SMC, there is currently no way to synchronize MSS within __sys_connect_file. This toy implementation lays the groundwork for us to support such feature for IPPROTO_SMC in the future.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-50034.html
CVE-2024-50034
https://bugzilla.suse.com/1231913
SUSE Bug 1231913

Описание

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix race between laundromat and free_stateid There is a race between laundromat handling of revoked delegations and a client sending free_stateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing free_stateid processing thread does the following (1) it calls list_del_init() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file. Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsd_breaker_owns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning: kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dump_backtrace+0x98/0x120 kernel: show_stack+0x1c/0x30 kernel: dump_stack_lvl+0x80/0xe8 kernel: print_address_description.constprop.0+0x84/0x390 kernel: print_report+0xa4/0x268 kernel: kasan_report+0xb4/0xf8 kernel: __asan_report_load8_noabort+0x1c/0x28 kernel: nfsd_breaker_owns_lease+0x140/0x160 [nfsd] kernel: nfsd_file_do_acquire+0xb3c/0x11d0 [nfsd] kernel: nfsd_file_acquire_opened+0x84/0x110 [nfsd] kernel: nfs4_get_vfs_file+0x634/0x958 [nfsd] kernel: nfsd4_process_open2+0xa40/0x1a40 [nfsd] kernel: nfsd4_open+0xa08/0xe80 [nfsd] kernel: nfsd4_proc_compound+0xb8c/0x2130 [nfsd] kernel: nfsd_dispatch+0x22c/0x718 [nfsd] kernel: svc_process_common+0x8e8/0x1960 [sunrpc] kernel: svc_process+0x3d4/0x7e0 [sunrpc] kernel: svc_handle_xprt+0x828/0xe10 [sunrpc] kernel: svc_recv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: ret_from_fork+0x10/0x20 This patch proposes a fixed that's based on adding 2 new additional stid's sc_status values that help coordinate between the laundromat and other operations (nfsd4_free_stateid() and nfsd4_delegreturn()). First to make sure, that once the stid is marked revoked, it is not removed by the nfsd4_free_stateid(), the laundromat take a reference on the stateid. Then, coordinating whether the stid has been put on the cl_revoked list or we are processing FREE_STATEID and need to make sure to remove it from the list, each check that state and act accordingly. If laundromat has added to the cl_revoke list before the arrival of FREE_STATEID, then nfsd4_free_stateid() knows to remove it from the list. If nfsd4_free_stateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list. Also, for nfsd4_delegreturn() when looking for the specified stid, we need to access stid that are marked removed or freeable, it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserr_deleg_revoked and not nfserr_bad_stateid. The latter will not trigger a FREE_STATEID and the lack of it will leave this stid on the cl_revoked list indefinitely.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-50106.html
CVE-2024-50106
https://bugzilla.suse.com/1232882
SUSE Bug 1232882

Описание

In the Linux kernel, the following vulnerability has been resolved: net/smc: do not leave a dangling sk pointer in __smc_create() Thanks to commit 4bbd360a5084 ("socket: Print pf->create() when it does not clear sock->sk on failure."), syzbot found an issue with AF_SMC: smc_create must clear sock->sk on failure, family: 43, type: 1, protocol: 0 WARNING: CPU: 0 PID: 5827 at net/socket.c:1565 __sock_create+0x96f/0xa30 net/socket.c:1563 Modules linked in: CPU: 0 UID: 0 PID: 5827 Comm: syz-executor259 Not tainted 6.12.0-rc6-next-20241106-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__sock_create+0x96f/0xa30 net/socket.c:1563 Code: 03 00 74 08 4c 89 e7 e8 4f 3b 85 f8 49 8b 34 24 48 c7 c7 40 89 0c 8d 8b 54 24 04 8b 4c 24 0c 44 8b 44 24 08 e8 32 78 db f7 90 <0f> 0b 90 90 e9 d3 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c ee f7 RSP: 0018:ffffc90003e4fda0 EFLAGS: 00010246 RAX: 099c6f938c7f4700 RBX: 1ffffffff1a595fd RCX: ffff888034823c00 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00000000ffffffe9 R08: ffffffff81567052 R09: 1ffff920007c9f50 R10: dffffc0000000000 R11: fffff520007c9f51 R12: ffffffff8d2cafe8 R13: 1ffffffff1a595fe R14: ffffffff9a789c40 R15: ffff8880764298c0 FS: 000055557b518380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa62ff43225 CR3: 0000000031628000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> sock_create net/socket.c:1616 [inline] __sys_socket_create net/socket.c:1653 [inline] __sys_socket+0x150/0x3c0 net/socket.c:1700 __do_sys_socket net/socket.c:1714 [inline] __se_sys_socket net/socket.c:1712 [inline] For reference, see commit 2d859aff775d ("Merge branch 'do-not-leave-dangling-sk-pointers-in-pf-create-functions'")

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-50293.html
CVE-2024-50293
https://bugzilla.suse.com/1233482
SUSE Bug 1233482

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup() During ath12k module removal, in ath12k_core_deinit(), ath12k_mac_destroy() un-registers ah->hw from mac80211 and frees the ah->hw as well as all the ar's in it. After this ath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup() tries to access one of the freed ar's from pending skb. This is because during mac destroy, driver failed to flush few data packets, which were accessed later in ath12k_dp_cc_cleanup() and freed, but using ar from the packet led to this use-after-free. BUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] Write of size 4 at addr ffff888150bd3514 by task modprobe/8926 CPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted 6.11.0-rc2-wt-ath+ #1746 Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 Call Trace: <TASK> dump_stack_lvl+0x7d/0xe0 print_address_description.constprop.0+0x33/0x3a0 print_report+0xb5/0x260 ? kasan_addr_to_slab+0x24/0x80 kasan_report+0xd8/0x110 ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] kasan_check_range+0xf3/0x1a0 __kasan_check_write+0x14/0x20 ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k] ath12k_dp_free+0x178/0x420 [ath12k] ath12k_core_stop+0x176/0x200 [ath12k] ath12k_core_deinit+0x13f/0x210 [ath12k] ath12k_pci_remove+0xad/0x1c0 [ath12k] pci_device_remove+0x9b/0x1b0 device_remove+0xbf/0x150 device_release_driver_internal+0x3c3/0x580 ? __kasan_check_read+0x11/0x20 driver_detach+0xc4/0x190 bus_remove_driver+0x130/0x2a0 driver_unregister+0x68/0x90 pci_unregister_driver+0x24/0x240 ? find_module_all+0x13e/0x1e0 ath12k_pci_exit+0x10/0x20 [ath12k] __do_sys_delete_module+0x32c/0x580 ? module_flags+0x2f0/0x2f0 ? kmem_cache_free+0xf0/0x410 ? __fput+0x56f/0xab0 ? __fput+0x56f/0xab0 ? debug_smp_processor_id+0x17/0x20 __x64_sys_delete_module+0x4f/0x70 x64_sys_call+0x522/0x9f0 do_syscall_64+0x64/0x130 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f8182c6ac8b Commit 24de1b7b231c ("wifi: ath12k: fix flush failure in recovery scenarios") added the change to decrement the pending packets count in case of recovery which make sense as ah->hw as well all ar's in it are intact during recovery, but during core deinit there is no use in decrementing packets count or waking up the empty waitq as the module is going to be removed also ar's from pending skb's can't be used and the packets should just be released back. To fix this, avoid accessing ar from skb->cb when driver is being unregistered. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-56541.html
CVE-2024-56541
https://bugzilla.suse.com/1235064
SUSE Bug 1235064

Описание

In the Linux kernel, the following vulnerability has been resolved: sched/numa: fix memory leak due to the overwritten vma->numab_state [Problem Description] When running the hackbench program of LTP, the following memory leak is reported by kmemleak. # /opt/ltp/testcases/bin/hackbench 20 thread 1000 Running with 20*40 (== 800) tasks. # dmesg | grep kmemleak ... kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888cd8ca2c40 (size 64): comm "hackbench", pid 17142, jiffies 4299780315 hex dump (first 32 bytes): ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00 .tI.....L.I..... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc bff18fd4): [<ffffffff81419a89>] __kmalloc_cache_noprof+0x2f9/0x3f0 [<ffffffff8113f715>] task_numa_work+0x725/0xa00 [<ffffffff8110f878>] task_work_run+0x58/0x90 [<ffffffff81ddd9f8>] syscall_exit_to_user_mode+0x1c8/0x1e0 [<ffffffff81dd78d5>] do_syscall_64+0x85/0x150 [<ffffffff81e0012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e ... This issue can be consistently reproduced on three different servers: * a 448-core server * a 256-core server * a 192-core server [Root Cause] Since multiple threads are created by the hackbench program (along with the command argument 'thread'), a shared vma might be accessed by two or more cores simultaneously. When two or more cores observe that vma->numab_state is NULL at the same time, vma->numab_state will be overwritten. Although current code ensures that only one thread scans the VMAs in a single 'numa_scan_period', there might be a chance for another thread to enter in the next 'numa_scan_period' while we have not gotten till numab_state allocation [1]. Note that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000` cannot the reproduce the issue. It is verified with 200+ test runs. [Solution] Use the cmpxchg atomic operation to ensure that only one thread executes the vma->numab_state assignment. [1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-56613.html
CVE-2024-56613
https://bugzilla.suse.com/1244176
SUSE Bug 1244176

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix potential double remove of hotplug slot In commit 6ee600bfbe0f ("s390/pci: remove hotplug slot when releasing the device") the zpci_exit_slot() was moved from zpci_device_reserved() to zpci_release_device() with the intention of keeping the hotplug slot around until the device is actually removed. Now zpci_release_device() is only called once all references are dropped. Since the zPCI subsystem only drops its reference once the device is in the reserved state it follows that zpci_release_device() must only deal with devices in the reserved state. Despite that it contains code to tear down from both configured and standby state. For the standby case this already includes the removal of the hotplug slot so would cause a double removal if a device was ever removed in either configured or standby state. Instead of causing a potential double removal in a case that should never happen explicitly WARN_ON() if a device in non-reserved state is released and get rid of the dead code cases.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-56699.html
CVE-2024-56699
https://bugzilla.suse.com/1235490
SUSE Bug 1235490

Описание

In the Linux kernel, the following vulnerability has been resolved: xfrm: state: fix out-of-bounds read during lookup lookup and resize can run in parallel. The xfrm_state_hash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array. rehash does: rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..] net->xfrm.state_hmask = nhashmask; While state lookup does: h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) { This is only safe in case the update to state_bydst is larger than net->xfrm.xfrm_state_hmask (or if the lookup function gets serialized via state spinlock again). Fix this by prefetching state_hmask and the associated pointers. The xfrm_state_hash_generation seqlock retry will ensure that the pointer and the hmask will be consistent. The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side. xfrm_state_lookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-57982.html
CVE-2024-57982
https://bugzilla.suse.com/1237913
SUSE Bug 1237913

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() If insert an USB dongle which chip is not maintained in ic_id_table, it will hit the NULL point accessed. Add a null point check to avoid the Kernel Oops.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-57987.html
CVE-2024-57987
https://bugzilla.suse.com/1237905
SUSE Bug 1237905

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() devm_kstrdup() can return a NULL pointer on failure,but this returned value in btbcm_get_board_name() is not checked. Add NULL check in btbcm_get_board_name(), to handle kernel NULL pointer dereference error.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-57988.html
CVE-2024-57988
https://bugzilla.suse.com/1237910
SUSE Bug 1237910

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different radio, it gets deleted from that radio through a call to ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. Subsequently, there is a check involving arvif, which will result in a read-after-free scenario. Fix this by moving this check after arvif is again assigned via call to ath12k_mac_assign_link_vif(). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-57995.html
CVE-2024-57995
https://bugzilla.suse.com/1237895
SUSE Bug 1237895

Описание

In the Linux kernel, the following vulnerability has been resolved: media: intel/ipu6: remove cpu latency qos request on error Fix cpu latency qos list corruption like below. It happens when we do not remove cpu latency request on error path and free corresponding memory. [ 30.634378] l7 kernel: list_add corruption. prev->next should be next (ffffffff9645e960), but was 0000000100100001. (prev=ffff8e9e877e20a8). [ 30.634388] l7 kernel: WARNING: CPU: 2 PID: 2008 at lib/list_debug.c:32 __list_add_valid_or_report+0x83/0xa0 <snip> [ 30.634640] l7 kernel: Call Trace: [ 30.634650] l7 kernel: <TASK> [ 30.634659] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0 [ 30.634669] l7 kernel: ? __warn.cold+0x93/0xf6 [ 30.634678] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0 [ 30.634690] l7 kernel: ? report_bug+0xff/0x140 [ 30.634702] l7 kernel: ? handle_bug+0x58/0x90 [ 30.634712] l7 kernel: ? exc_invalid_op+0x17/0x70 [ 30.634723] l7 kernel: ? asm_exc_invalid_op+0x1a/0x20 [ 30.634733] l7 kernel: ? __list_add_valid_or_report+0x83/0xa0 [ 30.634742] l7 kernel: plist_add+0xdd/0x140 [ 30.634754] l7 kernel: pm_qos_update_target+0xa0/0x1f0 [ 30.634764] l7 kernel: cpu_latency_qos_update_request+0x61/0xc0 [ 30.634773] l7 kernel: intel_dp_aux_xfer+0x4c7/0x6e0 [i915 1f824655ed04687c2b0d23dbce759fa785f6d033]

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58004.html
CVE-2024-58004
https://bugzilla.suse.com/1238508
SUSE Bug 1238508

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix for out-of bound access error Selfgen stats are placed in a buffer using print_array_to_buf_index() function. Array length parameter passed to the function is too big, resulting in possible out-of bound memory error. Decreasing buffer size by one fixes faulty upper bound of passed array. Discovered in coverity scan, CID 1600742 and CID 1600758

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58015.html
CVE-2024-58015
https://bugzilla.suse.com/1238995
SUSE Bug 1238995

Описание

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix handling of received connection abort Fix the handling of a connection abort that we've received. Though the abort is at the connection level, it needs propagating to the calls on that connection. Whilst the propagation bit is performed, the calls aren't then woken up to go and process their termination, and as no further input is forthcoming, they just hang. Also add some tracing for the logging of connection aborts.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58053.html
CVE-2024-58053
https://bugzilla.suse.com/1238982
SUSE Bug 1238982

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: avoid NULL pointer dereference When iterating over the links of a vif, we need to make sure that the pointer is valid (in other words - that the link exists) before dereferncing it. Use for_each_vif_active_link that also does the check.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58062.html
CVE-2024-58062
https://bugzilla.suse.com/1238965
SUSE Bug 1238965

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback commit 1f5664351410 ("ASoC: lower "no backend DAIs enabled for ... Port" log severity") ignores -EINVAL error message on common soc_pcm_ret(). It is used from many functions, ignoring -EINVAL is over-kill. The reason why -EINVAL was ignored was it really should only be used upon invalid parameters coming from userspace and in that case we don't want to log an error since we do not want to give userspace a way to do a denial-of-service attack on the syslog / diskspace. So don't use soc_pcm_ret() on .prepare callback is better idea.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58077.html
CVE-2024-58077
https://bugzilla.suse.com/1239090
SUSE Bug 1239090

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: track changes_pkt_data property for global functions When processing calls to certain helpers, verifier invalidates all packet pointers in a current state. For example, consider the following program: __attribute__((__noinline__)) long skb_pull_data(struct __sk_buff *sk, __u32 len) { return bpf_skb_pull_data(sk, len); } SEC("tc") int test_invalidate_checks(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; if ((void *)(p + 1) > (void *)(long)sk->data_end) return TCX_DROP; skb_pull_data(sk, 0); *p = 42; return TCX_PASS; } After a call to bpf_skb_pull_data() the pointer 'p' can't be used safely. See function filter.c:bpf_helper_changes_pkt_data() for a list of such helpers. At the moment verifier invalidates packet pointers when processing helper function calls, and does not traverse global sub-programs when processing calls to global sub-programs. This means that calls to helpers done from global sub-programs do not invalidate pointers in the caller state. E.g. the program above is unsafe, but is not rejected by verifier. This commit fixes the omission by computing field bpf_subprog_info->changes_pkt_data for each sub-program before main verification pass. changes_pkt_data should be set if: - subprogram calls helper for which bpf_helper_changes_pkt_data returns true; - subprogram calls a global function, for which bpf_subprog_info->changes_pkt_data should be set. The verifier.c:check_cfg() pass is modified to compute this information. The commit relies on depth first instruction traversal done by check_cfg() and absence of recursive function calls: - check_cfg() would eventually visit every call to subprogram S in a state when S is fully explored; - when S is fully explored: - every direct helper call within S is explored (and thus changes_pkt_data is set if needed); - every call to subprogram S1 called by S was visited with S1 fully explored (and thus S inherits changes_pkt_data from S1). The downside of such approach is that dead code elimination is not taken into account: if a helper call inside global function is dead because of current configuration, verifier would conservatively assume that the call occurs for the purpose of the changes_pkt_data computation.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58098.html
CVE-2024-58098
https://bugzilla.suse.com/1242565
SUSE Bug 1242565

Описание

In the Linux kernel, the following vulnerability has been resolved: vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame Andrew and Nikolay reported connectivity issues with Cilium's service load-balancing in case of vmxnet3. If a BPF program for native XDP adds an encapsulation header such as IPIP and transmits the packet out the same interface, then in case of vmxnet3 a corrupted packet is being sent and subsequently dropped on the path. vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp() through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address: page = virt_to_page(xdpf->data); tbi->dma_addr = page_pool_get_dma_addr(page) + VMXNET3_XDP_HEADROOM; dma_sync_single_for_device(&adapter->pdev->dev, tbi->dma_addr, buf_size, DMA_TO_DEVICE); The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP BPF program could have moved xdp->data. While the passed buf_size is correct (xdpf->len), the dma_addr needs to have a dynamic offset which can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data - xdp->data_hard_start.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58099.html
CVE-2024-58099
https://bugzilla.suse.com/1242035
SUSE Bug 1242035

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: check changes_pkt_data property for extension programs When processing calls to global sub-programs, verifier decides whether to invalidate all packet pointers in current state depending on the changes_pkt_data property of the global sub-program. Because of this, an extension program replacing a global sub-program must be compatible with changes_pkt_data property of the sub-program being replaced. This commit: - adds changes_pkt_data flag to struct bpf_prog_aux: - this flag is set in check_cfg() for main sub-program; - in jit_subprogs() for other sub-programs; - modifies bpf_check_attach_btf_id() to check changes_pkt_data flag; - moves call to check_attach_btf_id() after the call to check_cfg(), because it needs changes_pkt_data flag to be set: bpf_check: ... ... - check_attach_btf_id resolve_pseudo_ldimm64 resolve_pseudo_ldimm64 --> bpf_prog_is_offloaded bpf_prog_is_offloaded check_cfg check_cfg + check_attach_btf_id ... ... The following fields are set by check_attach_btf_id(): - env->ops - prog->aux->attach_btf_trace - prog->aux->attach_func_name - prog->aux->attach_func_proto - prog->aux->dst_trampoline - prog->aux->mod - prog->aux->saved_dst_attach_type - prog->aux->saved_dst_prog_type - prog->expected_attach_type Neither of these fields are used by resolve_pseudo_ldimm64() or bpf_prog_offload_verifier_prep() (for netronome and netdevsim drivers), so the reordering is safe.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58100.html
CVE-2024-58100
https://bugzilla.suse.com/1242564
SUSE Bug 1242564

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: consider that tail calls invalidate packet pointers Tail-called programs could execute any of the helpers that invalidate packet pointers. Hence, conservatively assume that each tail call invalidates packet pointers. Making the change in bpf_helper_changes_pkt_data() automatically makes use of check_cfg() logic that computes 'changes_pkt_data' effect for global sub-programs, such that the following program could be rejected: int tail_call(struct __sk_buff *sk) { bpf_tail_call_static(sk, &jmp_table, 0); return 0; } SEC("tc") int not_safe(struct __sk_buff *sk) { int *p = (void *)(long)sk->data; ... make p valid ... tail_call(sk); *p = 42; /* this is unsafe */ ... } The tc_bpf2bpf.c:subprog_tc() needs change: mark it as a function that can invalidate packet pointers. Otherwise, it can't be freplaced with tailcall_freplace.c:entry_freplace() that does a tail call.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-58237.html
CVE-2024-58237
https://bugzilla.suse.com/1242574
SUSE Bug 1242574

Описание

In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offoad of IPv6 packets with extension headers on devices that advertise NETIF_F_IPV6_CSUM, based on the definition of that feature in skbuff.h: * * - %NETIF_F_IPV6_CSUM * - Driver (device) is only able to checksum plain * TCP or UDP packets over IPv6. These are specifically * unencapsulated packets of the form IPv6|TCP or * IPv6|UDP where the Next Header field in the IPv6 * header is either TCP or UDP. IPv6 extension headers * are not supported with this feature. This feature * cannot be set in features for a device with * NETIF_F_HW_CSUM also set. This feature is being * DEPRECATED (see below). The change causes skb_warn_bad_offload to fire for BIG TCP packets. [ 496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0 [ 496.310297] ? skb_warn_bad_offload+0xc4/0xe0 [ 496.310300] skb_checksum_help+0x129/0x1f0 [ 496.310303] skb_csum_hwoffload_help+0x150/0x1b0 [ 496.310306] validate_xmit_skb+0x159/0x270 [ 496.310309] validate_xmit_skb_list+0x41/0x70 [ 496.310312] sch_direct_xmit+0x5c/0x250 [ 496.310317] __qdisc_run+0x388/0x620 BIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to communicate packet length, as this is an IPv6 jumbogram. But, the feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices. For this specific case of extension headers that are not transmitted, return to the situation before the blamed commit and support hardware offload. ipv6_has_hopopt_jumbo() tests not only whether this header is present, but also that it is the only extension header before a terminal (L4) header.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21629.html
CVE-2025-21629
https://bugzilla.suse.com/1235968
SUSE Bug 1235968
https://bugzilla.suse.com/1244722
SUSE Bug 1244722

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid extent tree [BUG] Syzbot reported a crash with the following call trace: BTRFS info (device loop0): scrub: started on devid 1 BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs] scrub_simple_mirror+0x175/0x260 [btrfs] scrub_stripe+0x5d4/0x6c0 [btrfs] scrub_chunk+0xbb/0x170 [btrfs] scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs] btrfs_scrub_dev+0x240/0x600 [btrfs] btrfs_ioctl+0x1dc8/0x2fa0 [btrfs] ? do_sys_openat2+0xa5/0xf0 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [CAUSE] The reproducer is using a corrupted image where extent tree root is corrupted, thus forcing to use "rescue=all,ro" mount option to mount the image. Then it triggered a scrub, but since scrub relies on extent tree to find where the data/metadata extents are, scrub_find_fill_first_stripe() relies on an non-empty extent root. But unfortunately scrub_find_fill_first_stripe() doesn't really expect an NULL pointer for extent root, it use extent_root to grab fs_info and triggered a NULL pointer dereference. [FIX] Add an extra check for a valid extent root at the beginning of scrub_find_fill_first_stripe(). The new error path is introduced by 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots"), but that's pretty old, and later commit b979547513ff ("btrfs: scrub: introduce helper to find and fill sector info for a scrub_stripe") changed how we do scrub. So for kernels older than 6.6, the fix will need manual backport.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21658.html
CVE-2025-21658
https://bugzilla.suse.com/1236208
SUSE Bug 1236208

Описание

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: Don't unset window if it was never set On pSeries, when user attempts to use the same vfio container used by different iommu group, the spapr_tce_set_window() returns -EPERM and the subsequent cleanup leads to the below crash. Kernel attempted to read user page (308) - exploit attempt? BUG: Kernel NULL pointer dereference on read at 0x00000308 Faulting instruction address: 0xc0000000001ce358 Oops: Kernel access of bad area, sig: 11 [#1] NIP: c0000000001ce358 LR: c0000000001ce05c CTR: c00000000005add0 <snip> NIP [c0000000001ce358] spapr_tce_unset_window+0x3b8/0x510 LR [c0000000001ce05c] spapr_tce_unset_window+0xbc/0x510 Call Trace: spapr_tce_unset_window+0xbc/0x510 (unreliable) tce_iommu_attach_group+0x24c/0x340 [vfio_iommu_spapr_tce] vfio_container_attach_group+0xec/0x240 [vfio] vfio_group_fops_unl_ioctl+0x548/0xb00 [vfio] sys_ioctl+0x754/0x1580 system_call_exception+0x13c/0x330 system_call_vectored_common+0x15c/0x2ec <snip> --- interrupt: 3000 Fix this by having null check for the tbl passed to the spapr_tce_unset_window().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21713.html
CVE-2025-21713
https://bugzilla.suse.com/1237887
SUSE Bug 1237887

Описание

In the Linux kernel, the following vulnerability has been resolved: xfrm: delete intermediate secpath entry in packet offload mode Packets handled by hardware have added secpath as a way to inform XFRM core code that this path was already handled. That secpath is not needed at all after policy is checked and it is removed later in the stack. However, in the case of IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward), that secpath is not removed and packets which already were handled are reentered to the driver TX path with xfrm_offload set. The following kernel panic is observed in mlx5 in such case: mlx5_core 0000:04:00.0 enp4s0f0np0: Link up mlx5_core 0000:04:00.1 enp4s0f1np1: Link up Initializing XFRM netlink socket IPsec XFRM device driver BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: Oops: 0010 [#1] PREEMPT SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc1-alex #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffb87380003800 EFLAGS: 00010206 RAX: ffff8df004e02600 RBX: ffffb873800038d8 RCX: 00000000ffff98cf RDX: ffff8df00733e108 RSI: ffff8df00521fb80 RDI: ffff8df001661f00 RBP: ffffb87380003850 R08: ffff8df013980000 R09: 0000000000000010 R10: 0000000000000002 R11: 0000000000000002 R12: ffff8df001661f00 R13: ffff8df00521fb80 R14: ffff8df00733e108 R15: ffff8df011faf04e FS: 0000000000000000(0000) GS:ffff8df46b800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000106384000 CR4: 0000000000350ef0 Call Trace: <IRQ> ? show_regs+0x63/0x70 ? __die_body+0x20/0x60 ? __die+0x2b/0x40 ? page_fault_oops+0x15c/0x550 ? do_user_addr_fault+0x3ed/0x870 ? exc_page_fault+0x7f/0x190 ? asm_exc_page_fault+0x27/0x30 mlx5e_ipsec_handle_tx_skb+0xe7/0x2f0 [mlx5_core] mlx5e_xmit+0x58e/0x1980 [mlx5_core] ? __fib_lookup+0x6a/0xb0 dev_hard_start_xmit+0x82/0x1d0 sch_direct_xmit+0xfe/0x390 __dev_queue_xmit+0x6d8/0xee0 ? __fib_lookup+0x6a/0xb0 ? internal_add_timer+0x48/0x70 ? mod_timer+0xe2/0x2b0 neigh_resolve_output+0x115/0x1b0 __neigh_update+0x26a/0xc50 neigh_update+0x14/0x20 arp_process+0x2cb/0x8e0 ? __napi_build_skb+0x5e/0x70 arp_rcv+0x11e/0x1c0 ? dev_gro_receive+0x574/0x820 __netif_receive_skb_list_core+0x1cf/0x1f0 netif_receive_skb_list_internal+0x183/0x2a0 napi_complete_done+0x76/0x1c0 mlx5e_napi_poll+0x234/0x7a0 [mlx5_core] __napi_poll+0x2d/0x1f0 net_rx_action+0x1a6/0x370 ? atomic_notifier_call_chain+0x3b/0x50 ? irq_int_handler+0x15/0x20 [mlx5_core] handle_softirqs+0xb9/0x2f0 ? handle_irq_event+0x44/0x60 irq_exit_rcu+0xdb/0x100 common_interrupt+0x98/0xc0 </IRQ> <TASK> asm_common_interrupt+0x27/0x40 RIP: 0010:pv_native_safe_halt+0xb/0x10 Code: 09 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 22 0f 1f 84 00 00 00 00 00 90 eb 07 0f 00 2d 7f e9 36 00 fb 40 00 83 ff 07 77 21 89 ff ff 24 fd 88 3d a1 bd 0f 21 f8 RSP: 0018:ffffffffbe603de8 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000f92f46680 RDX: 0000000000000037 RSI: 00000000ffffffff RDI: 00000000000518d4 RBP: ffffffffbe603df0 R08: 000000cd42e4dffb R09: ffffffffbe603d70 R10: 0000004d80d62680 R11: 0000000000000001 R12: ffffffffbe60bf40 R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffbe60aff8 ? default_idle+0x9/0x20 arch_cpu_idle+0x9/0x10 default_idle_call+0x29/0xf0 do_idle+0x1f2/0x240 cpu_startup_entry+0x2c/0x30 rest_init+0xe7/0x100 start_kernel+0x76b/0xb90 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0xc0/0x110 ? setup_ghcb+0xe/0x130 common_startup_64+0x13e/0x141 </TASK> Modules linked in: esp4_offload esp4 xfrm_interface xfrm6_tunnel tunnel4 tunnel6 xfrm_user xfrm_algo binf ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21720.html
CVE-2025-21720
https://bugzilla.suse.com/1238859
SUSE Bug 1238859

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential memory leak in iopf_queue_remove_device() The iopf_queue_remove_device() helper removes a device from the per-iommu iopf queue when PRI is disabled on the device. It responds to all outstanding iopf's with an IOMMU_PAGE_RESP_INVALID code and detaches the device from the queue. However, it fails to release the group structure that represents a group of iopf's awaiting for a response after responding to the hardware. This can cause a memory leak if iopf_queue_remove_device() is called with pending iopf's. Fix it by calling iopf_free_group() after the iopf group is responded.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21770.html
CVE-2025-21770
https://bugzilla.suse.com/1238495
SUSE Bug 1238495

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs: Add missing deinit() call A warning is triggered when repeatedly connecting and disconnecting the rnbd: list_add corruption. prev->next should be next (ffff88800b13e480), but was ffff88801ecd1338. (prev=ffff88801ecd1340). WARNING: CPU: 1 PID: 36562 at lib/list_debug.c:32 __list_add_valid_or_report+0x7f/0xa0 Workqueue: ib_cm cm_work_handler [ib_cm] RIP: 0010:__list_add_valid_or_report+0x7f/0xa0 ? __list_add_valid_or_report+0x7f/0xa0 ib_register_event_handler+0x65/0x93 [ib_core] rtrs_srv_ib_dev_init+0x29/0x30 [rtrs_server] rtrs_ib_dev_find_or_add+0x124/0x1d0 [rtrs_core] __alloc_path+0x46c/0x680 [rtrs_server] ? rtrs_rdma_connect+0xa6/0x2d0 [rtrs_server] ? rcu_is_watching+0xd/0x40 ? __mutex_lock+0x312/0xcf0 ? get_or_create_srv+0xad/0x310 [rtrs_server] ? rtrs_rdma_connect+0xa6/0x2d0 [rtrs_server] rtrs_rdma_connect+0x23c/0x2d0 [rtrs_server] ? __lock_release+0x1b1/0x2d0 cma_cm_event_handler+0x4a/0x1a0 [rdma_cm] cma_ib_req_handler+0x3a0/0x7e0 [rdma_cm] cm_process_work+0x28/0x1a0 [ib_cm] ? _raw_spin_unlock_irq+0x2f/0x50 cm_req_handler+0x618/0xa60 [ib_cm] cm_work_handler+0x71/0x520 [ib_cm] Commit 667db86bcbe8 ("RDMA/rtrs: Register ib event handler") introduced a new element .deinit but never used it at all. Fix it by invoking the `deinit()` to appropriately unregister the IB event handler.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21805.html
CVE-2025-21805
https://bugzilla.suse.com/1238741
SUSE Bug 1238741

Описание

In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix a use of uninitialized mutex commit c8347f915e67 ("gpu: host1x: Fix boot regression for Tegra") caused a use of uninitialized mutex leading to below warning when CONFIG_DEBUG_MUTEXES and CONFIG_DEBUG_LOCK_ALLOC are enabled. [ 41.662843] ------------[ cut here ]------------ [ 41.663012] DEBUG_LOCKS_WARN_ON(lock->magic != lock) [ 41.663035] WARNING: CPU: 4 PID: 794 at kernel/locking/mutex.c:587 __mutex_lock+0x670/0x878 [ 41.663458] Modules linked in: rtw88_8822c(+) bluetooth(+) rtw88_pci rtw88_core mac80211 aquantia libarc4 crc_itu_t cfg80211 tegra194_cpufreq dwmac_tegra(+) arm_dsu_pmu stmmac_platform stmmac pcs_xpcs rfkill at24 host1x(+) tegra_bpmp_thermal ramoops reed_solomon fuse loop nfnetlink xfs mmc_block rpmb_core ucsi_ccg ina3221 crct10dif_ce xhci_tegra ghash_ce lm90 sha2_ce sha256_arm64 sha1_ce sdhci_tegra pwm_fan sdhci_pltfm sdhci gpio_keys rtc_tegra cqhci mmc_core phy_tegra_xusb i2c_tegra tegra186_gpc_dma i2c_tegra_bpmp spi_tegra114 dm_mirror dm_region_hash dm_log dm_mod [ 41.665078] CPU: 4 UID: 0 PID: 794 Comm: (udev-worker) Not tainted 6.11.0-29.31_1538613708.el10.aarch64+debug #1 [ 41.665838] Hardware name: NVIDIA NVIDIA Jetson AGX Orin Developer Kit/Jetson, BIOS 36.3.0-gcid-35594366 02/26/2024 [ 41.672555] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 41.679636] pc : __mutex_lock+0x670/0x878 [ 41.683834] lr : __mutex_lock+0x670/0x878 [ 41.688035] sp : ffff800084b77090 [ 41.691446] x29: ffff800084b77160 x28: ffffdd4bebf7b000 x27: ffffdd4be96b1000 [ 41.698799] x26: 1fffe0002308361c x25: 1ffff0001096ee18 x24: 0000000000000000 [ 41.706149] x23: 0000000000000000 x22: 0000000000000002 x21: ffffdd4be6e3c7a0 [ 41.713500] x20: ffff800084b770f0 x19: ffff00011841b1e8 x18: 0000000000000000 [ 41.720675] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 [ 41.728023] x14: 0000000000000000 x13: 0000000000000001 x12: ffff6001a96eaab3 [ 41.735375] x11: 1fffe001a96eaab2 x10: ffff6001a96eaab2 x9 : ffffdd4be4838bbc [ 41.742723] x8 : 00009ffe5691554e x7 : ffff000d4b755593 x6 : 0000000000000001 [ 41.749985] x5 : ffff000d4b755590 x4 : 1fffe0001d88f001 x3 : dfff800000000000 [ 41.756988] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000ec478000 [ 41.764251] Call trace: [ 41.766695] __mutex_lock+0x670/0x878 [ 41.770373] mutex_lock_nested+0x2c/0x40 [ 41.774134] host1x_intr_start+0x54/0xf8 [host1x] [ 41.778863] host1x_runtime_resume+0x150/0x228 [host1x] [ 41.783935] pm_generic_runtime_resume+0x84/0xc8 [ 41.788485] __rpm_callback+0xa0/0x478 [ 41.792422] rpm_callback+0x15c/0x1a8 [ 41.795922] rpm_resume+0x698/0xc08 [ 41.799597] __pm_runtime_resume+0xa8/0x140 [ 41.803621] host1x_probe+0x810/0xbc0 [host1x] [ 41.807909] platform_probe+0xcc/0x1a8 [ 41.811845] really_probe+0x188/0x800 [ 41.815347] __driver_probe_device+0x164/0x360 [ 41.819810] driver_probe_device+0x64/0x1a8 [ 41.823834] __driver_attach+0x180/0x490 [ 41.827773] bus_for_each_dev+0x104/0x1a0 [ 41.831797] driver_attach+0x44/0x68 [ 41.835296] bus_add_driver+0x23c/0x4e8 [ 41.839235] driver_register+0x15c/0x3a8 [ 41.843170] __platform_register_drivers+0xa4/0x208 [ 41.848159] tegra_host1x_init+0x4c/0xff8 [host1x] [ 41.853147] do_one_initcall+0xd4/0x380 [ 41.856997] do_init_module+0x1dc/0x698 [ 41.860758] load_module+0xc70/0x1300 [ 41.864435] __do_sys_init_module+0x1a8/0x1d0 [ 41.868721] __arm64_sys_init_module+0x74/0xb0 [ 41.873183] invoke_syscall.constprop.0+0xdc/0x1e8 [ 41.877997] do_el0_svc+0x154/0x1d0 [ 41.881671] el0_svc+0x54/0x140 [ 41.884820] el0t_64_sync_handler+0x120/0x130 [ 41.889285] el0t_64_sync+0x1a4/0x1a8 [ 41.892960] irq event stamp: 69737 [ 41.896370] hardirqs last enabled at (69737): [<ffffdd4be6d7768c>] _raw_spin_unlock_irqrestore+0x44/0xe8 [ 41.905739] hardirqs last disabled at (69736): ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21824.html
CVE-2025-21824
https://bugzilla.suse.com/1238478
SUSE Bug 1238478

Описание

In the Linux kernel, the following vulnerability has been resolved: amdkfd: properly free gang_ctx_bo when failed to init user queue The destructor of a gtt bo is declared as void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj); Which takes void** as the second parameter. GCC allows passing void* to the function because void* can be implicitly casted to any other types, so it can pass compiling. However, passing this void* parameter into the function's execution process(which expects void** and dereferencing void**) will result in errors.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21842.html
CVE-2025-21842
https://bugzilla.suse.com/1239063
SUSE Bug 1239063

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Use spin_lock_irqsave() in interruptible context spin_lock/unlock() functions used in interrupt contexts could result in a deadlock, as seen in GitLab issue #13399, which occurs when interrupt comes in while holding a lock. Try to remedy the problem by saving irq state before spin lock acquisition. v2: add irqs' state save/restore calls to all locks/unlocks in signal_irq_work() execution (Maciej) v3: use with spin_lock_irqsave() in guc_lrc_desc_unpin() instead of other lock/unlock calls and add Fixes and Cc tags (Tvrtko); change title and commit message (cherry picked from commit c088387ddd6482b40f21ccf23db1125e8fa4af7e)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21849.html
CVE-2025-21849
https://bugzilla.suse.com/1239485
SUSE Bug 1239485

Описание

In the Linux kernel, the following vulnerability has been resolved: net: allow small head cache usage with large MAX_SKB_FRAGS values Sabrina reported the following splat: WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0 Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48 RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6 RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168 R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> gro_cells_init+0x1ba/0x270 xfrm_input_init+0x4b/0x2a0 xfrm_init+0x38/0x50 ip_rt_init+0x2d7/0x350 ip_init+0xf/0x20 inet_init+0x406/0x590 do_one_initcall+0x9d/0x2e0 do_initcalls+0x23b/0x280 kernel_init_freeable+0x445/0x490 kernel_init+0x20/0x1d0 ret_from_fork+0x46/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 584330 hardirqs last enabled at (584338): [<ffffffff8168bf87>] __up_console_sem+0x77/0xb0 hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0 softirqs last enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470 softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0 on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD. Such built additionally contains the revert of the single page frag cache so that napi_get_frags() ends up using the page frag allocator, triggering the splat. Note that the underlying issue is independent from the mentioned revert; address it ensuring that the small head cache will fit either TCP and GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21868.html
CVE-2025-21868
https://bugzilla.suse.com/1240180
SUSE Bug 1240180

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe/userptr: fix EFAULT handling Currently we treat EFAULT from hmm_range_fault() as a non-fatal error when called from xe_vm_userptr_pin() with the idea that we want to avoid killing the entire vm and chucking an error, under the assumption that the user just did an unmap or something, and has no intention of actually touching that memory from the GPU. At this point we have already zapped the PTEs so any access should generate a page fault, and if the pin fails there also it will then become fatal. However it looks like it's possible for the userptr vma to still be on the rebind list in preempt_rebind_work_func(), if we had to retry the pin again due to something happening in the caller before we did the rebind step, but in the meantime needing to re-validate the userptr and this time hitting the EFAULT. This explains an internal user report of hitting: [ 191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe] [ 191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738690] Call Trace: [ 191.738692] <TASK> [ 191.738694] ? show_regs+0x69/0x80 [ 191.738698] ? __warn+0x93/0x1a0 [ 191.738703] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738759] ? report_bug+0x18f/0x1a0 [ 191.738764] ? handle_bug+0x63/0xa0 [ 191.738767] ? exc_invalid_op+0x19/0x70 [ 191.738770] ? asm_exc_invalid_op+0x1b/0x20 [ 191.738777] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738834] ? ret_from_fork_asm+0x1a/0x30 [ 191.738849] bind_op_prepare+0x105/0x7b0 [xe] [ 191.738906] ? dma_resv_reserve_fences+0x301/0x380 [ 191.738912] xe_pt_update_ops_prepare+0x28c/0x4b0 [xe] [ 191.738966] ? kmemleak_alloc+0x4b/0x80 [ 191.738973] ops_execute+0x188/0x9d0 [xe] [ 191.739036] xe_vm_rebind+0x4ce/0x5a0 [xe] [ 191.739098] ? trace_hardirqs_on+0x4d/0x60 [ 191.739112] preempt_rebind_work_func+0x76f/0xd00 [xe] Followed by NPD, when running some workload, since the sg was never actually populated but the vma is still marked for rebind when it should be skipped for this special EFAULT case. This is confirmed to fix the user report. v2 (MattB): - Move earlier. v3 (MattB): - Update the commit message to make it clear that this indeed fixes the issue. (cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21880.html
CVE-2025-21880
https://bugzilla.suse.com/1240170
SUSE Bug 1240170

Описание

In the Linux kernel, the following vulnerability has been resolved: ftrace: Avoid potential division by zero in function_stat_show() Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produce zero and skip stddev computation in that case. For now don't care about rec->counter * rec->counter overflow because rec->time * rec->time overflow will likely happen earlier.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21898.html
CVE-2025-21898
https://bugzilla.suse.com/1240610
SUSE Bug 1240610

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix bad hist from corrupting named_triggers list The following commands causes a crash: ~# cd /sys/kernel/tracing/events/rcu/rcu_callback ~# echo 'hist:name=bad:keys=common_pid:onmax(bogus).save(common_pid)' > trigger bash: echo: write error: Invalid argument ~# echo 'hist:name=bad:keys=common_pid' > trigger Because the following occurs: event_trigger_write() { trigger_process_regex() { event_hist_trigger_parse() { data = event_trigger_alloc(..); event_trigger_register(.., data) { cmd_ops->reg(.., data, ..) [hist_register_trigger()] { data->ops->init() [event_hist_trigger_init()] { save_named_trigger(name, data) { list_add(&data->named_list, &named_triggers); } } } } ret = create_actions(); (return -EINVAL) if (ret) goto out_unreg; [..] ret = hist_trigger_enable(data, ...) { list_add_tail_rcu(&data->list, &file->triggers); <<<---- SKIPPED!!! (this is important!) [..] out_unreg: event_hist_unregister(.., data) { cmd_ops->unreg(.., data, ..) [hist_unregister_trigger()] { list_for_each_entry(iter, &file->triggers, list) { if (!hist_trigger_match(data, iter, named_data, false)) <- never matches continue; [..] test = iter; } if (test && test->ops->free) <<<-- test is NULL test->ops->free(test) [event_hist_trigger_free()] { [..] if (data->name) del_named_trigger(data) { list_del(&data->named_list); <<<<-- NEVER gets removed! } } } } [..] kfree(data); <<<-- frees item but it is still on list The next time a hist with name is registered, it causes an u-a-f bug and the kernel can crash. Move the code around such that if event_trigger_register() succeeds, the next thing called is hist_trigger_enable() which adds it to the list. A bunch of actions is called if get_named_trigger_data() returns false. But that doesn't need to be called after event_trigger_register(), so it can be moved up, allowing event_trigger_register() to be called just before hist_trigger_enable() keeping them together and allowing the file->triggers to be properly populated.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21899.html
CVE-2025-21899
https://bugzilla.suse.com/1240577
SUSE Bug 1240577

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Add sanity checks on rdev validity There is a possibility that ulp_irq_stop and ulp_irq_start callbacks will be called when the device is in detached state. This can cause a crash due to NULL pointer dereference as the rdev is already freed.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21901.html
CVE-2025-21901
https://bugzilla.suse.com/1240579
SUSE Bug 1240579

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: avoid deadlock on fence release Do scheduler queue fence release processing on a workqueue, rather than in the release function itself. Fixes deadlock issues such as the following: [ 607.400437] ============================================ [ 607.405755] WARNING: possible recursive locking detected [ 607.415500] -------------------------------------------- [ 607.420817] weston:zfq0/24149 is trying to acquire lock: [ 607.426131] ffff000017d041a0 (reservation_ww_class_mutex){+.+.}-{3:3}, at: pvr_gem_object_vunmap+0x40/0xc0 [powervr] [ 607.436728] but task is already holding lock: [ 607.442554] ffff000017d105a0 (reservation_ww_class_mutex){+.+.}-{3:3}, at: dma_buf_ioctl+0x250/0x554 [ 607.451727] other info that might help us debug this: [ 607.458245] Possible unsafe locking scenario: [ 607.464155] CPU0 [ 607.466601] ---- [ 607.469044] lock(reservation_ww_class_mutex); [ 607.473584] lock(reservation_ww_class_mutex); [ 607.478114] *** DEADLOCK ***

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21911.html
CVE-2025-21911
https://bugzilla.suse.com/1240589
SUSE Bug 1240589

Описание

In the Linux kernel, the following vulnerability has been resolved: vlan: enforce underlying device type Currently, VLAN devices can be created on top of non-ethernet devices. Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode. When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device. As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add. __dev_mc_add uses dev->addr_len to determine the length of the new multicast address. This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long. This behaviour can be reproduced using the following commands: ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100 Then, the following command will display the address of garp_pdu_rcv: ip maddr show | grep 01:80:c2:00:00:21 Fix the bug by enforcing the type of the underlying device during VLAN device initialization.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21920.html
CVE-2025-21920
https://bugzilla.suse.com/1240686
SUSE Bug 1240686

Описание

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr If multiple connection requests attempt to create an implicit mptcp endpoint in parallel, more than one caller may end up in mptcp_pm_nl_append_new_local_addr because none found the address in local_addr_list during their call to mptcp_pm_nl_get_local_id. In this case, the concurrent new_local_addr calls may delete the address entry created by the previous caller. These deletes use synchronize_rcu, but this is not permitted in some of the contexts where this function may be called. During packet recv, the caller may be in a rcu read critical section and have preemption disabled. An example stack: BUG: scheduling while atomic: swapper/2/0/0x00000302 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) dump_stack (lib/dump_stack.c:124) __schedule_bug (kernel/sched/core.c:5943) schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970) __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621) schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818) schedule_timeout (kernel/time/timer.c:2160) wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148) __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444) synchronize_rcu (kernel/rcu/tree.c:3609) mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061) mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164) mptcp_pm_get_local_id (net/mptcp/pm.c:420) subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213) subflow_v4_route_req (net/mptcp/subflow.c:305) tcp_conn_request (net/ipv4/tcp_input.c:7216) subflow_v4_conn_request (net/mptcp/subflow.c:651) tcp_rcv_state_process (net/ipv4/tcp_input.c:6709) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234) ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254) ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580) ip_sublist_rcv (net/ipv4/ip_input.c:640) ip_list_rcv (net/ipv4/ip_input.c:675) __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631) netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774) napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114) igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb __napi_poll (net/core/dev.c:6582) net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787) handle_softirqs (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636) irq_exit_rcu (kernel/softirq.c:651) common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) </IRQ> This problem seems particularly prevalent if the user advertises an endpoint that has a different external vs internal address. In the case where the external address is advertised and multiple connections already exist, multiple subflow SYNs arrive in parallel which tends to trigger the race during creation of the first local_addr_list entries which have the internal address instead. Fix by skipping the replacement of an existing implicit local address if called via mptcp_pm_nl_get_local_id.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21938.html
CVE-2025-21938
https://bugzilla.suse.com/1240723
SUSE Bug 1240723

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe/hmm: Don't dereference struct page pointers without notifier lock The pnfs that we obtain from hmm_range_fault() point to pages that we don't have a reference on, and the guarantee that they are still in the cpu page-tables is that the notifier lock must be held and the notifier seqno is still valid. So while building the sg table and marking the pages accesses / dirty we need to hold this lock with a validated seqno. However, the lock is reclaim tainted which makes sg_alloc_table_from_pages_segment() unusable, since it internally allocates memory. Instead build the sg-table manually. For the non-iommu case this might lead to fewer coalesces, but if that's a problem it can be fixed up later in the resource cursor code. For the iommu case, the whole sg-table may still be coalesced to a single contigous device va region. This avoids marking pages that we don't own dirty and accessed, and it also avoid dereferencing struct pages that we don't own. v2: - Use assert to check whether hmm pfns are valid (Matthew Auld) - Take into account that large pages may cross range boundaries (Matthew Auld) v3: - Don't unnecessarily check for a non-freed sg-table. (Matthew Auld) - Add a missing up_read() in an error path. (Matthew Auld) (cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21939.html
CVE-2025-21939
https://bugzilla.suse.com/1240710
SUSE Bug 1240710

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix NULL Pointer Dereference in KFD queue Through KFD IOCTL Fuzzing we encountered a NULL pointer derefrence when calling kfd_queue_acquire_buffers. (cherry picked from commit 049e5bf3c8406f87c3d8e1958e0a16804fa1d530)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21940.html
CVE-2025-21940
https://bugzilla.suse.com/1240702
SUSE Bug 1240702

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple. The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them. By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal"), count_tree() was split and the relevant allocation code now resides in insert_tree(). Initialize `conn->cpu` and `conn->jiffies32` in insert_tree(). BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline] BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 find_or_evict net/netfilter/nf_conncount.c:117 [inline] __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 count_tree net/netfilter/nf_conncount.c:438 [inline] nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline] __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983 __netif_receive_skb_list net/core/dev.c:6035 [inline] netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178 xdp_recv_frames net/bpf/test_run.c:280 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline] __se_sys_bpf kernel/bpf/syscall.c:5900 [inline] __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Uninit was created at: slab_post_alloc_hook mm/slub.c:4121 [inline] slab_alloc_node mm/slub.c:4164 [inline] kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171 insert_tree net/netfilter/nf_conncount.c:372 [inline] count_tree net/netfilter/nf_conncount.c:450 [inline] nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ip ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21959.html
CVE-2025-21959
https://bugzilla.suse.com/1240814
SUSE Bug 1240814

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: init return value in amdgpu_ttm_clear_buffer Otherwise an uninitialized value can be returned if amdgpu_res_cleared returns true for all regions. Possibly closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812 (cherry picked from commit 7c62aacc3b452f73a1284198c81551035fac6d71)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21987.html
CVE-2025-21987
https://bugzilla.suse.com/1240798
SUSE Bug 1240798

Описание

In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-21997.html
CVE-2025-21997
https://bugzilla.suse.com/1240823
SUSE Bug 1240823

Описание

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the error path. Note that we can remove the fib6_nh_release() call in nh_create_ipv6() later in net-next.git.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22005.html
CVE-2025-22005
https://bugzilla.suse.com/1240866
SUSE Bug 1240866

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Don't skip on Stopped - Length Invalid Up until commit d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are returned when isoc ring is stopped") in v6.11, the driver didn't skip missed isochronous TDs when handling Stoppend and Stopped - Length Invalid events. Instead, it erroneously cleared the skip flag, which would cause the ring to get stuck, as future events won't match the missed TD which is never removed from the queue until it's cancelled. This buggy logic seems to have been in place substantially unchanged since the 3.x series over 10 years ago, which probably speaks first and foremost about relative rarity of this case in normal usage, but by the spec I see no reason why it shouldn't be possible. After d56b0b2ab142, TDs are immediately skipped when handling those Stopped events. This poses a potential problem in case of Stopped - Length Invalid, which occurs either on completed TDs (likely already given back) or Link and No-Op TRBs. Such event won't be recognized as matching any TD (unless it's the rare Link TRB inside a TD) and will result in skipping all pending TDs, giving them back possibly before they are done, risking isoc data loss and maybe UAF by HW. As a compromise, don't skip and don't clear the skip flag on this kind of event. Then the next event will skip missed TDs. A downside of not handling Stopped - Length Invalid on a Link inside a TD is that if the TD is cancelled, its actual length will not be updated to account for TRBs (silently) completed before the TD was stopped. I had no luck producing this sequence of completion events so there is no compelling demonstration of any resulting disaster. It may be a very rare, obscure condition. The sole motivation for this patch is that if such unlikely event does occur, I'd rather risk reporting a cancelled partially done isoc frame as empty than gamble with UAF. This will be fixed more properly by looking at Stopped event's TRB pointer when making skipping decisions, but such rework is unlikely to be backported to v6.12, which will stay around for a few years.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22023.html
CVE-2025-22023
https://bugzilla.suse.com/1241298
SUSE Bug 1241298

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if puting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the following script: $ echo function_graph > current_tracer $ cat trace > /dev/null & $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point $ echo timerlat > current_tracer The root cause lies in the two calls to print_graph_function_flags within print_trace_line during each s_show(): * One through 'iter->trace->print_line()'; * Another through 'event->funcs->trace()', which is hidden in print_trace_fmt() before print_trace_line returns. Tracer switching only updates the former, while the latter continues to use the print_line function of the old tracer, which in the script above is print_graph_function_flags. Moreover, when switching from the 'function_graph' tracer to the 'timerlat' tracer, s_start only calls graph_trace_close of the 'function_graph' tracer to free 'iter->private', but does not set it to NULL. This provides an opportunity for 'event->funcs->trace()' to use an invalid 'iter->private'. To fix this issue, set 'iter->private' to NULL immediately after freeing it in graph_trace_close(), ensuring that an invalid pointer is not passed to other tracers. Additionally, clean up the unnecessary 'iter->private = NULL' during each 'cat trace' when using wakeup and irqsoff tracers. [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22035.html
CVE-2025-22035
https://bugzilla.suse.com/1241544
SUSE Bug 1241544

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: imx-card: Add NULL check in imx_card_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, imx_card_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22066.html
CVE-2025-22066
https://bugzilla.suse.com/1241340
SUSE Bug 1241340

Описание

In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If a scsi request is then sent we do: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend which sees the vs_tpg we just did a kfree on. 2. Tpg dir removal hang: This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir. 3. Tpg leak: This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs. Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22083.html
CVE-2025-22083
https://bugzilla.suse.com/1241414
SUSE Bug 1241414

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a crash like this one: [42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 [42021.814463] #PF: supervisor read access in kernel mode [42021.819549] #PF: error_code(0x0000) - not-present page [42021.824636] PGD 0 P4D 0 [42021.827145] Oops: 0000 [#1] SMP PTI [42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX [42021.841697] Hardware name: XXX [42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core] [42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48 [42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287 [42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000 [42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0 [42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000 [42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530 [42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000 [42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000 [42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0 [42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [42021.949324] Call Trace: [42021.951756] <TASK> [42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70 [42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0 [42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0 [42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0 [42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30 [42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core] [42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core] [42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50 [42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0 [42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410 [42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0 [42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0 [42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0 [42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2 The problem can be reproduced using the following steps: ip netns add foo ip netns exec foo bash cat /sys/class/infiniband/mlx4_0/hw_counters/* The panic occurs because of casting the device pointer into an ib_device pointer using container_of() in hw_stat_device_show() is wrong and leads to a memory corruption. However the real problem is that hw counters should never been exposed outside of the non-init net namespace. Fix this by saving the index of the corresponding attribute group (it might be 1 or 2 depending on the presence of driver-specific attributes) and zeroing the pointer to hw_counters group for compat devices during the initialization. With this fix applied hw_counters are not available in a non-init net namespace: find /sys/class/infiniband/mlx4_0/ -name hw_counters /sys/class/infiniband/mlx4_0/ports/1/hw_counters /sys/class/infiniband/mlx4_0/ports/2/hw_counters /sys/class/infiniband/mlx4_0/hw_counters ip netns add foo ip netns exec foo bash find /sys/class/infiniband/mlx4_0/ -name hw_counters

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22089.html
CVE-2025-22089
https://bugzilla.suse.com/1241538
SUSE Bug 1241538

Описание

In the Linux kernel, the following vulnerability has been resolved: PCI: brcmstb: Fix error path after a call to regulator_bulk_get() If the regulator_bulk_get() returns an error and no regulators are created, we need to set their number to zero. If we don't do this and the PCIe link up fails, a call to the regulator_bulk_free() will result in a kernel panic. While at it, print the error value, as we cannot return an error upwards as the kernel will WARN() on an error from add_bus(). [kwilczynski: commit log, use comma in the message to match style with other similar messages]

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22095.html
CVE-2025-22095
https://bugzilla.suse.com/1241519
SUSE Bug 1241519

Описание

In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge. In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br_ioctl_call() also re-acquires RTNL. In the race window, Thread B could acquire RTNL and try to remove the bridge device. Then, rtnl_unlock() by Thread B will release RTNL and wait for netdev_put() by Thread A. Thread A, however, must hold RTNL after the unlock in dev_ifsioc(), which may take long under RTNL pressure, resulting in the splat by Thread B. Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR) ---------------------- ---------------------- sock_ioctl sock_ioctl `- sock_do_ioctl `- br_ioctl_call `- dev_ioctl `- br_ioctl_stub |- rtnl_lock | |- dev_ifsioc ' ' |- dev = __dev_get_by_name(...) |- netdev_hold(dev, ...) . / |- rtnl_unlock ------. | | |- br_ioctl_call `---> |- rtnl_lock Race | | `- br_ioctl_stub |- br_del_bridge Window | | | |- dev = __dev_get_by_name(...) | | | May take long | `- br_dev_delete(dev, ...) | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...) | | | | `- rtnl_unlock \ | |- rtnl_lock <-' `- netdev_run_todo | |- ... `- netdev_run_todo | `- rtnl_unlock |- __rtnl_unlock | |- netdev_wait_allrefs_any |- netdev_put(dev, ...) <----------------' Wait refcnt decrement and log splat below To avoid blocking SIOCBRDELBR unnecessarily, let's not call dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF. In the dev_ioctl() path, we do the following: 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl() 2. Check CAP_NET_ADMIN in dev_ioctl() 3. Call dev_load() in dev_ioctl() 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc() 3. can be done by request_module() in br_ioctl_call(), so we move 1., 2., and 4. to br_ioctl_stub(). Note that 2. is also checked later in add_del_if(), but it's better performed before RTNL. SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since the pre-git era, and there seems to be no specific reason to process them there. [0]: unregister_netdevice: waiting for wpan3 to become free. Usage count = 2 ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline] netdev_hold include/linux/netdevice.h:4311 [inline] dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624 dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826 sock_do_ioctl+0x1ca/0x260 net/socket.c:1213 sock_ioctl+0x23a/0x6c0 net/socket.c:1318 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22111.html
CVE-2025-22111
https://bugzilla.suse.com/1241572
SUSE Bug 1241572

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22113.html
CVE-2025-22113
https://bugzilla.suse.com/1241617
SUSE Bug 1241617

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: init wiphy_work before allocating rfkill fails syzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1] After rfkill allocation fails, the wiphy release process will be performed, which will cause cfg80211_dev_free to access the uninitialized wiphy_work related data. Move the initialization of wiphy_work to before rfkill initialization to avoid this issue. [1] INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 assign_lock_key kernel/locking/lockdep.c:983 [inline] register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297 __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196 device_release+0xa1/0x240 drivers/base/core.c:2568 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e4/0x5a0 lib/kobject.c:737 put_device+0x1f/0x30 drivers/base/core.c:3774 wiphy_free net/wireless/core.c:1224 [inline] wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562 ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835 mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185 hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:733 [inline] ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2627 __sys_sendmsg+0x16e/0x220 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 Close: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22119.html
CVE-2025-22119
https://bugzilla.suse.com/1241576
SUSE Bug 1241576
https://bugzilla.suse.com/1241577
SUSE Bug 1241577

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: goto right label 'out_mmap_sem' in ext4_setattr() Otherwise, if ext4_inode_attach_jinode() fails, a hung task will happen because filemap_invalidate_unlock() isn't called to unlock mapping->invalidate_lock. Like this: EXT4-fs error (device sda) in ext4_setattr:5557: Out of memory INFO: task fsstress:374 blocked for more than 122 seconds. Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:fsstress state:D stack:0 pid:374 tgid:374 ppid:373 task_flags:0x440140 flags:0x00000000 Call Trace: <TASK> __schedule+0x2c9/0x7f0 schedule+0x27/0xa0 schedule_preempt_disabled+0x15/0x30 rwsem_down_read_slowpath+0x278/0x4c0 down_read+0x59/0xb0 page_cache_ra_unbounded+0x65/0x1b0 filemap_get_pages+0x124/0x3e0 filemap_read+0x114/0x3d0 vfs_read+0x297/0x360 ksys_read+0x6c/0xe0 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22120.html
CVE-2025-22120
https://bugzilla.suse.com/1241592
SUSE Bug 1241592

Описание

In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb In clustermd, separate write-intent-bitmaps are used for each cluster node: 0 4k 8k 12k ------------------------------------------------------------------- | idle | md super | bm super [0] + bits | | bm bits[0, contd] | bm super[1] + bits | bm bits[1, contd] | | bm super[2] + bits | bm bits [2, contd] | bm super[3] + bits | | bm bits [3, contd] | | | So in node 1, pg_index in __write_sb_page() could equal to bitmap->storage.file_pages. Then bitmap_limit will be calculated to 0. md_super_write() will be called with 0 size. That means the first 4k sb area of node 1 will never be updated through filemap_write_page(). This bug causes hang of mdadm/clustermd_tests/01r1_Grow_resize. Here use (pg_index % bitmap->storage.file_pages) to make calculation of bitmap_limit correct.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22124.html
CVE-2025-22124
https://bugzilla.suse.com/1241595
SUSE Bug 1241595

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emuating the nested VM-Exit can access guest memory. The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. ============================= WARNING: suspicious RCU usage 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted ----------------------------- include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by triple_fault_ev/1256: #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] stack backtrace: CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x144/0x190 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] read_and_check_msr_entry+0x2e/0x180 [kvm_intel] __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] kvm_check_nested_events+0x1b/0x30 [kvm] kvm_apic_accept_events+0x33/0x100 [kvm] kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] __x64_sys_ioctl+0x8b/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23141.html
CVE-2025-23141
https://bugzilla.suse.com/1242782
SUSE Bug 1242782

Описание

In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks to be sent. There's a possible race condition if another thread triggers the removal of that selected transport, for instance, by explicitly unbinding an address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have been set up and before the message is sent. This can happen if the send buffer is full, during the period when the sender thread temporarily releases the socket lock in sctp_wait_for_sndbuf(). This causes the access to the transport data in sctp_outq_select_transport(), when the association outqueue is flushed, to result in a use-after-free read. This change avoids this scenario by having sctp_transport_free() signal the freeing of the transport, tagging it as "dead". In order to do this, the patch restores the "dead" bit in struct sctp_transport, which was removed in commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport"). Then, in the scenario where the sender thread has released the socket lock in sctp_wait_for_sndbuf(), the bit is checked again after re-acquiring the socket lock to detect the deletion. This is done while holding a reference to the transport to prevent it from being freed in the process. If the transport was deleted while the socket lock was relinquished, sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the send. The bug was found by a private syzbot instance (see the error report [1] and the C reproducer that triggers it [2]).

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23142.html
CVE-2025-23142
https://bugzilla.suse.com/1242760
SUSE Bug 1242760

Описание

In the Linux kernel, the following vulnerability has been resolved: backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Lockdep detects the following issue on led-backlight removal: [ 142.315935] ------------[ cut here ]------------ [ 142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80 ... [ 142.500725] Call trace: [ 142.503176] led_sysfs_enable+0x54/0x80 (P) [ 142.507370] led_bl_remove+0x80/0xa8 [led_bl] [ 142.511742] platform_remove+0x30/0x58 [ 142.515501] device_remove+0x54/0x90 ... Indeed, led_sysfs_enable() has to be called with the led_access lock held. Hold the lock when calling led_sysfs_disable().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23144.html
CVE-2025-23144
https://bugzilla.suse.com/1242568
SUSE Bug 1242568

Описание

In the Linux kernel, the following vulnerability has been resolved: mfd: ene-kb3930: Fix a potential NULL pointer dereference The off_gpios could be NULL. Add missing check in the kb3930_probe(). This is similar to the issue fixed in commit b1ba8bcb2d1f ("backlight: hx8357: Fix potential NULL pointer dereference"). This was detected by our static analysis tool.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23146.html
CVE-2025-23146
https://bugzilla.suse.com/1242559
SUSE Bug 1242559

Описание

In the Linux kernel, the following vulnerability has been resolved: i3c: Add NULL pointer check in i3c_master_queue_ibi() The I3C master driver may receive an IBI from a target device that has not been probed yet. In such cases, the master calls `i3c_master_queue_ibi()` to queue an IBI work task, leading to "Unable to handle kernel read from unreadable memory" and resulting in a kernel panic. Typical IBI handling flow: 1. The I3C master scans target devices and probes their respective drivers. 2. The target device driver calls `i3c_device_request_ibi()` to enable IBI and assigns `dev->ibi = ibi`. 3. The I3C master receives an IBI from the target device and calls `i3c_master_queue_ibi()` to queue the target device driver's IBI handler task. However, since target device events are asynchronous to the I3C probe sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`, leading to a kernel panic. Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing an uninitialized `dev->ibi`, ensuring stability.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23147.html
CVE-2025-23147
https://bugzilla.suse.com/1242530
SUSE Bug 1242530

Описание

In the Linux kernel, the following vulnerability has been resolved: soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() soc_dev_attr->revision could be NULL, thus, a pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c"). This issue is found by our static analysis tool.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23148.html
CVE-2025-23148
https://bugzilla.suse.com/1242578
SUSE Bug 1242578

Описание

In the Linux kernel, the following vulnerability has been resolved: tpm: do not start chip while suspended Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can lead to a spurious tpm_chip_start() call: [35985.503771] i2c i2c-1: Transfer while suspended [35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810 [35985.503802] Modules linked in: [35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f [35985.503814] Tainted: [W]=WARN [35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023 [35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810 [35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5 [35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246 [35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000 [35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001 [35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820 [35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120 [35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000 [35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0 [35985.503855] Call Trace: [35985.503859] <TASK> [35985.503863] ? __warn+0xd4/0x260 [35985.503868] ? __i2c_transfer+0xbe/0x810 [35985.503874] ? report_bug+0xf3/0x210 [35985.503882] ? handle_bug+0x63/0xb0 [35985.503887] ? exc_invalid_op+0x16/0x50 [35985.503892] ? asm_exc_invalid_op+0x16/0x20 [35985.503904] ? __i2c_transfer+0xbe/0x810 [35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0 [35985.503920] tpm_cr50_i2c_read+0x8e/0x120 [35985.503928] tpm_cr50_request_locality+0x75/0x170 [35985.503935] tpm_chip_start+0x116/0x160 [35985.503942] tpm_try_get_ops+0x57/0x90 [35985.503948] tpm_find_get_ops+0x26/0xd0 [35985.503955] tpm_get_random+0x2d/0x80 Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in such a failure case.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23149.html
CVE-2025-23149
https://bugzilla.suse.com/1242758
SUSE Bug 1242758

Описание

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Fix race between unprepare and queue_buf A client driver may use mhi_unprepare_from_transfer() to quiesce incoming data during the client driver's tear down. The client driver might also be processing data at the same time, resulting in a call to mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs after mhi_unprepare_from_transfer() has torn down the channel, a panic will occur due to an invalid dereference leading to a page fault. This occurs because mhi_gen_tre() does not verify the channel state after locking it. Fix this by having mhi_gen_tre() confirm the channel state is valid, or return error to avoid accessing deinitialized data. [mani: added stable tag]

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23151.html
CVE-2025-23151
https://bugzilla.suse.com/1242512
SUSE Bug 1242512

Описание

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix accessing freed irq affinity_hint The cpumask should not be a local variable, since its pointer is saved to irq_desc and may be accessed from procfs. To fix it, use the persistent mask cpumask_of(cpu#).

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23155.html
CVE-2025-23155
https://bugzilla.suse.com/1242573
SUSE Bug 1242573

Описание

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: refactor hfi packet parsing logic words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this patch, the utility api for handling individual properties now returns the size of data consumed. Accordingly remaining bytes are calculated before parsing the payload, thereby eliminates the OOB access possibilities.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23156.html
CVE-2025-23156
https://bugzilla.suse.com/1242569
SUSE Bug 1242569

Описание

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add check to avoid out of bound access There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23157.html
CVE-2025-23157
https://bugzilla.suse.com/1242532
SUSE Bug 1242532

Описание

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add check to handle incorrect queue size qsize represents size of shared queued between driver and video firmware. Firmware can modify this value to an invalid large value. In such situation, empty_space will be bigger than the space actually available. Since new_wr_idx is not checked, so the following code will result in an OOB write. ... qsize = qhdr->q_size if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx) .... if (new_wr_idx < qsize) { memcpy(wr_ptr, packet, dwords << 2) --> OOB write Add check to ensure qsize is within the allocated size while reading and writing packets into the queue.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23158.html
CVE-2025-23158
https://bugzilla.suse.com/1242531
SUSE Bug 1242531

Описание

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23159.html
CVE-2025-23159
https://bugzilla.suse.com/1242529
SUSE Bug 1242529

Описание

In the Linux kernel, the following vulnerability has been resolved: PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type The access to the PCI config space via pci_ops::read and pci_ops::write is a low-level hardware access. The functions can be accessed with disabled interrupts even on PREEMPT_RT. The pci_lock is a raw_spinlock_t for this purpose. A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be acquired with disabled interrupts. The vmd_dev::cfg_lock is accessed in the same context as the pci_lock. Make vmd_dev::cfg_lock a raw_spinlock_t type so it can be used with interrupts disabled. This was reported as: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 Call Trace: rt_spin_lock+0x4e/0x130 vmd_pci_read+0x8d/0x100 [vmd] pci_user_read_config_byte+0x6f/0xe0 pci_read_config+0xfe/0x290 sysfs_kf_bin_read+0x68/0x90 [bigeasy: reword commit message] Tested-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com> [kwilczynski: commit log] [bhelgaas: add back report info from https://lore.kernel.org/lkml/20241218115951.83062-1-ryotkkr98@gmail.com/]

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23161.html
CVE-2025-23161
https://bugzilla.suse.com/1242792
SUSE Bug 1242792

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe/vf: Don't try to trigger a full GT reset if VF VFs don't have access to the GDRST(0x941c) register that driver uses to reset a GT. Attempt to trigger a reset using debugfs: $ cat /sys/kernel/debug/dri/0000:00:02.1/gt0/force_reset or due to a hang condition detected by the driver leads to: [ ] xe 0000:00:02.1: [drm] GT0: trying reset from force_reset [xe] [ ] xe 0000:00:02.1: [drm] GT0: reset queued [ ] xe 0000:00:02.1: [drm] GT0: reset started [ ] ------------[ cut here ]------------ [ ] xe 0000:00:02.1: [drm] GT0: VF is trying to write 0x1 to an inaccessible register 0x941c+0x0 [ ] WARNING: CPU: 3 PID: 3069 at drivers/gpu/drm/xe/xe_gt_sriov_vf.c:996 xe_gt_sriov_vf_write32+0xc6/0x580 [xe] [ ] RIP: 0010:xe_gt_sriov_vf_write32+0xc6/0x580 [xe] [ ] Call Trace: [ ] <TASK> [ ] ? show_regs+0x6c/0x80 [ ] ? __warn+0x93/0x1c0 [ ] ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe] [ ] ? report_bug+0x182/0x1b0 [ ] ? handle_bug+0x6e/0xb0 [ ] ? exc_invalid_op+0x18/0x80 [ ] ? asm_exc_invalid_op+0x1b/0x20 [ ] ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe] [ ] ? xe_gt_sriov_vf_write32+0xc6/0x580 [xe] [ ] ? xe_gt_tlb_invalidation_reset+0xef/0x110 [xe] [ ] ? __mutex_unlock_slowpath+0x41/0x2e0 [ ] xe_mmio_write32+0x64/0x150 [xe] [ ] do_gt_reset+0x2f/0xa0 [xe] [ ] gt_reset_worker+0x14e/0x1e0 [xe] [ ] process_one_work+0x21c/0x740 [ ] worker_thread+0x1db/0x3c0 Fix that by sending H2G VF_RESET(0x5507) action instead.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-23162.html
CVE-2025-23162
https://bugzilla.suse.com/1242834
SUSE Bug 1242834

Описание

In the Linux kernel, the following vulnerability has been resolved: ext4: ignore xattrs past end Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry. This fixes the following KASAN reported issue: ================================================================== BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 Read of size 4 at addr ffff888012c120c4 by task repro/2065 CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x1fd/0x300 ? tcp_gro_dev_warn+0x260/0x260 ? _printk+0xc0/0x100 ? read_lock_is_recursive+0x10/0x10 ? irq_work_queue+0x72/0xf0 ? __virt_addr_valid+0x17b/0x4b0 print_address_description+0x78/0x390 print_report+0x107/0x1f0 ? __virt_addr_valid+0x17b/0x4b0 ? __virt_addr_valid+0x3ff/0x4b0 ? __phys_addr+0xb5/0x160 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 kasan_report+0xcc/0x100 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ? ext4_xattr_delete_inode+0xd30/0xd30 ? __ext4_journal_ensure_credits+0x5f0/0x5f0 ? __ext4_journal_ensure_credits+0x2b/0x5f0 ? inode_update_timestamps+0x410/0x410 ext4_xattr_delete_inode+0xb64/0xd30 ? ext4_truncate+0xb70/0xdc0 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20 ? __ext4_mark_inode_dirty+0x670/0x670 ? ext4_journal_check_start+0x16f/0x240 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0 ext4_evict_inode+0xc8c/0xff0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 ? do_raw_spin_unlock+0x53/0x8a0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 evict+0x4ac/0x950 ? proc_nr_inodes+0x310/0x310 ? trace_ext4_drop_inode+0xa2/0x220 ? _raw_spin_unlock+0x1a/0x30 ? iput+0x4cb/0x7e0 do_unlinkat+0x495/0x7c0 ? try_break_deleg+0x120/0x120 ? 0xffffffff81000000 ? __check_object_size+0x15a/0x210 ? strncpy_from_user+0x13e/0x250 ? getname_flags+0x1dc/0x530 __x64_sys_unlinkat+0xc8/0xf0 do_syscall_64+0x65/0x110 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x434ffd Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8 RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107 RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001 </TASK> The buggy address belongs to the object at ffff888012c12000 which belongs to the cache filp of size 360 The buggy address is located 196 bytes inside of freed 360-byte region [ffff888012c12000, ffff888012c12168) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x40(head|node=0|zone=0) page_type: f5(slab) raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888012c12180: fc fc fc fc fc fc fc fc fc ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37738.html
CVE-2025-37738
https://bugzilla.suse.com/1242846
SUSE Bug 1242846

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: add sanity check for agwidth in dbMount The width in dmapctl of the AG is zero, it trigger a divide error when calculating the control page level in dbAllocAG. To avoid this issue, add a check for agwidth in dbAllocAG.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37740.html
CVE-2025-37740
https://bugzilla.suse.com/1243006
SUSE Bug 1243006

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: Prevent copying of nlink with value 0 from disk inode syzbot report a deadlock in diFree. [1] When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4, which does not match the mounted loop device, causing the mapping of the mounted loop device to be invalidated. When creating the directory and creating the inode of iag in diReadSpecial(), read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the metapage data it returns is corrupted, which causes the nlink value of 0 to be assigned to the iag inode when executing copy_from_dinode(), which ultimately causes a deadlock when entering diFree(). To avoid this, first check the nlink value of dinode before setting iag inode. [1] WARNING: possible recursive locking detected 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted -------------------------------------------- syz-executor301/5309 is trying to acquire lock: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889 but task is already holding lock: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(imap->im_aglock[index])); lock(&(imap->im_aglock[index])); *** DEADLOCK *** May be due to missing lock nesting notation 5 locks held by syz-executor301/5309: #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline] #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026 #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline] #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline] #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline] #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline] #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669 stack backtrace: CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037 check_deadlock kernel/locking/lockdep.c:3089 [inline] validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825 __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752 diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889 jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156 evict+0x4e8/0x9b0 fs/inode.c:725 diFreeSpecial fs/jfs/jfs_imap.c:552 [inline] duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022 diNewIAG fs/jfs/jfs_imap.c:2597 [inline] diAllocExt fs/jfs/jfs_imap.c:1905 [inline] diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669 diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590 ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56 jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 do_mkdirat+0x264/0x3a0 fs/namei.c:4280 __do_sys_mkdirat fs/namei.c:4295 [inline] __se_sys_mkdirat fs/namei.c:4293 [inline] __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293 do_syscall_x64 arch/x86/en ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37741.html
CVE-2025-37741
https://bugzilla.suse.com/1243015
SUSE Bug 1243015

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of imap allocated in the diMount() function syzbot reports that hex_dump_to_buffer is using uninit-value: ===================================================== BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876 jfs_evict_inode+0x510/0x550 fs/jfs/inode.c:156 evict+0x723/0xd10 fs/inode.c:796 iput_final fs/inode.c:1946 [inline] iput+0x97b/0xdb0 fs/inode.c:1972 txUpdateMap+0xf3e/0x1150 fs/jfs/jfs_txnmgr.c:2367 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x627/0x11d0 fs/jfs/jfs_txnmgr.c:2733 kthread+0x6b9/0xef0 kernel/kthread.c:464 ret_from_fork+0x6d/0x90 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Uninit was created at: slab_post_alloc_hook mm/slub.c:4121 [inline] slab_alloc_node mm/slub.c:4164 [inline] __kmalloc_cache_noprof+0x8e3/0xdf0 mm/slub.c:4320 kmalloc_noprof include/linux/slab.h:901 [inline] diMount+0x61/0x7f0 fs/jfs/jfs_imap.c:105 jfs_mount+0xa8e/0x11d0 fs/jfs/jfs_mount.c:176 jfs_fill_super+0xa47/0x17c0 fs/jfs/super.c:523 get_tree_bdev_flags+0x6ec/0x910 fs/super.c:1636 get_tree_bdev+0x37/0x50 fs/super.c:1659 jfs_get_tree+0x34/0x40 fs/jfs/super.c:635 vfs_get_tree+0xb1/0x5a0 fs/super.c:1814 do_new_mount+0x71f/0x15e0 fs/namespace.c:3560 path_mount+0x742/0x1f10 fs/namespace.c:3887 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount+0x71f/0x800 fs/namespace.c:4088 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4088 x64_sys_call+0x39bf/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ===================================================== The reason is that imap is not properly initialized after memory allocation. It will cause the snprintf() function to write uninitialized data into linebuf within hex_dump_to_buffer(). Fix this by using kzalloc instead of kmalloc to clear its content at the beginning in diMount().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37742.html
CVE-2025-37742
https://bugzilla.suse.com/1243011
SUSE Bug 1243011

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid memory leak while enabling statistics Driver uses monitor destination rings for extended statistics mode and standalone monitor mode. In extended statistics mode, TLVs are parsed from the buffer received from the monitor destination ring and assigned to the ppdu_info structure to update per-packet statistics. In standalone monitor mode, along with per-packet statistics, the packet data (payload) is captured, and the driver updates per MSDU to mac80211. When the AP interface is enabled, only extended statistics mode is activated. As part of enabling monitor rings for collecting statistics, the driver subscribes to HAL_RX_MPDU_START TLV in the filter configuration. This TLV is received from the monitor destination ring, and kzalloc for the mon_mpdu object occurs, which is not freed, leading to a memory leak. The kzalloc for the mon_mpdu object is only required while enabling the standalone monitor interface. This causes a memory leak while enabling extended statistics mode in the driver. Fix this memory leak by removing the kzalloc for the mon_mpdu object in the HAL_RX_MPDU_START TLV handling. Additionally, remove the standalone monitor mode handlings in the HAL_MON_BUF_ADDR and HAL_RX_MSDU_END TLVs. These TLV tags will be handled properly when enabling standalone monitor mode in the future. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37743.html
CVE-2025-37743
https://bugzilla.suse.com/1242163
SUSE Bug 1242163

Описание

In the Linux kernel, the following vulnerability has been resolved: perf: Fix hang while freeing sigtrap event Perf can hang while freeing a sigtrap event if a related deferred signal hadn't managed to be sent before the file got closed: perf_event_overflow() task_work_add(perf_pending_task) fput() task_work_add(____fput()) task_work_run() ____fput() perf_release() perf_event_release_kernel() _free_event() perf_pending_task_sync() task_work_cancel() -> FAILED rcuwait_wait_event() Once task_work_run() is running, the list of pending callbacks is removed from the task_struct and from this point on task_work_cancel() can't remove any pending and not yet started work items, hence the task_work_cancel() failure and the hang on rcuwait_wait_event(). Task work could be changed to remove one work at a time, so a work running on the current task can always cancel a pending one, however the wait / wake design is still subject to inverted dependencies when remote targets are involved, as pictured by Oleg: T1 T2 fd = perf_event_open(pid => T2->pid); fd = perf_event_open(pid => T1->pid); close(fd) close(fd) <IRQ> <IRQ> perf_event_overflow() perf_event_overflow() task_work_add(perf_pending_task) task_work_add(perf_pending_task) </IRQ> </IRQ> fput() fput() task_work_add(____fput()) task_work_add(____fput()) task_work_run() task_work_run() ____fput() ____fput() perf_release() perf_release() perf_event_release_kernel() perf_event_release_kernel() _free_event() _free_event() perf_pending_task_sync() perf_pending_task_sync() rcuwait_wait_event() rcuwait_wait_event() Therefore the only option left is to acquire the event reference count upon queueing the perf task work and release it from the task work, just like it was done before 3a5465418f5f ("perf: Fix event leak upon exec and file release") but without the leaks it fixed. Some adjustments are necessary to make it work: * A child event might dereference its parent upon freeing. Care must be taken to release the parent last. * Some places assuming the event doesn't have any reference held and therefore can be freed right away must instead put the reference and let the reference counting to its job.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37747.html
CVE-2025-37747
https://bugzilla.suse.com/1242520
SUSE Bug 1242520

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37752.html
CVE-2025-37752
https://bugzilla.suse.com/1242504
SUSE Bug 1242504
https://bugzilla.suse.com/1245776
SUSE Bug 1245776

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/i915/huc: Fix fence not released on early probe errors HuC delayed loading fence, introduced with commit 27536e03271da ("drm/i915/huc: track delayed HuC load with a fence"), is registered with object tracker early on driver probe but unregistered only from driver remove, which is not called on early probe errors. Since its memory is allocated under devres, then released anyway, it may happen to be allocated again to the fence and reused on future driver probes, resulting in kernel warnings that taint the kernel: <4> [309.731371] ------------[ cut here ]------------ <3> [309.731373] ODEBUG: init destroyed (active state 0) object: ffff88813d7dd2e0 object type: i915_sw_fence hint: sw_fence_dummy_notify+0x0/0x20 [i915] <4> [309.731575] WARNING: CPU: 2 PID: 3161 at lib/debugobjects.c:612 debug_print_object+0x93/0xf0 ... <4> [309.731693] CPU: 2 UID: 0 PID: 3161 Comm: i915_module_loa Tainted: G U 6.14.0-CI_DRM_16362-gf0fd77956987+ #1 ... <4> [309.731700] RIP: 0010:debug_print_object+0x93/0xf0 ... <4> [309.731728] Call Trace: <4> [309.731730] <TASK> ... <4> [309.731949] __debug_object_init+0x17b/0x1c0 <4> [309.731957] debug_object_init+0x34/0x50 <4> [309.732126] __i915_sw_fence_init+0x34/0x60 [i915] <4> [309.732256] intel_huc_init_early+0x4b/0x1d0 [i915] <4> [309.732468] intel_uc_init_early+0x61/0x680 [i915] <4> [309.732667] intel_gt_common_init_early+0x105/0x130 [i915] <4> [309.732804] intel_root_gt_init_early+0x63/0x80 [i915] <4> [309.732938] i915_driver_probe+0x1fa/0xeb0 [i915] <4> [309.733075] i915_pci_probe+0xe6/0x220 [i915] <4> [309.733198] local_pci_probe+0x44/0xb0 <4> [309.733203] pci_device_probe+0xf4/0x270 <4> [309.733209] really_probe+0xee/0x3c0 <4> [309.733215] __driver_probe_device+0x8c/0x180 <4> [309.733219] driver_probe_device+0x24/0xd0 <4> [309.733223] __driver_attach+0x10f/0x220 <4> [309.733230] bus_for_each_dev+0x7d/0xe0 <4> [309.733236] driver_attach+0x1e/0x30 <4> [309.733239] bus_add_driver+0x151/0x290 <4> [309.733244] driver_register+0x5e/0x130 <4> [309.733247] __pci_register_driver+0x7d/0x90 <4> [309.733251] i915_pci_register_driver+0x23/0x30 [i915] <4> [309.733413] i915_init+0x34/0x120 [i915] <4> [309.733655] do_one_initcall+0x62/0x3f0 <4> [309.733667] do_init_module+0x97/0x2a0 <4> [309.733671] load_module+0x25ff/0x2890 <4> [309.733688] init_module_from_file+0x97/0xe0 <4> [309.733701] idempotent_init_module+0x118/0x330 <4> [309.733711] __x64_sys_finit_module+0x77/0x100 <4> [309.733715] x64_sys_call+0x1f37/0x2650 <4> [309.733719] do_syscall_64+0x91/0x180 <4> [309.733763] entry_SYSCALL_64_after_hwframe+0x76/0x7e <4> [309.733792] </TASK> ... <4> [309.733806] ---[ end trace 0000000000000000 ]--- That scenario is most easily reproducible with igt@i915_module_load@reload-with-fault-injection. Fix the issue by moving the cleanup step to driver release path. (cherry picked from commit 795dbde92fe5c6996a02a5b579481de73035e7bf)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37754.html
CVE-2025-37754
https://bugzilla.suse.com/1242524
SUSE Bug 1242524

Описание

In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled we'd need to wait for all packets to be _acked_. Disconnect is not commonly used, disallow it. The immediate problem syzbot run into is the warning in the strp, but that's just the easiest bug to trigger: WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486 Call Trace: <TASK> tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363 tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043 inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678 sock_recvmsg_nosec net/socket.c:1023 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1045 __sys_recvfrom+0x202/0x380 net/socket.c:2237

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37756.html
CVE-2025-37756
https://bugzilla.suse.com/1242515
SUSE Bug 1242515

Описание

In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded, tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to memory leak and failure when a skb is allocated. This commit fixes this issue by purging the skb list before tipc_link_xmit() returns.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37757.html
CVE-2025-37757
https://bugzilla.suse.com/1242521
SUSE Bug 1242521

Описание

In the Linux kernel, the following vulnerability has been resolved: ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does not check for this case, which can result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37758.html
CVE-2025-37758
https://bugzilla.suse.com/1242514
SUSE Bug 1242514

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix an out-of-bounds shift when invalidating TLB When the size of the range invalidated is larger than rounddown_pow_of_two(ULONG_MAX), The function macro roundup_pow_of_two(length) will hit an out-of-bounds shift [1]. Use a full TLB invalidation for such cases. v2: - Use a define for the range size limit over which we use a full TLB invalidation. (Lucas) - Use a better calculation of the limit. [1]: [ 39.202421] ------------[ cut here ]------------ [ 39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 [ 39.202673] shift exponent 64 is too large for 64-bit type 'long unsigned int' [ 39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G U 6.14.0+ #10 [ 39.202690] Tainted: [U]=USER [ 39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023 [ 39.202691] Call Trace: [ 39.202692] <TASK> [ 39.202695] dump_stack_lvl+0x6e/0xa0 [ 39.202699] ubsan_epilogue+0x5/0x30 [ 39.202701] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6 [ 39.202705] xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe] [ 39.202800] ? find_held_lock+0x2b/0x80 [ 39.202803] ? mark_held_locks+0x40/0x70 [ 39.202806] xe_svm_invalidate+0x459/0x700 [xe] [ 39.202897] drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm] [ 39.202900] __mmu_notifier_release+0x1f5/0x270 [ 39.202905] exit_mmap+0x40e/0x450 [ 39.202912] __mmput+0x45/0x110 [ 39.202914] exit_mm+0xc5/0x130 [ 39.202916] do_exit+0x21c/0x500 [ 39.202918] ? lockdep_hardirqs_on_prepare+0xdb/0x190 [ 39.202920] do_group_exit+0x36/0xa0 [ 39.202922] get_signal+0x8f8/0x900 [ 39.202926] arch_do_signal_or_restart+0x35/0x100 [ 39.202930] syscall_exit_to_user_mode+0x1fc/0x290 [ 39.202932] do_syscall_64+0xa1/0x180 [ 39.202934] ? do_user_addr_fault+0x59f/0x8a0 [ 39.202937] ? lock_release+0xd2/0x2a0 [ 39.202939] ? do_user_addr_fault+0x5a9/0x8a0 [ 39.202942] ? trace_hardirqs_off+0x4b/0xc0 [ 39.202944] ? clear_bhb_loop+0x25/0x80 [ 39.202946] ? clear_bhb_loop+0x25/0x80 [ 39.202947] ? clear_bhb_loop+0x25/0x80 [ 39.202950] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 39.202952] RIP: 0033:0x7fa945e543e1 [ 39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7. [ 39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293 [ 39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3 [ 39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff [ 39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0 [ 39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 [ 39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000 [ 39.202970] </TASK> [ 39.202970] ---[ end trace ]--- (cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37761.html
CVE-2025-37761
https://bugzilla.suse.com/1242724
SUSE Bug 1242724

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: take paired job reference For paired jobs, have the fragment job take a reference on the geometry job, so that the geometry job cannot be freed until the fragment job has finished with it. The geometry job structure is accessed when the fragment job is being prepared by the GPU scheduler. Taking the reference prevents the geometry job being freed until the fragment job no longer requires it. Fixes a use after free bug detected by KASAN: [ 124.256386] BUG: KASAN: slab-use-after-free in pvr_queue_prepare_job+0x108/0x868 [powervr] [ 124.264893] Read of size 1 at addr ffff0000084cb960 by task kworker/u16:4/63

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37763.html
CVE-2025-37763
https://bugzilla.suse.com/1242508
SUSE Bug 1242508

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: fix firmware memory leaks Free the memory used to hold the results of firmware image processing when the module is unloaded. Fix the related issue of the same memory being leaked if processing of the firmware image fails during module load. Ensure all firmware GEM objects are destroyed if firmware image processing fails. Fixes memory leaks on powervr module unload detected by Kmemleak: unreferenced object 0xffff000042e20000 (size 94208): comm "modprobe", pid 470, jiffies 4295277154 hex dump (first 32 bytes): 02 ae 7f ed bf 45 84 00 3c 5b 1f ed 9f 45 45 05 .....E..<[...EE. d5 4f 5d 14 6c 00 3d 23 30 d0 3a 4a 66 0e 48 c8 .O].l.=#0.:Jf.H. backtrace (crc dd329dec): kmemleak_alloc+0x30/0x40 ___kmalloc_large_node+0x140/0x188 __kmalloc_large_node_noprof+0x2c/0x13c __kmalloc_noprof+0x48/0x4c0 pvr_fw_init+0xaa4/0x1f50 [powervr] unreferenced object 0xffff000042d20000 (size 20480): comm "modprobe", pid 470, jiffies 4295277154 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 09 00 00 00 0b 00 00 00 ................ 00 00 00 00 00 00 00 00 07 00 00 00 08 00 00 00 ................ backtrace (crc 395b02e3): kmemleak_alloc+0x30/0x40 ___kmalloc_large_node+0x140/0x188 __kmalloc_large_node_noprof+0x2c/0x13c __kmalloc_noprof+0x48/0x4c0 pvr_fw_init+0xb0c/0x1f50 [powervr]

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37764.html
CVE-2025-37764
https://bugzilla.suse.com/1242577
SUSE Bug 1242577

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix ttm_bo_delayed_delete oops Fix an oops in ttm_bo_delayed_delete which results from dererencing a dangling pointer: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216 Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024 Workqueue: ttm ttm_bo_delayed_delete [ttm] RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290 Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x26 ? die_addr+0x3d/0x70 ? exc_general_protection+0x159/0x460 ? asm_exc_general_protection+0x27/0x30 ? dma_resv_iter_first_unlocked+0x55/0x290 dma_resv_wait_timeout+0x56/0x100 ttm_bo_delayed_delete+0x69/0xb0 [ttm] process_one_work+0x217/0x5c0 worker_thread+0x1c8/0x3d0 ? apply_wqattrs_cleanup.part.0+0xc0/0xc0 kthread+0x10b/0x240 ? kthreads_online_cpu+0x140/0x140 ret_from_fork+0x40/0x70 ? kthreads_online_cpu+0x140/0x140 ret_from_fork_asm+0x11/0x20 </TASK> The cause of this is: - drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the reference to the shared dma_buf. The reference count is 0, so the dma_buf is destroyed, which in turn decrements the corresponding amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed - calling drm_gem_object_release then dma_resv_fini (which destroys the reservation object), then finally freeing the amdgpu_bo. - nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory formerly allocated to the amdgpu_bo. - nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls ttm_bo_release, which schedules ttm_bo_delayed_delete. - ttm_bo_delayed_delete runs and dereferences the dangling resv pointer, resulting in a general protection fault. Fix this by moving the drm_prime_gem_destroy call from nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will be run after ttm_bo_delayed_delete.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37765.html
CVE-2025-37765
https://bugzilla.suse.com/1242761
SUSE Bug 1242761

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37766.html
CVE-2025-37766
https://bugzilla.suse.com/1242785
SUSE Bug 1242785

Описание

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37767.html
CVE-2025-37767
https://bugzilla.suse.com/1242501
SUSE Bug 1242501

Описание

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37768.html
CVE-2025-37768
https://bugzilla.suse.com/1242567
SUSE Bug 1242567

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm/smu11: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE. (cherry picked from commit da7dc714a8f8e1c9fc33c57cd63583779a3bef71)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37769.html
CVE-2025-37769
https://bugzilla.suse.com/1242587
SUSE Bug 1242587

Описание

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37770.html
CVE-2025-37770
https://bugzilla.suse.com/1242764
SUSE Bug 1242764

Описание

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37771.html
CVE-2025-37771
https://bugzilla.suse.com/1242781
SUSE Bug 1242781

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix workqueue crash in cma_netevent_work_handler struct rdma_cm_id has member "struct work_struct net_work" that is reused for enqueuing cma_netevent_work_handler()s onto cma_wq. Below crash[1] can occur if more than one call to cma_netevent_callback() occurs in quick succession, which further enqueues cma_netevent_work_handler()s for the same rdma_cm_id, overwriting any previously queued work-item(s) that was just scheduled to run i.e. there is no guarantee the queued work item may run between two successive calls to cma_netevent_callback() and the 2nd INIT_WORK would overwrite the 1st work item (for the same rdma_cm_id), despite grabbing id_table_lock during enqueue. Also drgn analysis [2] indicates the work item was likely overwritten. Fix this by moving the INIT_WORK() to __rdma_create_id(), so that it doesn't race with any existing queue_work() or its worker thread. [1] Trimmed crash stack: ============================================= BUG: kernel NULL pointer dereference, address: 0000000000000008 kworker/u256:6 ... 6.12.0-0... Workqueue: cma_netevent_work_handler [rdma_cm] (rdma_cm) RIP: 0010:process_one_work+0xba/0x31a Call Trace: worker_thread+0x266/0x3a0 kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 ============================================= [2] drgn crash analysis: >>> trace = prog.crashed_thread().stack_trace() >>> trace (0) crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15) (1) __crash_kexec (kernel/crash_core.c:122:4) (2) panic (kernel/panic.c:399:3) (3) oops_end (arch/x86/kernel/dumpstack.c:382:3) ... (8) process_one_work (kernel/workqueue.c:3168:2) (9) process_scheduled_works (kernel/workqueue.c:3310:3) (10) worker_thread (kernel/workqueue.c:3391:4) (11) kthread (kernel/kthread.c:389:9) Line workqueue.c:3168 for this kernel version is in process_one_work(): 3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); >>> trace[8]["work"] *(struct work_struct *)0xffff92577d0a21d8 = { .data = (atomic_long_t){ .counter = (s64)536870912, <=== Note }, .entry = (struct list_head){ .next = (struct list_head *)0xffff924d075924c0, .prev = (struct list_head *)0xffff924d075924c0, }, .func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280, } Suspicion is that pwq is NULL: >>> trace[8]["pwq"] (struct pool_workqueue *)<absent> In process_one_work(), pwq is assigned from: struct pool_workqueue *pwq = get_work_pwq(work); and get_work_pwq() is: static struct pool_workqueue *get_work_pwq(struct work_struct *work) { unsigned long data = atomic_long_read(&work->data); if (data & WORK_STRUCT_PWQ) return work_struct_pwq(data); else return NULL; } WORK_STRUCT_PWQ is 0x4: >>> print(repr(prog['WORK_STRUCT_PWQ'])) Object(prog, 'enum work_flags', value=4) But work->data is 536870912 which is 0x20000000. So, get_work_pwq() returns NULL and we crash in process_one_work(): 3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); =============================================

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37772.html
CVE-2025-37772
https://bugzilla.suse.com/1242563
SUSE Bug 1242563

Описание

In the Linux kernel, the following vulnerability has been resolved: i2c: cros-ec-tunnel: defer probe if parent EC is not present When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent device will not be found, leading to NULL pointer dereference. That can also be reproduced by unbinding the controller driver and then loading i2c-cros-ec-tunnel module (or binding the device). [ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 271.998215] #PF: supervisor read access in kernel mode [ 272.003351] #PF: error_code(0x0000) - not-present page [ 272.008485] PGD 0 P4D 0 [ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI [ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5 [ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC [ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021 [ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel] [ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9 [ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282 [ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000 [ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00 [ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000 [ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000 [ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10 [ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000 [ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0 [ 272.129155] Call Trace: [ 272.131606] <TASK> [ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110 [ 272.137985] platform_probe+0x69/0xa0 [ 272.141652] really_probe+0x152/0x310 [ 272.145318] __driver_probe_device+0x77/0x110 [ 272.149678] driver_probe_device+0x1e/0x190 [ 272.153864] __driver_attach+0x10b/0x1e0 [ 272.157790] ? driver_attach+0x20/0x20 [ 272.161542] bus_for_each_dev+0x107/0x150 [ 272.165553] bus_add_driver+0x15d/0x270 [ 272.169392] driver_register+0x65/0x110 [ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698] [ 272.182617] do_one_initcall+0x110/0x350 [ 272.186543] ? security_kernfs_init_security+0x49/0xd0 [ 272.191682] ? __kernfs_new_node+0x1b9/0x240 [ 272.195954] ? security_kernfs_init_security+0x49/0xd0 [ 272.201093] ? __kernfs_new_node+0x1b9/0x240 [ 272.205365] ? kernfs_link_sibling+0x105/0x130 [ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0 [ 272.214773] ? kernfs_activate+0x57/0x70 [ 272.218699] ? kernfs_add_one+0x118/0x160 [ 272.222710] ? __kernfs_create_file+0x71/0xa0 [ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110 [ 272.232033] ? internal_create_group+0x453/0x4a0 [ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0 [ 272.241355] ? __free_frozen_pages+0x1dc/0x420 [ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0 [ 272.250505] ? load_module+0x1509/0x16f0 [ 272.254431] do_init_module+0x60/0x230 [ 272.258181] __se_sys_finit_module+0x27a/0x370 [ 272.262627] do_syscall_64+0x6a/0xf0 [ 272.266206] ? do_syscall_64+0x76/0xf0 [ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90 [ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 272.279887] RIP: 0033:0x7b9309168d39 [ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8 [ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000 ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37781.html
CVE-2025-37781
https://bugzilla.suse.com/1242575
SUSE Bug 1242575

Описание

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37782.html
CVE-2025-37782
https://bugzilla.suse.com/1242770
SUSE Bug 1242770

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: free routing table on probe failure If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path. After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequent function may fail. If that happens, the entire tree setup is in limbo: the first N-1 switches have successfully finished probing (doing nothing but having allocated persistent memory in the tree's dst->ports, and maybe dst->rtable), and switch N failed to probe, ending the tree setup process before anything is tangible from the user's PoV. If switch N fails to probe, its memory (ports) will be freed and removed from dst->ports. However, the dst->rtable elements pointing to its ports, as created by dsa_link_touch(), will remain there, and will lead to use-after-free if dereferenced. If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely possible because that is where ds->ops->setup() is, we get a kasan report like this: ================================================================== BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568 Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42 Call trace: __asan_report_load8_noabort+0x20/0x30 mv88e6xxx_setup_upstream_port+0x240/0x568 mv88e6xxx_setup+0xebc/0x1eb0 dsa_register_switch+0x1af4/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 Allocated by task 42: __kasan_kmalloc+0x84/0xa0 __kmalloc_cache_noprof+0x298/0x490 dsa_switch_touch_ports+0x174/0x3d8 dsa_register_switch+0x800/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 Freed by task 42: __kasan_slab_free+0x48/0x68 kfree+0x138/0x418 dsa_register_switch+0x2694/0x2ae0 mv88e6xxx_register_switch+0x1b8/0x2a8 mv88e6xxx_probe+0xc4c/0xf60 mdio_probe+0x78/0xb8 really_probe+0x2b8/0x5a8 __driver_probe_device+0x164/0x298 driver_probe_device+0x78/0x258 __device_attach_driver+0x274/0x350 The simplest way to fix the bug is to delete the routing table in its entirety. dsa_tree_setup_routing_table() has no problem in regenerating it even if we deleted links between ports other than those of switch N, because dsa_link_touch() first checks whether the port pair already exists in dst->rtable, allocating if not. The deletion of the routing table in its entirety already exists in dsa_tree_teardown(), so refactor that into a function that can also be called from the tree setup error path. In my analysis of the commit to blame, it is the one which added dsa_link elements to dst->rtable. Prior to that, each switch had its own ds->rtable which is freed when the switch fails to probe. But the tree is potentially persistent memory.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37786.html
CVE-2025-37786
https://bugzilla.suse.com/1242725
SUSE Bug 1242725

Описание

In the Linux kernel, the following vulnerability has been resolved: cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path In the for loop used to allocate the loc_array and bmap for each port, a memory leak is possible when the allocation for loc_array succeeds, but the allocation for bmap fails. This is because when the control flow goes to the label free_eth_finfo, only the allocations starting from (i-1)th iteration are freed. Fix that by freeing the loc_array in the bmap allocation error path.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37788.html
CVE-2025-37788
https://bugzilla.suse.com/1242766
SUSE Bug 1242766

Описание

In the Linux kernel, the following vulnerability has been resolved: ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct size of rpl is sizeof(*rpl) which should be just 1 byte. Using the pointer size instead can cause stack corruption: Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ethtool_cmis_wait_for_cond+0xf4/0x100 CPU: 72 UID: 0 PID: 4440 Comm: kworker/72:2 Kdump: loaded Tainted: G OE 6.11.0 #24 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. PowerEdge R760/04GWWM, BIOS 1.6.6 09/20/2023 Workqueue: events module_flash_fw_work Call Trace: <TASK> panic+0x339/0x360 ? ethtool_cmis_wait_for_cond+0xf4/0x100 ? __pfx_status_success+0x10/0x10 ? __pfx_status_fail+0x10/0x10 __stack_chk_fail+0x10/0x10 ethtool_cmis_wait_for_cond+0xf4/0x100 ethtool_cmis_cdb_execute_cmd+0x1fc/0x330 ? __pfx_status_fail+0x10/0x10 cmis_cdb_module_features_get+0x6d/0xd0 ethtool_cmis_cdb_init+0x8a/0xd0 ethtool_cmis_fw_update+0x46/0x1d0 module_flash_fw_work+0x17/0xa0 process_one_work+0x179/0x390 worker_thread+0x239/0x340 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK>

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37791.html
CVE-2025-37791
https://bugzilla.suse.com/1242729
SUSE Bug 1242729

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: Prevent potential NULL dereference The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37792.html
CVE-2025-37792
https://bugzilla.suse.com/1242591
SUSE Bug 1242591

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix null-ptr-deref in avs_component_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, avs_component_probe() does not check for this case, which results in a NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37793.html
CVE-2025-37793
https://bugzilla.suse.com/1242584
SUSE Bug 1242584

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Purge vif txq in ieee80211_do_stop() After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state. Because vif.drv_priv is now cleared in this function, this could lead to driver crash. For example in ath12k, ahvif is store in vif.drv_priv. Thus if ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to trigger the NULL deref below. Unable to handle kernel paging request at virtual address dfffffc000000001 KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] batman_adv: bat0: Interface deactivated: brbh1337 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfffffc000000001] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114 Hardware name: HW (DT) pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k] sp : ffffffc086ace450 x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4 x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0 x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958 x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8 x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03 x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40 x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0 x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001 x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008 Call trace: ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P) ieee80211_handle_wake_tx_queue+0x16c/0x260 ieee80211_queue_skb+0xeec/0x1d20 ieee80211_tx+0x200/0x2c8 ieee80211_xmit+0x22c/0x338 __ieee80211_subif_start_xmit+0x7e8/0xc60 ieee80211_subif_start_xmit+0xc4/0xee0 __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0 ieee80211_subif_start_xmit_8023+0x124/0x488 dev_hard_start_xmit+0x160/0x5a8 __dev_queue_xmit+0x6f8/0x3120 br_dev_queue_push_xmit+0x120/0x4a8 __br_forward+0xe4/0x2b0 deliver_clone+0x5c/0xd0 br_flood+0x398/0x580 br_dev_xmit+0x454/0x9f8 dev_hard_start_xmit+0x160/0x5a8 __dev_queue_xmit+0x6f8/0x3120 ip6_finish_output2+0xc28/0x1b60 __ip6_finish_output+0x38c/0x638 ip6_output+0x1b4/0x338 ip6_local_out+0x7c/0xa8 ip6_send_skb+0x7c/0x1b0 ip6_push_pending_frames+0x94/0xd0 rawv6_sendmsg+0x1a98/0x2898 inet_sendmsg+0x94/0xe0 __sys_sendto+0x1e4/0x308 __arm64_sys_sendto+0xc4/0x140 do_el0_svc+0x110/0x280 el0_svc+0x20/0x60 el0t_64_sync_handler+0x104/0x138 el0t_64_sync+0x154/0x158 To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could be dequeued after ieee80211_do_stop() (new packets cannot be queued because SDATA_STATE_RUNNING is cleared at this point).

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37794.html
CVE-2025-37794
https://bugzilla.suse.com/1242566
SUSE Bug 1242566

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37796.html
CVE-2025-37796
https://bugzilla.suse.com/1242727
SUSE Bug 1242727

Описание

In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37798.html
CVE-2025-37798
https://bugzilla.suse.com/1242414
SUSE Bug 1242414
https://bugzilla.suse.com/1242417
SUSE Bug 1242417

Описание

In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential NULL pointer dereference in dev_uevent() If userspace reads "uevent" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it. Use WRITE_ONCE() when setting the driver pointer to ensure there is no tearing.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37800.html
CVE-2025-37800
https://bugzilla.suse.com/1242849
SUSE Bug 1242849

Описание

In the Linux kernel, the following vulnerability has been resolved: spi: spi-imx: Add check for spi_imx_setupxfer() Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: 0x0 spi_imx_pio_transfer+0x50/0xd8 spi_imx_transfer_one+0x18c/0x858 spi_transfer_one_message+0x43c/0x790 __spi_pump_transfer_message+0x238/0x5d4 __spi_sync+0x2b0/0x454 spi_write_then_read+0x11c/0x200

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37801.html
CVE-2025-37801
https://bugzilla.suse.com/1242850
SUSE Bug 1242850

Описание

In the Linux kernel, the following vulnerability has been resolved: sound/virtio: Fix cancel_sync warnings on uninitialized work_structs Betty reported hitting the following warning: [ 8.709131][ T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182 ... [ 8.713282][ T221] Call trace: [ 8.713365][ T221] __flush_work+0x8d0/0x914 [ 8.713468][ T221] __cancel_work_sync+0xac/0xfc [ 8.713570][ T221] cancel_work_sync+0x24/0x34 [ 8.713667][ T221] virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] [ 8.713868][ T221] virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] [ 8.714035][ T221] virtio_dev_probe+0x28c/0x390 [ 8.714139][ T221] really_probe+0x1bc/0x4c8 ... It seems we're hitting the error path in virtsnd_probe(), which triggers a virtsnd_remove() which iterates over the substreams calling cancel_work_sync() on the elapsed_period work_struct. Looking at the code, from earlier in: virtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg() We set snd->nsubstreams, allocate the snd->substreams, and if we then hit an error on the info allocation or something in virtsnd_ctl_query_info() fails, we will exit without having initialized the elapsed_period work_struct. When that error path unwinds we then call virtsnd_remove() which as long as the substreams array is allocated, will iterate through calling cancel_work_sync() on the uninitialized work struct hitting this warning. Takashi Iwai suggested this fix, which initializes the substreams structure right after allocation, so that if we hit the error paths we avoid trying to cleanup uninitialized data. Note: I have not yet managed to reproduce the issue myself, so this patch has had limited testing. Feedback or thoughts would be appreciated!

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37805.html
CVE-2025-37805
https://bugzilla.suse.com/1242930
SUSE Bug 1242930

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: check that event count does not exceed event buffer length The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0x114/0x180 lr : dwc3_check_event_buf+0xec/0x348 x3 : 0000000000000030 x2 : 000000000000dfc4 x1 : ffffffc0129be000 x0 : ffffff87aad60080 Call trace: __memcpy+0x114/0x180 dwc3_interrupt+0x24/0x34

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37810.html
CVE-2025-37810
https://bugzilla.suse.com/1242906
SUSE Bug 1242906

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: ci_hdrc_imx: fix usbmisc handling usbmisc is an optional device property so it is totally valid for the corresponding data->usbmisc_data to have a NULL value. Check that before dereferencing the pointer. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37811.html
CVE-2025-37811
https://bugzilla.suse.com/1242907
SUSE Bug 1242907

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: Fix deadlock when using NCM gadget The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using "iperf --bidir" over NCM ethernet link. The deadlock occurs because the threaded interrupt handler gets preempted by a softirq, but both are protected by the same spinlock. Prevent deadlock by disabling softirq during threaded irq handler.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37812.html
CVE-2025-37812
https://bugzilla.suse.com/1242908
SUSE Bug 1242908

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix invalid pointer dereference in Etron workaround This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called. Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well. Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result. Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37813.html
CVE-2025-37813
https://bugzilla.suse.com/1242909
SUSE Bug 1242909

Описание

In the Linux kernel, the following vulnerability has been resolved: tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT This requirement was overeagerly loosened in commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as it turns out, (1) the logic I implemented there was inconsistent (apologies!), (2) TIOCL_SELMOUSEREPORT might actually be a small security risk after all, and (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN already. In more detail: 1. The previous patch has inconsistent logic: In commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), we checked for sel_mode == TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of this "mode" parameter were actually used as an additional way to pass an argument. So the patch did actually still require CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not require it if none of the mouse buttons bits are set. This logic is inconsistent and was not intentional. We should have the same policies for using TIOCL_SELMOUSEREPORT independent of the value of the "hidden" mouse button argument. I sent a separate documentation patch to the man page list with more details on TIOCL_SELMOUSEREPORT: https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/ 2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can let an attacker simulate "keyboard" input to command line applications on the same terminal, like TIOCSTI and some other TIOCLINUX "selection mode" IOCTLs. By enabling mouse reporting on a terminal and then injecting mouse reports through TIOCL_SELMOUSEREPORT, an attacker can simulate mouse movements on the same terminal, similar to the TIOCSTI keystroke injection attacks that were previously possible with TIOCSTI and other TIOCL_SETSEL selection modes. Many programs (including libreadline/bash) are then prone to misinterpret these mouse reports as normal keyboard input because they do not expect input in the X11 mouse protocol form. The attacker does not have complete control over the escape sequence, but they can at least control the values of two consecutive bytes in the binary mouse reporting escape sequence. I went into more detail on that in the discussion at https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/ It is not equally trivial to simulate arbitrary keystrokes as it was with TIOCSTI (commit 83efeeeb3d04 ("tty: Allow TIOCSTI to be disabled")), but the general mechanism is there, and together with the small number of existing legit use cases (see below), it would be better to revert back to requiring CAP_SYS_ADMIN for TIOCL_SELMOUSEREPORT, as it was already the case before commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"). 3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or Consolation), and they are the only legit use case: To quote console_codes(4): The mouse tracking facility is intended to return xterm(1)-compatible mouse status reports. Because the console driver has no way to know the device or type of the mouse, these reports are returned in the console input stream only when the virtual terminal driver receives a mouse update ioctl. These ioctls must be generated by a mouse-aware user-mode application such as the gpm(8) daemon. Jared Finder has also confirmed in https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/ that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it would be difficult to find good reasons for doing that, given that it would interfere with the reports that GPM is sending. More information on the interaction between GPM, terminals and th ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37814.html
CVE-2025-37814
https://bugzilla.suse.com/1242865
SUSE Bug 1242865

Описание

In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration Resolve kernel panic while accessing IRQ handler associated with the generated IRQ. This is done by acquiring the spinlock and storing the current interrupt state before handling the interrupt request using generic_handle_irq. A previous fix patch was submitted where 'generic_handle_irq' was replaced with 'handle_nested_irq'. However, this change also causes the kernel panic where after determining which GPIO triggered the interrupt and attempting to call handle_nested_irq with the mapped IRQ number, leads to a failure in locating the registered handler.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37815.html
CVE-2025-37815
https://bugzilla.suse.com/1242871
SUSE Bug 1242871

Описание

In the Linux kernel, the following vulnerability has been resolved: mei: vsc: Fix fortify-panic caused by invalid counted_by() use gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] and the vsc-tp.c code is using this in a wrong way. len does not contain the available size in the buffer, it contains the actual packet length *without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to buf[] the fortify-panic handler gets triggered: [ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 [ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50 ... [ 80.843175] __fortify_panic+0x9/0xb [ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw] [ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110 [ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc] [ 80.843270] mei_reset+0x11d/0x420 [mei] The easiest fix would be to just drop the counted-by but with the exception of the ack buffer in vsc_tp_xfer_helper() which only contains enough room for the packet-header, all other uses of vsc_tp_packet always use a buffer of VSC_TP_MAX_XFER_SIZE bytes for the packet. Instead of just dropping the counted-by, split the vsc_tp_packet struct definition into a header and a full-packet definition and use a fixed size buf[] in the packet definition, this way fortify-source buffer overrun checking still works when enabled.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37816.html
CVE-2025-37816
https://bugzilla.suse.com/1242863
SUSE Bug 1242863

Описание

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger: Unable to handle kernel paging request at virtual address ffff8000816c0400 gicv2m_get_fwnode+0x0/0x58 (P) pci_set_bus_msi_domain+0x74/0x88 pci_register_host_bridge+0x194/0x548 This is easily reproducible on a Juno board with ACPI boot. Retain the function for later use.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37819.html
CVE-2025-37819
https://bugzilla.suse.com/1242873
SUSE Bug 1242873

Описание

In the Linux kernel, the following vulnerability has been resolved: PCI: Fix reference leak in pci_register_host_bridge() If device_register() fails, call put_device() to give up the reference to avoid a memory leak, per the comment at device_register(). Found by code review. [bhelgaas: squash Dan Carpenter's double free fix from https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37836.html
CVE-2025-37836
https://bugzilla.suse.com/1242957
SUSE Bug 1242957

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Two WARNINGs are observed when SMMU driver rolls back upon failure: arm-smmu-v3.9.auto: Failed to register iommu arm-smmu-v3.9.auto: probe with driver arm-smmu-v3 failed with error -22 ------------[ cut here ]------------ WARNING: CPU: 5 PID: 1 at kernel/dma/mapping.c:74 dmam_free_coherent+0xc0/0xd8 Call trace: dmam_free_coherent+0xc0/0xd8 (P) tegra241_vintf_free_lvcmdq+0x74/0x188 tegra241_cmdqv_remove_vintf+0x60/0x148 tegra241_cmdqv_remove+0x48/0xc8 arm_smmu_impl_remove+0x28/0x60 devm_action_release+0x1c/0x40 ------------[ cut here ]------------ 128 pages are still in use! WARNING: CPU: 16 PID: 1 at mm/page_alloc.c:6902 free_contig_range+0x18c/0x1c8 Call trace: free_contig_range+0x18c/0x1c8 (P) cma_release+0x154/0x2f0 dma_free_contiguous+0x38/0xa0 dma_direct_free+0x10c/0x248 dma_free_attrs+0x100/0x290 dmam_free_coherent+0x78/0xd8 tegra241_vintf_free_lvcmdq+0x74/0x160 tegra241_cmdqv_remove+0x98/0x198 arm_smmu_impl_remove+0x28/0x60 devm_action_release+0x1c/0x40 This is because the LVCMDQ queue memory are managed by devres, while that dmam_free_coherent() is called in the context of devm_action_release(). Jason pointed out that "arm_smmu_impl_probe() has mis-ordered the devres callbacks if ops->device_remove() is going to be manually freeing things that probe allocated": https://lore.kernel.org/linux-iommu/20250407174408.GB1722458@nvidia.com/ In fact, tegra241_cmdqv_init_structures() only allocates memory resources which means any failure that it generates would be similar to -ENOMEM, so there is no point in having that "falling back to standard SMMU" routine, as the standard SMMU would likely fail to allocate memory too. Remove the unwind part in tegra241_cmdqv_init_structures(), and return a proper error code to ask SMMU driver to call tegra241_cmdqv_remove() via impl_ops->device_remove(). Then, drop tegra241_vintf_free_lvcmdq() since devres will take care of that.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37837.html
CVE-2025-37837
https://bugzilla.suse.com/1242952
SUSE Bug 1242952

Описание

In the Linux kernel, the following vulnerability has been resolved: jbd2: remove wrong sb->s_sequence check Journal emptiness is not determined by sb->s_sequence == 0 but rather by sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a valid transaction ID so the check can spuriously trigger. Remove the invalid WARN_ON.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37839.html
CVE-2025-37839
https://bugzilla.suse.com/1242990
SUSE Bug 1242990

Описание

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: brcmnand: fix PM resume warning Fixed warning on PM resume as shown below caused due to uninitialized struct nand_operation that checks chip select field : WARN_ON(op->cs >= nanddev_ntargets(&chip->base) [ 14.588522] ------------[ cut here ]------------ [ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8 [ 14.588553] Modules linked in: bdc udc_core [ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16 [ 14.588590] Tainted: [W]=WARN [ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree) [ 14.588598] Call trace: [ 14.588604] dump_backtrace from show_stack+0x18/0x1c [ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c [ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c [ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c [ 14.588653] r5:c08d40b0 r4:c1003cb0 [ 14.588656] dump_stack from __warn+0x84/0xe4 [ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194 [ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000 [ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8 [ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048 [ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150 [ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040 [ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54 [ 14.588735] r5:00000010 r4:c0840a50 [ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c [ 14.588757] dpm_run_callback from device_resume+0xc0/0x324 [ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010 [ 14.588779] device_resume from dpm_resume+0x130/0x160 [ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0 [ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20 [ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414 [ 14.588826] r4:00000010 [ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8 [ 14.588848] r5:c228a414 r4:00000000 [ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc [ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000 [ 14.588871] r4:00000003 [ 14.588874] pm_suspend from state_store+0x74/0xd0 [ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003 [ 14.588892] state_store from kobj_attr_store+0x1c/0x28 [ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250 [ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c [ 14.588936] r5:c3502900 r4:c0d92a48 [ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0 [ 14.588956] r5:c3502900 r4:c3501f40 [ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420 [ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00 [ 14.588983] r4:c042a88c [ 14.588987] vfs_write from ksys_write+0x74/0xe4 [ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00 [ 14.589008] r4:c34f7f00 [ 14.589011] ksys_write from sys_write+0x10/0x14 [ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004 [ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c [ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0) [ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001 [ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78 [ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8 [ 14.589065] ---[ end trace 0000000000000000 ]--- The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when doing PM resume operation in compliance with the controller support for single die nand chip. Switching from nand_reset_op() to nan ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37840.html
CVE-2025-37840
https://bugzilla.suse.com/1242953
SUSE Bug 1242953

Описание

In the Linux kernel, the following vulnerability has been resolved: pm: cpupower: bench: Prevent NULL dereference on malloc failure If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37841.html
CVE-2025-37841
https://bugzilla.suse.com/1242974
SUSE Bug 1242974

Описание

In the Linux kernel, the following vulnerability has been resolved: cifs: avoid NULL pointer dereference in dbg call cifs_server_dbg() implies server to be non-NULL so move call under condition to avoid NULL pointer dereference. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37844.html
CVE-2025-37844
https://bugzilla.suse.com/1242946
SUSE Bug 1242946

Описание

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix deadlock in ivpu_ms_cleanup() Fix deadlock in ivpu_ms_cleanup() by preventing runtime resume after file_priv->ms_lock is acquired. During a failure in runtime resume, a cold boot is executed, which calls ivpu_ms_cleanup_all(). This function calls ivpu_ms_cleanup() that acquires file_priv->ms_lock and causes the deadlock.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37847.html
CVE-2025-37847
https://bugzilla.suse.com/1242947
SUSE Bug 1242947

Описание

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix PM related deadlocks in MS IOCTLs Prevent runtime resume/suspend while MS IOCTLs are in progress. Failed suspend will call ivpu_ms_cleanup() that would try to acquire file_priv->ms_lock, which is already held by the IOCTLs.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37848.html
CVE-2025-37848
https://bugzilla.suse.com/1242943
SUSE Bug 1242943

Описание

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Tear down vGIC on failed vCPU creation If kvm_arch_vcpu_create() fails to share the vCPU page with the hypervisor, we propagate the error back to the ioctl but leave the vGIC vCPU data initialised. Note only does this leak the corresponding memory when the vCPU is destroyed but it can also lead to use-after-free if the redistributor device handling tries to walk into the vCPU. Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the vGIC vCPU structures are destroyed on error.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37849.html
CVE-2025-37849
https://bugzilla.suse.com/1243000
SUSE Bug 1243000

Описание

In the Linux kernel, the following vulnerability has been resolved: pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() With CONFIG_COMPILE_TEST && !CONFIG_HAVE_CLK, pwm_mediatek_config() has a divide-by-zero in the following line: do_div(resolution, clk_get_rate(pc->clk_pwms[pwm->hwpwm])); due to the fact that the !CONFIG_HAVE_CLK version of clk_get_rate() returns zero. This is presumably just a theoretical problem: COMPILE_TEST overrides the dependency on RALINK which would select COMMON_CLK. Regardless it's a good idea to check for the error explicitly to avoid divide-by-zero. Fixes the following warning: drivers/pwm/pwm-mediatek.o: warning: objtool: .text: unexpected end of section [ukleinek: s/CONFIG_CLK/CONFIG_HAVE_CLK/]

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37850.html
CVE-2025-37850
https://bugzilla.suse.com/1242955
SUSE Bug 1242955

Описание

In the Linux kernel, the following vulnerability has been resolved: fbdev: omapfb: Add 'plane' value check Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB of the enum parameter plane. The value of this parameter is initialized in dss_init_overlays and in the current state of the code it cannot take this value so it's not a real problem. For the purposes of defensive coding it wouldn't be superfluous to check the parameter value, because some functions down the call stack process this value correctly and some not. For example, in dispc_ovl_setup_global_alpha it may lead to buffer overflow. Add check for this value. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37851.html
CVE-2025-37851
https://bugzilla.suse.com/1242977
SUSE Bug 1242977

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Add error handling to propagate amdgpu_cgs_create_device() failures to the caller. When amdgpu_cgs_create_device() fails, release hwmgr and return -ENOMEM to prevent null pointer dereference. [v1]->[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37852.html
CVE-2025-37852
https://bugzilla.suse.com/1243074
SUSE Bug 1243074

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: debugfs hang_hws skip GPU with MES debugfs hang_hws is used by GPU reset test with HWS, for MES this crash the kernel with NULL pointer access because dqm->packet_mgr is not setup for MES path. Skip GPU with MES for now, MES hang_hws debugfs interface will be supported later.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37853.html
CVE-2025-37853
https://bugzilla.suse.com/1243076
SUSE Bug 1243076

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix mode1 reset crash issue If HW scheduler hangs and mode1 reset is used to recover GPU, KFD signal user space to abort the processes. After process abort exit, user queues still use the GPU to access system memory before h/w is reset while KFD cleanup worker free system memory and free VRAM. There is use-after-free race bug that KFD allocate and reuse the freed system memory, and user queue write to the same system memory to corrupt the data structure and cause driver crash. To fix this race, KFD cleanup worker terminate user queues, then flush reset_domain wq to wait for any GPU ongoing reset complete, and then free outstanding BOs.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37854.html
CVE-2025-37854
https://bugzilla.suse.com/1243082
SUSE Bug 1243082

Описание

In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Prevent integer overflow in AG size calculation The JFS filesystem calculates allocation group (AG) size using 1 << l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB aggregates on 32-bit systems), this 32-bit shift operation causes undefined behavior and improper AG sizing. On 32-bit architectures: - Left-shifting 1 by 32+ bits results in 0 due to integer overflow - This creates invalid AG sizes (0 or garbage values) in sbi->bmap->db_agsize - Subsequent block allocations would reference invalid AG structures - Could lead to: - Filesystem corruption during extend operations - Kernel crashes due to invalid memory accesses - Security vulnerabilities via malformed on-disk structures Fix by casting to s64 before shifting: bmp->db_agsize = (s64)1 << l2agsize; This ensures 64-bit arithmetic even on 32-bit architectures. The cast matches the data type of db_agsize (s64) and follows similar patterns in JFS block calculation code. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37858.html
CVE-2025-37858
https://bugzilla.suse.com/1243049
SUSE Bug 1243049

Описание

In the Linux kernel, the following vulnerability has been resolved: page_pool: avoid infinite loop to schedule delayed worker We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes negative, it means we should not expect the whole page_pool to get back to work normally. This patch mitigates the adverse effect by not rescheduling the kworker when detecting the inflight negative in page_pool_release_retry(). [1] [Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ [Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages ... [Mon Feb 10 20:36:11 2025] Call Trace: [Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 [Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 [Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 [Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 [Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 [Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 [Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 [Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- Note: before this patch, the above calltrace would flood the dmesg due to repeated reschedule of release_dw kworker.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37859.html
CVE-2025-37859
https://bugzilla.suse.com/1243051
SUSE Bug 1243051

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue When the task management thread processes reply queues while the reset thread resets them, the task management thread accesses an invalid queue ID (0xFFFF), set by the reset thread, which points to unallocated memory, causing a crash. Add flag 'io_admin_reset_sync' to synchronize access between the reset, I/O, and admin threads. Before a reset, the reset handler sets this flag to block I/O and admin processing threads. If any thread bypasses the initial check, the reset thread waits up to 10 seconds for processing to finish. If the wait exceeds 10 seconds, the controller is marked as unrecoverable.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37861.html
CVE-2025-37861
https://bugzilla.suse.com/1243055
SUSE Bug 1243055

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: pidff: Fix null pointer dereference in pidff_find_fields This function triggered a null pointer dereference if used to search for a report that isn't implemented on the device. This happened both for optional and required reports alike. The same logic was applied to pidff_find_special_field and although pidff_init_fields should return an error earlier if one of the required reports is missing, future modifications could change this logic and resurface this possible null pointer dereference again. LKML bug report: https://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37862.html
CVE-2025-37862
https://bugzilla.suse.com/1242982
SUSE Bug 1242982

Описание

In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Russell King reports that on the ZII dev rev B, deleting a bridge VLAN from a user port fails with -ENOENT: https://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/ This comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put(), which tries to find an MST entry in &chip->msts associated with the SID, but fails and returns -ENOENT as such. But we know that this chip does not support MST at all, so that is not surprising. The question is why does the guard in mv88e6xxx_mst_put() not exit early: if (!sid) return 0; And the answer seems to be simple: the sid comes from vlan.sid which supposedly was previously populated by mv88e6xxx_vtu_get(). But some chip->info->ops->vtu_getnext() implementations do not populate vlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case, later in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is just residual stack memory. Testing for sid == 0 covers all cases of a non-bridge VLAN or a bridge VLAN mapped to the default MSTI. For some chips, SID 0 is valid and installed by mv88e6xxx_stu_setup(). A chip which does not support the STU would implicitly only support mapping all VLANs to the default MSTI, so although SID 0 is not valid, it would be sufficient, if we were to zero-initialize the vlan structure, to fix the bug, due to the coincidence that a test for vlan.sid == 0 already exists and leads to the same (correct) behavior. Another option which would be sufficient would be to add a test for mv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one which already exists in mv88e6xxx_mst_get(). But that placement means the caller will have to dereference vlan.sid, which means it will access uninitialized memory, which is not nice even if it ignores it later. So we end up making both modifications, in order to not rely just on the sid == 0 coincidence, but also to avoid having uninitialized structure fields which might get temporarily accessed.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37865.html
CVE-2025-37865
https://bugzilla.suse.com/1242954
SUSE Bug 1242954

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Silence oversized kvmalloc() warning syzkaller triggered an oversized kvmalloc() warning. Silence it by adding __GFP_NOWARN. syzkaller log: WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180 CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:__kvmalloc_node_noprof+0x175/0x180 RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246 RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002 RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000 R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000 FS: 00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ib_umem_odp_get+0x1f6/0x390 mlx5_ib_reg_user_mr+0x1e8/0x450 ib_uverbs_reg_mr+0x28b/0x440 ib_uverbs_write+0x7d3/0xa30 vfs_write+0x1ac/0x6c0 ksys_write+0x134/0x170 ? __sanitizer_cov_trace_pc+0x1c/0x50 do_syscall_64+0x50/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37867.html
CVE-2025-37867
https://bugzilla.suse.com/1242948
SUSE Bug 1242948

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe/userptr: fix notifier vs folio deadlock User is reporting what smells like notifier vs folio deadlock, where migrate_pages_batch() on core kernel side is holding folio lock(s) and then interacting with the mappings of it, however those mappings are tied to some userptr, which means calling into the notifier callback and grabbing the notifier lock. With perfect timing it looks possible that the pages we pulled from the hmm fault can get sniped by migrate_pages_batch() at the same time that we are holding the notifier lock to mark the pages as accessed/dirty, but at this point we also want to grab the folio locks(s) to mark them as dirty, but if they are contended from notifier/migrate_pages_batch side then we deadlock since folio lock won't be dropped until we drop the notifier lock. Fortunately the mark_page_accessed/dirty is not really needed in the first place it seems and should have already been done by hmm fault, so just remove it. (cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37868.html
CVE-2025-37868
https://bugzilla.suse.com/1242966
SUSE Bug 1242966

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Use local fence in error path of xe_migrate_clear The intent of the error path in xe_migrate_clear is to wait on locally generated fence and then return. The code is waiting on m->fence which could be the local fence but this is only stable under the job mutex leading to a possible UAF. Fix code to wait on local fence. (cherry picked from commit 762b7e95362170b3e13a8704f38d5e47eca4ba74)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37869.html
CVE-2025-37869
https://bugzilla.suse.com/1242967
SUSE Bug 1242967

Описание

In the Linux kernel, the following vulnerability has been resolved: nfsd: decrease sc_count directly if fail to queue dl_recall A deadlock warning occurred when invoking nfs4_put_stid following a failed dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers __break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock When a file is opened, an nfs4_delegation is allocated with sc_count initialized to 1, and the file_lease holds a reference to the delegation. The file_lease is then associated with the file through kernel_setlease. The disassociation is performed in nfsd4_delegreturn via the following call chain: nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg --> nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease The corresponding sc_count reference will be released after this disassociation. Since nfsd_break_one_deleg executes while holding the flc_lock, the disassociation process becomes blocked when attempting to acquire flc_lock in generic_delete_lease. This means: 1) sc_count in nfsd_break_one_deleg will not be decremented to 0; 2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to acquire cl_lock; 3) Consequently, no deadlock condition is created. Given that sc_count in nfsd_break_one_deleg remains non-zero, we can safely perform refcount_dec on sc_count directly. This approach effectively avoids triggering deadlock warnings.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37871.html
CVE-2025-37871
https://bugzilla.suse.com/1242949
SUSE Bug 1242949

Описание

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix missing ring index trim on error path Commit under Fixes converted tx_prod to be free running but missed masking it on the Tx error path. This crashes on error conditions, for example when DMA mapping fails.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37873.html
CVE-2025-37873
https://bugzilla.suse.com/1242961
SUSE Bug 1242961

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ngbe: fix memory leak in ngbe_probe() error path When ngbe_sw_init() is called, memory is allocated for wx->rss_key in wx_init_rss_key(). However, in ngbe_probe() function, the subsequent error paths after ngbe_sw_init() don't free the rss_key. Fix that by freeing it in error path along with wx->mac_table. Also change the label to which execution jumps when ngbe_sw_init() fails, because otherwise, it could lead to a double free for rss_key, when the mac_table allocation fails in wx_sw_init().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37874.html
CVE-2025-37874
https://bugzilla.suse.com/1242940
SUSE Bug 1242940

Описание

In the Linux kernel, the following vulnerability has been resolved: igc: fix PTM cycle trigger logic Writing to clear the PTM status 'valid' bit while the PTM cycle is triggered results in unreliable PTM operation. To fix this, clear the PTM 'trigger' and status after each PTM transaction. The issue can be reproduced with the following: $ sudo phc2sys -R 1000 -O 0 -i tsn0 -m Note: 1000 Hz (-R 1000) is unrealistically large, but provides a way to quickly reproduce the issue. PHC2SYS exits with: "ioctl PTP_OFFSET_PRECISE: Connection timed out" when the PTM transaction fails This patch also fixes a hang in igc_probe() when loading the igc driver in the kdump kernel on systems supporting PTM. The igc driver running in the base kernel enables PTM trigger in igc_probe(). Therefore the driver is always in PTM trigger mode, except in brief periods when manually triggering a PTM cycle. When a crash occurs, the NIC is reset while PTM trigger is enabled. Due to a hardware problem, the NIC is subsequently in a bad busmaster state and doesn't handle register reads/writes. When running igc_probe() in the kdump kernel, the first register access to a NIC register hangs driver probing and ultimately breaks kdump. With this patch, igc has PTM trigger disabled most of the time, and the trigger is only enabled for very brief (10 - 100 us) periods when manually triggering a PTM cycle. Chances that a crash occurs during a PTM trigger are not 0, but extremely reduced.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37875.html
CVE-2025-37875
https://bugzilla.suse.com/1242959
SUSE Bug 1242959

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() The variable d->name, returned by devm_kasprintf(), could be NULL. A pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c"). This issue is found by our static analysis tool

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37881.html
CVE-2025-37881
https://bugzilla.suse.com/1242973
SUSE Bug 1242973

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix deadlock between rcu_tasks_trace and event_mutex. Fix the following deadlock: CPU A _free_event() perf_kprobe_destroy() mutex_lock(&event_mutex) perf_trace_event_unreg() synchronize_rcu_tasks_trace() There are several paths where _free_event() grabs event_mutex and calls sync_rcu_tasks_trace. Above is one such case. CPU B bpf_prog_test_run_syscall() rcu_read_lock_trace() bpf_prog_run_pin_on_cpu() bpf_prog_load() bpf_tracing_func_proto() trace_set_clr_event() mutex_lock(&event_mutex) Delegate trace_set_clr_event() to workqueue to avoid such lock dependency.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37884.html
CVE-2025-37884
https://bugzilla.suse.com/1243060
SUSE Bug 1243060

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() Add NULL check for mlx5_get_flow_namespace() returns in mlx5_create_inner_ttc_table() and mlx5_create_ttc_table() to prevent NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37888.html
CVE-2025-37888
https://bugzilla.suse.com/1242964
SUSE Bug 1242964

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Consistently treat platform_max as control value This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min"), and makes some additional related updates. There are two ways the platform_max could be interpreted; the maximum register value, or the maximum value the control can be set to. The patch moved from treating the value as a control value to a register one. When the patch was applied it was technically correct as snd_soc_limit_volume() also used the register interpretation. However, even then most of the other usages treated platform_max as a control value, and snd_soc_limit_volume() has since been updated to also do so in commit fb9ad24485087 ("ASoC: ops: add correct range check for limiting volume"). That patch however, missed updating snd_soc_put_volsw() back to the control interpretation, and fixing snd_soc_info_volsw_range(). The control interpretation makes more sense as limiting is typically done from the machine driver, so it is appropriate to use the customer facing representation rather than the internal codec representation. Update all the code to consistently use this interpretation of platform_max. Finally, also add some comments to the soc_mixer_control struct to hopefully avoid further patches switching between the two approaches.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37889.html
CVE-2025-37889
https://bugzilla.suse.com/1242945
SUSE Bug 1242945

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37890.html
CVE-2025-37890
https://bugzilla.suse.com/1243330
SUSE Bug 1243330
https://bugzilla.suse.com/1245791
SUSE Bug 1245791

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: ump: Fix buffer overflow at UMP SysEx message conversion The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its size is 4, as it was supposed to be the max size for a MIDI1 UMP packet data. However, the implementation overlooked that SysEx is handled in a different format, and it can be up to 6 bytes, as found in do_convert_to_ump(). It leads eventually to a buffer overflow, and may corrupt the memory when a longer SysEx message is received. The fix is simply to extend the buffer size to 6 to fit with the SysEx UMP message.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37891.html
CVE-2025-37891
https://bugzilla.suse.com/1243589
SUSE Bug 1243589

Описание

In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fails.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37892.html
CVE-2025-37892
https://bugzilla.suse.com/1243536
SUSE Bug 1243536

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases mac->lock can not be held as the driver is not working with the device at the moment. All functions that use mac->lock unlock it just after it was held. There is also no need to hold mac->lock for plfxlc_mac_release() itself, as mac data is not affected, except for mac->flags, which is modified atomically. This bug leads to the following warning: ================================================================ WARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0 Modules linked in: CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: usb_hub_wq hub_event RIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106 Call Trace: <TASK> probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694 usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396 really_probe+0x2ab/0xcb0 drivers/base/dd.c:639 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785 driver_probe_device+0x50/0x420 drivers/base/dd.c:815 __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429 __device_attach+0x359/0x570 drivers/base/dd.c:1015 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489 device_add+0xb48/0xfd0 drivers/base/core.c:3696 usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165 usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238 usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293 really_probe+0x2ab/0xcb0 drivers/base/dd.c:639 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785 driver_probe_device+0x50/0x420 drivers/base/dd.c:815 __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429 __device_attach+0x359/0x570 drivers/base/dd.c:1015 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489 device_add+0xb48/0xfd0 drivers/base/core.c:3696 usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620 hub_port_connect drivers/usb/core/hub.c:5477 [inline] hub_port_connect_change drivers/usb/core/hub.c:5617 [inline] port_event drivers/usb/core/hub.c:5773 [inline] hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> ================================================================ Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37897.html
CVE-2025-37897
https://bugzilla.suse.com/1243534
SUSE Bug 1243534

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix two issues in iommu_copy_struct_from_user() In the review for iommu_copy_struct_to_user() helper, Matt pointed out that a NULL pointer should be rejected prior to dereferencing it: https://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com And Alok pointed out a typo at the same time: https://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com Since both issues were copied from iommu_copy_struct_from_user(), fix them first in the current header.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37900.html
CVE-2025-37900
https://bugzilla.suse.com/1243560
SUSE Bug 1243560

Описание

In the Linux kernel, the following vulnerability has been resolved: irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs On Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not have a corresponding MPM pin and should not be handled inside the MPM driver. The IRQ domain hierarchy is always applied, so it's required to explicitly disconnect the hierarchy for those. The pinctrl-msm driver marks these with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but irq-qcom-mpm is currently missing the check. This is causing crashes when setting up interrupts for non-wake GPIOs: root@rb1:~# gpiomon -c gpiochip1 10 irq: IRQ159: trimming hierarchy from :soc@0:interrupt-controller@f200000-1 Unable to handle kernel paging request at virtual address ffff8000a1dc3820 Hardware name: Qualcomm Technologies, Inc. Robotics RB1 (DT) pc : mpm_set_type+0x80/0xcc lr : mpm_set_type+0x5c/0xcc Call trace: mpm_set_type+0x80/0xcc (P) qcom_mpm_set_type+0x64/0x158 irq_chip_set_type_parent+0x20/0x38 msm_gpio_irq_set_type+0x50/0x530 __irq_set_trigger+0x60/0x184 __setup_irq+0x304/0x6bc request_threaded_irq+0xc8/0x19c edge_detector_setup+0x260/0x364 linereq_create+0x420/0x5a8 gpio_ioctl+0x2d4/0x6c0 Fix this by copying the check for GPIO_NO_WAKE_IRQ from qcom-pdc.c, so that MPM is removed entirely from the hierarchy for non-wake GPIOs.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37901.html
CVE-2025-37901
https://bugzilla.suse.com/1243559
SUSE Bug 1243559

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free in hdcp The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free: [ 66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10 [ 66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233 [ 66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024 [ 66.776186] Workqueue: events event_property_validate [amdgpu] [ 66.776494] Call Trace: [ 66.776496] <TASK> [ 66.776497] dump_stack_lvl+0x70/0xa0 [ 66.776504] print_report+0x175/0x555 [ 66.776507] ? __virt_addr_valid+0x243/0x450 [ 66.776510] ? kasan_complete_mode_report_info+0x66/0x1c0 [ 66.776515] kasan_report+0xeb/0x1c0 [ 66.776518] ? event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.776819] ? event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.777121] __asan_report_load4_noabort+0x14/0x20 [ 66.777124] event_property_validate+0x42f/0x6c0 [amdgpu] [ 66.777342] ? __lock_acquire+0x6b40/0x6b40 [ 66.777347] ? enable_assr+0x250/0x250 [amdgpu] [ 66.777571] process_one_work+0x86b/0x1510 [ 66.777575] ? pwq_dec_nr_in_flight+0xcf0/0xcf0 [ 66.777578] ? assign_work+0x16b/0x280 [ 66.777580] ? lock_is_held_type+0xa3/0x130 [ 66.777583] worker_thread+0x5c0/0xfa0 [ 66.777587] ? process_one_work+0x1510/0x1510 [ 66.777588] kthread+0x3a2/0x840 [ 66.777591] ? kthread_is_per_cpu+0xd0/0xd0 [ 66.777594] ? trace_hardirqs_on+0x4f/0x60 [ 66.777597] ? _raw_spin_unlock_irq+0x27/0x60 [ 66.777599] ? calculate_sigpending+0x77/0xa0 [ 66.777602] ? kthread_is_per_cpu+0xd0/0xd0 [ 66.777605] ret_from_fork+0x40/0x90 [ 66.777607] ? kthread_is_per_cpu+0xd0/0xd0 [ 66.777609] ret_from_fork_asm+0x11/0x20 [ 66.777614] </TASK> [ 66.777643] Allocated by task 10: [ 66.777646] kasan_save_stack+0x39/0x60 [ 66.777649] kasan_save_track+0x14/0x40 [ 66.777652] kasan_save_alloc_info+0x37/0x50 [ 66.777655] __kasan_kmalloc+0xbb/0xc0 [ 66.777658] __kmalloc_cache_noprof+0x1c8/0x4b0 [ 66.777661] dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu] [ 66.777880] drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper] [ 66.777892] drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper] [ 66.777901] drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper] [ 66.777909] drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper] [ 66.777917] process_one_work+0x86b/0x1510 [ 66.777919] worker_thread+0x5c0/0xfa0 [ 66.777922] kthread+0x3a2/0x840 [ 66.777925] ret_from_fork+0x40/0x90 [ 66.777927] ret_from_fork_asm+0x11/0x20 [ 66.777932] Freed by task 1713: [ 66.777935] kasan_save_stack+0x39/0x60 [ 66.777938] kasan_save_track+0x14/0x40 [ 66.777940] kasan_save_free_info+0x3b/0x60 [ 66.777944] __kasan_slab_free+0x52/0x70 [ 66.777946] kfree+0x13f/0x4b0 [ 66.777949] dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu] [ 66.778179] drm_connector_free+0x7d/0xb0 [ 66.778184] drm_mode_object_put.part.0+0xee/0x160 [ 66.778188] drm_mode_object_put+0x37/0x50 [ 66.778191] drm_atomic_state_default_clear+0x220/0xd60 [ 66.778194] __drm_atomic_state_free+0x16e/0x2a0 [ 66.778197] drm_mode_atomic_ioctl+0x15ed/0x2ba0 [ 66.778200] drm_ioctl_kernel+0x17a/0x310 [ 66.778203] drm_ioctl+0x584/0xd10 [ 66.778206] amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu] [ 66.778375] __x64_sys_ioctl+0x139/0x1a0 [ 66.778378] x64_sys_call+0xee7/0xfb0 [ 66.778381] ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37903.html
CVE-2025-37903
https://bugzilla.suse.com/1243562
SUSE Bug 1243562

Описание

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Balance device refcount when destroying devices Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release methods upon devices destruction. As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_private dev->p populated by the drivers subsystem core. KMemleak detects this situation since loading/unloding some SCMI driver causes related devices to be created/destroyed without calling any device_release method. unreferenced object 0xffff00000f583800 (size 512): comm "insmod", pid 227, jiffies 4294912190 hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 60 36 1d 8a 00 80 ff ff ........`6...... backtrace (crc 114e2eed): kmemleak_alloc+0xbc/0xd8 __kmalloc_cache_noprof+0x2dc/0x398 device_add+0x954/0x12d0 device_register+0x28/0x40 __scmi_device_create.part.0+0x1bc/0x380 scmi_device_create+0x2d0/0x390 scmi_create_protocol_devices+0x74/0xf8 scmi_device_request_notifier+0x1f8/0x2a8 notifier_call_chain+0x110/0x3b0 blocking_notifier_call_chain+0x70/0xb0 scmi_driver_register+0x350/0x7f0 0xffff80000a3b3038 do_one_initcall+0x12c/0x730 do_init_module+0x1dc/0x640 load_module+0x4b20/0x5b70 init_module_from_file+0xec/0x158 $ ./scripts/faddr2line ./vmlinux device_add+0x954/0x12d0 device_add+0x954/0x12d0: kmalloc_noprof at include/linux/slab.h:901 (inlined by) kzalloc_noprof at include/linux/slab.h:1037 (inlined by) device_private_init at drivers/base/core.c:3510 (inlined by) device_add at drivers/base/core.c:3561 Balance device refcount by issuing a put_device() on devices found via device_find_child().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37905.html
CVE-2025-37905
https://bugzilla.suse.com/1243456
SUSE Bug 1243456

Описание

In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37909.html
CVE-2025-37909
https://bugzilla.suse.com/1243467
SUSE Bug 1243467

Описание

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix out-of-bound memcpy() during ethtool -w When retrieving the FW coredump using ethtool, it can sometimes cause memory corruption: BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfence-#45): __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] ethtool_get_dump_data+0xdc/0x1a0 __dev_ethtool+0xa1e/0x1af0 dev_ethtool+0xa8/0x170 dev_ioctl+0x1b5/0x580 sock_do_ioctl+0xab/0xf0 sock_ioctl+0x1ce/0x2e0 __x64_sys_ioctl+0x87/0xc0 do_syscall_64+0x5c/0xf0 entry_SYSCALL_64_after_hwframe+0x78/0x80 ... This happens when copying the coredump segment list in bnxt_hwrm_dbg_dma_data() with the HWRM_DBG_COREDUMP_LIST FW command. The info->dest_buf buffer is allocated based on the number of coredump segments returned by the FW. The segment list is then DMA'ed by the FW and the length of the DMA is returned by FW. The driver then copies this DMA'ed segment list to info->dest_buf. In some cases, this DMA length may exceed the info->dest_buf length and cause the above BUG condition. Fix it by capping the copy length to not exceed the length of info->dest_buf. The extra DMA data contains no useful information. This code path is shared for the HWRM_DBG_COREDUMP_LIST and the HWRM_DBG_COREDUMP_RETRIEVE FW commands. The buffering is different for these 2 FW commands. To simplify the logic, we need to move the line to adjust the buffer length for HWRM_DBG_COREDUMP_RETRIEVE up, so that the new check to cap the copy length will work for both commands.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37911.html
CVE-2025-37911
https://bugzilla.suse.com/1243469
SUSE Bug 1243469

Описание

In the Linux kernel, the following vulnerability has been resolved: ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() As mentioned in the commit baeb705fd6a7 ("ice: always check VF VSI pointer values"), we need to perform a null pointer check on the return value of ice_get_vf_vsi() before using it.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37912.html
CVE-2025-37912
https://bugzilla.suse.com/1243470
SUSE Bug 1243470

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37913.html
CVE-2025-37913
https://bugzilla.suse.com/1243471
SUSE Bug 1243471

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of ets, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37914.html
CVE-2025-37914
https://bugzilla.suse.com/1243472
SUSE Bug 1243472

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: drr: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of drr, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before adding to the list to cover for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37915.html
CVE-2025-37915
https://bugzilla.suse.com/1243473
SUSE Bug 1243473

Описание

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Use spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock and spin_unlock in mtk_star_emac driver to avoid spinlock recursion occurrence that can happen when enabling the DMA interrupts again in rx/tx poll. ``` BUG: spinlock recursion on CPU#0, swapper/0/0 lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0, .owner_cpu: 0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT Hardware name: MediaTek MT8365 Open Platform EVK (DT) Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x60/0x80 dump_stack+0x18/0x24 spin_dump+0x78/0x88 do_raw_spin_lock+0x11c/0x120 _raw_spin_lock+0x20/0x2c mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac] __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x4c/0xb0 handle_fasteoi_irq+0xa0/0x1bc handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x120 do_interrupt_handler+0x50/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 regmap_mmio_read32le+0xc/0x20 (P) _regmap_bus_reg_read+0x6c/0xac _regmap_read+0x60/0xdc regmap_read+0x4c/0x80 mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac] __napi_poll+0x38/0x188 net_rx_action+0x164/0x2c0 handle_softirqs+0x100/0x244 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x20 call_on_irq_stack+0x24/0x64 do_softirq_own_stack+0x1c/0x40 __irq_exit_rcu+0xd4/0x10c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 cpuidle_enter_state+0xac/0x320 (P) cpuidle_enter+0x38/0x50 do_idle+0x1e4/0x260 cpu_startup_entry+0x34/0x3c rest_init+0xdc/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ```

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37917.html
CVE-2025-37917
https://bugzilla.suse.com/1243475
SUSE Bug 1243475

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() A NULL pointer dereference can occur in skb_dequeue() when processing a QCA firmware crash dump on WCN7851 (0489:e0f3). [ 93.672166] Bluetooth: hci0: ACL memdump size(589824) [ 93.672475] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 93.672517] Workqueue: hci0 hci_devcd_rx [bluetooth] [ 93.672598] RIP: 0010:skb_dequeue+0x50/0x80 The issue stems from handle_dump_pkt_qca() returning 0 even when a dump packet is successfully processed. This is because it incorrectly forwards the return value of hci_devcd_init() (which returns 0 on success). As a result, the caller (btusb_recv_acl_qca() or btusb_recv_evt_qca()) assumes the packet was not handled and passes it to hci_recv_frame(), leading to premature kfree() of the skb. Later, hci_devcd_rx() attempts to dequeue the same skb from the dump queue, resulting in a NULL pointer dereference. Fix this by: 1. Making handle_dump_pkt_qca() return 0 on success and negative errno on failure, consistent with kernel conventions. 2. Splitting dump packet detection into separate functions for ACL and event packets for better structure and readability. This ensures dump packets are properly identified and consumed, avoiding double handling and preventing NULL pointer access.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37918.html
CVE-2025-37918
https://bugzilla.suse.com/1243476
SUSE Bug 1243476

Описание

In the Linux kernel, the following vulnerability has been resolved: vxlan: vnifilter: Fix unlocked deletion of default FDB entry When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB entry associated with the default remote (assuming one was configured) is deleted without holding the hash lock. This is wrong and will result in a warning [1] being generated by the lockdep annotation that was added by commit ebe642067455 ("vxlan: Create wrappers for FDB lookup"). Reproducer: # ip link add vx0 up type vxlan dstport 4789 external vnifilter local 192.0.2.1 # bridge vni add vni 10010 remote 198.51.100.1 dev vx0 # bridge vni del vni 10010 dev vx0 Fix by acquiring the hash lock before the deletion and releasing it afterwards. Blame the original commit that introduced the issue rather than the one that exposed it. [1] WARNING: CPU: 3 PID: 392 at drivers/net/vxlan/vxlan_core.c:417 vxlan_find_mac+0x17f/0x1a0 [...] RIP: 0010:vxlan_find_mac+0x17f/0x1a0 [...] Call Trace: <TASK> __vxlan_fdb_delete+0xbe/0x560 vxlan_vni_delete_group+0x2ba/0x940 vxlan_vni_del.isra.0+0x15f/0x580 vxlan_process_vni_filter+0x38b/0x7b0 vxlan_vnifilter_process+0x3bb/0x510 rtnetlink_rcv_msg+0x2f7/0xb70 netlink_rcv_skb+0x131/0x360 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 __sys_sendmsg+0x121/0x1b0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37921.html
CVE-2025-37921
https://bugzilla.suse.com/1243480
SUSE Bug 1243480

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace_seq_to_buffer() syzbot reported this bug: ================================================================== BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260 CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106 trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 .... ================================================================== It has been reported that trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf. Therefore, to prevent this, we should use the smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37923.html
CVE-2025-37923
https://bugzilla.suse.com/1243551
SUSE Bug 1243551

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: reject on-disk inodes of an unsupported type Syzbot has reported the following BUG: kernel BUG at fs/inode.c:668! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:clear_inode+0x168/0x190 Code: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7 0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f RSP: 0018:ffffc900027dfae8 EFLAGS: 00010093 RAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38 R10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000 R13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80 FS: 0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die_body+0x5f/0xb0 ? die+0x9e/0xc0 ? do_trap+0x15a/0x3a0 ? clear_inode+0x168/0x190 ? do_error_trap+0x1dc/0x2c0 ? clear_inode+0x168/0x190 ? __pfx_do_error_trap+0x10/0x10 ? report_bug+0x3cd/0x500 ? handle_invalid_op+0x34/0x40 ? clear_inode+0x168/0x190 ? exc_invalid_op+0x38/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? clear_inode+0x57/0x190 ? clear_inode+0x167/0x190 ? clear_inode+0x168/0x190 ? clear_inode+0x167/0x190 jfs_evict_inode+0xb5/0x440 ? __pfx_jfs_evict_inode+0x10/0x10 evict+0x4ea/0x9b0 ? __pfx_evict+0x10/0x10 ? iput+0x713/0xa50 txUpdateMap+0x931/0xb10 ? __pfx_txUpdateMap+0x10/0x10 jfs_lazycommit+0x49a/0xb80 ? _raw_spin_unlock_irqrestore+0x8f/0x140 ? lockdep_hardirqs_on+0x99/0x150 ? __pfx_jfs_lazycommit+0x10/0x10 ? __pfx_default_wake_function+0x10/0x10 ? __kthread_parkme+0x169/0x1d0 ? __pfx_jfs_lazycommit+0x10/0x10 kthread+0x2f2/0x390 ? __pfx_jfs_lazycommit+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x4d/0x80 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> This happens when 'clear_inode()' makes an attempt to finalize an underlying JFS inode of unknown type. According to JFS layout description from https://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to 15 are reserved for future extensions and should not be encountered on a valid filesystem. So add an extra check for valid inode type in 'copy_from_dinode()'.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37925.html
CVE-2025-37925
https://bugzilla.suse.com/1241654
SUSE Bug 1241654

Описание

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid There is a string parsing logic error which can lead to an overflow of hid or uid buffers. Comparing ACPIID_LEN against a total string length doesn't take into account the lengths of individual hid and uid buffers so the check is insufficient in some cases. For example if the length of hid string is 4 and the length of the uid string is 260, the length of str will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer which size is 256. The same applies to the hid string with length 13 and uid string with length 250. Check the length of hid and uid strings separately to prevent buffer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37927.html
CVE-2025-37927
https://bugzilla.suse.com/1243620
SUSE Bug 1243620

Описание

In the Linux kernel, the following vulnerability has been resolved: dm-bufio: don't schedule in atomic context A BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled. [ 129.444685][ T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421 [ 129.444723][ T934] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 934, name: kworker/1:4 [ 129.444740][ T934] preempt_count: 201, expected: 0 [ 129.444756][ T934] RCU nest depth: 0, expected: 0 [ 129.444781][ T934] Preemption disabled at: [ 129.444789][ T934] [<ffffffd816231900>] shrink_work+0x21c/0x248 [ 129.445167][ T934] kernel BUG at kernel/sched/walt/walt_debug.c:16! [ 129.445183][ T934] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [ 129.445204][ T934] Skip md ftrace buffer dump for: 0x1609e0 [ 129.447348][ T934] CPU: 1 PID: 934 Comm: kworker/1:4 Tainted: G W OE 6.6.56-android15-8-o-g6f82312b30b9-debug #1 1400000003000000474e5500b3187743670464e8 [ 129.447362][ T934] Hardware name: Qualcomm Technologies, Inc. Parrot QRD, Alpha-M (DT) [ 129.447373][ T934] Workqueue: dm_bufio_cache shrink_work [ 129.447394][ T934] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 129.447406][ T934] pc : android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug] [ 129.447435][ T934] lr : __traceiter_android_rvh_schedule_bug+0x44/0x6c [ 129.447451][ T934] sp : ffffffc0843dbc90 [ 129.447459][ T934] x29: ffffffc0843dbc90 x28: ffffffffffffffff x27: 0000000000000c8b [ 129.447479][ T934] x26: 0000000000000040 x25: ffffff804b3d6260 x24: ffffffd816232b68 [ 129.447497][ T934] x23: ffffff805171c5b4 x22: 0000000000000000 x21: ffffffd816231900 [ 129.447517][ T934] x20: ffffff80306ba898 x19: 0000000000000000 x18: ffffffc084159030 [ 129.447535][ T934] x17: 00000000d2b5dd1f x16: 00000000d2b5dd1f x15: ffffffd816720358 [ 129.447554][ T934] x14: 0000000000000004 x13: ffffff89ef978000 x12: 0000000000000003 [ 129.447572][ T934] x11: ffffffd817a823c4 x10: 0000000000000202 x9 : 7e779c5735de9400 [ 129.447591][ T934] x8 : ffffffd81560d004 x7 : 205b5d3938373434 x6 : ffffffd8167397c8 [ 129.447610][ T934] x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffffffc0843db9e0 [ 129.447629][ T934] x2 : 0000000000002f15 x1 : 0000000000000000 x0 : 0000000000000000 [ 129.447647][ T934] Call trace: [ 129.447655][ T934] android_rvh_schedule_bug+0x0/0x8 [sched_walt_debug 1400000003000000474e550080cce8a8a78606b6] [ 129.447681][ T934] __might_resched+0x190/0x1a8 [ 129.447694][ T934] shrink_work+0x180/0x248 [ 129.447706][ T934] process_one_work+0x260/0x624 [ 129.447718][ T934] worker_thread+0x28c/0x454 [ 129.447729][ T934] kthread+0x118/0x158 [ 129.447742][ T934] ret_from_fork+0x10/0x20 [ 129.447761][ T934] Code: ???????? ???????? ???????? d2b5dd1f (d4210000) [ 129.447772][ T934] ---[ end trace 0000000000000000 ]--- dm_bufio_lock will call spin_lock_bh when try_verify_in_tasklet is enabled, and __scan will be called in atomic context.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37928.html
CVE-2025-37928
https://bugzilla.suse.com/1243621
SUSE Bug 1243621

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Commit a5951389e58d ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists") added some additional CPUs to the Spectre-BHB workaround, including some new arrays for designs that require new 'k' values for the workaround to be effective. Unfortunately, the new arrays omitted the sentinel entry and so is_midr_in_range_list() will walk off the end when it doesn't find a match. With UBSAN enabled, this leads to a crash during boot when is_midr_in_range_list() is inlined (which was more common prior to c8c2647e69be ("arm64: Make _midr_in_range_list() an exported function")): | Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP | pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : spectre_bhb_loop_affected+0x28/0x30 | lr : is_spectre_bhb_affected+0x170/0x190 | [...] | Call trace: | spectre_bhb_loop_affected+0x28/0x30 | update_cpu_capabilities+0xc0/0x184 | init_cpu_features+0x188/0x1a4 | cpuinfo_store_boot_cpu+0x4c/0x60 | smp_prepare_boot_cpu+0x38/0x54 | start_kernel+0x8c/0x478 | __primary_switched+0xc8/0xd4 | Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020) | ---[ end trace 0000000000000000 ]--- | Kernel panic - not syncing: aarch64 BRK: Fatal exception Add the missing sentinel entries.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37929.html
CVE-2025-37929
https://bugzilla.suse.com/1243624
SUSE Bug 1243624

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Nouveau is mostly designed in a way that it's expected that fences only ever get signaled through nouveau_fence_signal(). However, in at least one other place, nouveau_fence_done(), can signal fences, too. If that happens (race) a signaled fence remains in the pending list for a while, until it gets removed by nouveau_fence_update(). Should nouveau_fence_context_kill() run in the meantime, this would be a bug because the function would attempt to set an error code on an already signaled fence. Have nouveau_fence_context_kill() check for a fence being signaled.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37930.html
CVE-2025-37930
https://bugzilla.suse.com/1243625
SUSE Bug 1243625

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: adjust subpage bit start based on sectorsize When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing out a subpage EB we scan the subpage bitmap for a dirty range. If the range isn't dirty we do bit_start++; to move onto the next bit. The problem is the bitmap is based on the number of sectors that an EB has. So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 bits for every node. With a 64k page size we end up with 4 nodes per page. To make this easier this is how everything looks [0 16k 32k 48k ] logical address [0 4 8 12 ] radix tree offset [ 64k page ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | | | | | | | | | | | | | | ] bitmap Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4. When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k. However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries. In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again. This time it is dirty, and we go to find that start using the following equation start = folio_start + bit_start * fs_info->sectorsize; so in the case above, eb->start 0 is now dirty, and we calculate start as 0 + 1 * fs_info->sectorsize = 4096 4096 >> 12 = 1 Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5. If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers. The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change. Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37931.html
CVE-2025-37931
https://bugzilla.suse.com/1243626
SUSE Bug 1243626

Описание

In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_qlen_notify() idempotent htb_qlen_notify() always deactivates the HTB class and in fact could trigger a warning if it is already deactivated. Therefore, it is not idempotent and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37932.html
CVE-2025-37932
https://bugzilla.suse.com/1243627
SUSE Bug 1243627

Описание

In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix host hang issue during device reboot When the host loses heartbeat messages from the device, the driver calls the device-specific ndo_stop function, which frees the resources. If the driver is unloaded in this scenario, it calls ndo_stop again, attempting to free resources that have already been freed, leading to a host hang issue. To resolve this, dev_close should be called instead of the device-specific stop function.dev_close internally calls ndo_stop to stop the network interface and performs additional cleanup tasks. During the driver unload process, if the device is already down, ndo_stop is not called.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37933.html
CVE-2025-37933
https://bugzilla.suse.com/1243628
SUSE Bug 1243628

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction Actually check if the passed pointers are valid, before writing to them. This also fixes a USBAN warning: UBSAN: invalid-load in ../sound/soc/fsl/imx-card.c:687:25 load of value 255 is not a valid value for type '_Bool' This is because playback_only is uninitialized and is not written to, as the playback-only property is absent.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37934.html
CVE-2025-37934
https://bugzilla.suse.com/1243548
SUSE Bug 1243548

Описание

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. When generating the MSR_IA32_PEBS_ENABLE value that will be loaded on VM-Entry to a KVM guest, mask the value with the vCPU's desired PEBS_ENABLE value. Consulting only the host kernel's host vs. guest masks results in running the guest with PEBS enabled even when the guest doesn't want to use PEBS. Because KVM uses perf events to proxy the guest virtual PMU, simply looking at exclude_host can't differentiate between events created by host userspace, and events created by KVM on behalf of the guest. Running the guest with PEBS unexpectedly enabled typically manifests as crashes due to a near-infinite stream of #PFs. E.g. if the guest hasn't written MSR_IA32_DS_AREA, the CPU will hit page faults on address '0' when trying to record PEBS events. The issue is most easily reproduced by running `perf kvm top` from before commit 7b100989b4f6 ("perf evlist: Remove __evlist__add_default") (after which, `perf kvm top` effectively stopped using PEBS). The userspace side of perf creates a guest-only PEBS event, which intel_guest_get_msrs() misconstrues a guest-*owned* PEBS event. Arguably, this is a userspace bug, as enabling PEBS on guest-only events simply cannot work, and userspace can kill VMs in many other ways (there is no danger to the host). However, even if this is considered to be bad userspace behavior, there's zero downside to perf/KVM restricting PEBS to guest-owned events. Note, commit 854250329c02 ("KVM: x86/pmu: Disable guest PEBS temporarily in two rare situations") fixed the case where host userspace is profiling KVM *and* userspace, but missed the case where userspace is profiling only KVM.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37936.html
CVE-2025-37936
https://bugzilla.suse.com/1243537
SUSE Bug 1243537

Описание

In the Linux kernel, the following vulnerability has been resolved: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result is a divide-by-zero. Prevent that from happening. Fixes the following warning with an UBSAN kernel: drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37937.html
CVE-2025-37937
https://bugzilla.suse.com/1243540
SUSE Bug 1243540

Описание

In the Linux kernel, the following vulnerability has been resolved: tracing: Verify event formats that have "%*p.." The trace event verifier checks the formats of trace events to make sure that they do not point at memory that is not in the trace event itself or in data that will never be freed. If an event references data that was allocated when the event triggered and that same data is freed before the event is read, then the kernel can crash by reading freed memory. The verifier runs at boot up (or module load) and scans the print formats of the events and checks their arguments to make sure that dereferenced pointers are safe. If the format uses "%*p.." the verifier will ignore it, and that could be dangerous. Cover this case as well. Also add to the sample code a use case of "%*pbl".

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37938.html
CVE-2025-37938
https://bugzilla.suse.com/1243544
SUSE Bug 1243544

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi In certain cases, hardware might provide packets with a length greater than the maximum native Wi-Fi header length. This can lead to accessing and modifying fields in the header within the ath12k_dp_rx_h_undecap_nwifi function for DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and potentially resulting in invalid data access and memory corruption. Add a sanity check before processing the SKB to prevent invalid data access in the undecap native Wi-Fi function for the DP_RX_DECAP_TYPE_NATIVE_WIFI decap type. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37943.html
CVE-2025-37943
https://bugzilla.suse.com/1243509
SUSE Bug 1243509

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process Currently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry to fetch the next entry from the destination ring. This is incorrect because ath12k_hal_srng_src_get_next_entry is intended for source rings, not destination rings. This leads to invalid entry fetches, causing potential data corruption or crashes due to accessing incorrect memory locations. This happens because the source ring and destination ring have different handling mechanisms and using the wrong function results in incorrect pointer arithmetic and ring management. To fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with ath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures that the correct function is used for fetching entries from the destination ring, preventing invalid memory accesses. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37944.html
CVE-2025-37944
https://bugzilla.suse.com/1243530
SUSE Bug 1243530

Описание

In the Linux kernel, the following vulnerability has been resolved: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY DSA has 2 kinds of drivers: 1. Those who call dsa_switch_suspend() and dsa_switch_resume() from their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz 2. Those who don't: all others. The above methods should be optional. For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(), and dsa_switch_resume() calls dsa_user_resume() -> phylink_start(). These seem good candidates for setting mac_managed_pm = true because that is essentially its definition [1], but that does not seem to be the biggest problem for now, and is not what this change focuses on. Talking strictly about the 2nd category of DSA drivers here (which do not have MAC managed PM, meaning that for their attached PHYs, mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full), I have noticed that the following warning from mdio_bus_phy_resume() is triggered: WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY && phydev->state != PHY_UP); because the PHY state machine is running. It's running as a result of a previous dsa_user_open() -> ... -> phylink_start() -> phy_start() having been initiated by the user. The previous mdio_bus_phy_suspend() was supposed to have called phy_stop_machine(), but it didn't. So this is why the PHY is in state PHY_NOLINK by the time mdio_bus_phy_resume() runs. mdio_bus_phy_suspend() did not call phy_stop_machine() because for phylink, the phydev->adjust_link function pointer is NULL. This seems a technicality introduced by commit fddd91016d16 ("phylib: fix PAL state machine restart on resume"). That commit was written before phylink existed, and was intended to avoid crashing with consumer drivers which don't use the PHY state machine - phylink always does, when using a PHY. But phylink itself has historically not been developed with suspend/resume in mind, and apparently not tested too much in that scenario, allowing this bug to exist unnoticed for so long. Plus, prior to the WARN_ON(), it would have likely been invisible. This issue is not in fact restricted to type 2 DSA drivers (according to the above ad-hoc classification), but can be extrapolated to any MAC driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where the issue was reported. Assuming mac_managed_pm is set correctly, a quick search indicates the following other drivers might be affected: $ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm drivers/net/ethernet/atheros/ag71xx.c drivers/net/ethernet/microchip/sparx5/sparx5_main.c drivers/net/ethernet/microchip/lan966x/lan966x_main.c drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c drivers/net/ethernet/freescale/dpaa/dpaa_eth.c drivers/net/ethernet/freescale/ucc_geth.c drivers/net/ethernet/freescale/enetc/enetc_pf_common.c drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c drivers/net/ethernet/marvell/mvneta.c drivers/net/ethernet/marvell/prestera/prestera_main.c drivers/net/ethernet/mediatek/mtk_eth_soc.c drivers/net/ethernet/altera/altera_tse_main.c drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c drivers/net/ethernet/meta/fbnic/fbnic_phylink.c drivers/net/ethernet/tehuti/tn40_phy.c drivers/net/ethernet/mscc/ocelot_net.c Make the existing conditions dependent on the PHY device having a phydev->phy_link_change() implementation equal to the default phy_link_change() provided by phylib. Otherwise, we implicitly know that the phydev has the phylink-provided phylink_phy_change() callback, and when phylink is used, the PHY state machine always needs to be stopped/ started on the suspend/resume path. The code is structured as such that if phydev->phy_link_change() is absent, it is a matter of time until the kernel will crash - no need to further complicate the test. Thus, for the situation where the PM is not managed b ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37945.html
CVE-2025-37945
https://bugzilla.suse.com/1243538
SUSE Bug 1243538

Описание

In the Linux kernel, the following vulnerability has been resolved: s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs With commit bcb5d6c76903 ("s390/pci: introduce lock to synchronize state of zpci_dev's") the code to ignore power off of a PF that has child VFs was changed from a direct return to a goto to the unlock and pci_dev_put() section. The change however left the existing pci_dev_put() untouched resulting in a doubple put. This can subsequently cause a use after free if the struct pci_dev is released in an unexpected state. Fix this by removing the extra pci_dev_put().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37946.html
CVE-2025-37946
https://bugzilla.suse.com/1243506
SUSE Bug 1243506

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs A malicious BPF program may manipulate the branch history to influence what the hardware speculates will happen next. On exit from a BPF program, emit the BHB mititgation sequence. This is only applied for 'classic' cBPF programs that are loaded by seccomp.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37948.html
CVE-2025-37948
https://bugzilla.suse.com/1243649
SUSE Bug 1243649

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Add job to pending list if the reset was skipped When a CL/CSD job times out, we check if the GPU has made any progress since the last timeout. If so, instead of resetting the hardware, we skip the reset and let the timer get rearmed. This gives long-running jobs a chance to complete. However, when `timedout_job()` is called, the job in question is removed from the pending list, which means it won't be automatically freed through `free_job()`. Consequently, when we skip the reset and keep the job running, the job won't be freed when it finally completes. This situation leads to a memory leak, as exposed in [1] and [2]. Similarly to commit 704d3d60fec4 ("drm/etnaviv: don't block scheduler when GPU is still active"), this patch ensures the job is put back on the pending list when extending the timeout.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37951.html
CVE-2025-37951
https://bugzilla.suse.com/1243659
SUSE Bug 1243659

Описание

In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here. For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside. To fix the issues here, we need to: 1) Make htb_deactivate() idempotent, that is, simply return if we already call it before. 2) Make htb_next_rb_node() safe against ptr==NULL. Many thanks to Alan for testing and for the reproducer.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37953.html
CVE-2025-37953
https://bugzilla.suse.com/1243543
SUSE Bug 1243543

Описание

In the Linux kernel, the following vulnerability has been resolved: smb: client: Avoid race in open_cached_dir with lease breaks A pre-existing valid cfid returned from find_or_create_cached_dir might race with a lease break, meaning open_cached_dir doesn't consider it valid, and thinks it's newly-constructed. This leaks a dentry reference if the allocation occurs before the queued lease break work runs. Avoid the race by extending holding the cfid_list_lock across find_or_create_cached_dir and when the result is checked.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37954.html
CVE-2025-37954
https://bugzilla.suse.com/1243664
SUSE Bug 1243664

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Scrub packet on bpf_redirect_peer When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be "misused" in another namespace. As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows (1) the packet path from the host's XFRM layer to the container's XFRM layer where it's dropped and (2) the number of active skb extensions at each function. NETNS MARK IFACE TUPLE FUNC 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb .active_extensions = (__u8)2, 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb .active_extensions = (__u8)2, 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 gro_cells_receive .active_extensions = (__u8)2, [...] 4026533547 0 eth0 10.244.3.124:35473->10.244.2.158:53 skb_do_redirect .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv_core .active_extensions = (__u8)2, [...] 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY) .active_extensions = (__u8)2, In this case, there are no XFRM policies in the container's network namespace so the drop is unexpected. When we decrypt the IPsec packet, the XFRM state used for decryption is set in the skb extensions. This information is preserved across the netns switch. When we reach the XFRM policy check in the container's netns, __xfrm_policy_check drops the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM policy can't be found that matches the (host-side) XFRM state used for decryption. This patch fixes this by scrubbing the packet when using bpf_redirect_peer, as is done on typical netns switches via veth devices except skb->mark and skb->tstamp are not zeroed.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37959.html
CVE-2025-37959
https://bugzilla.suse.com/1243517
SUSE Bug 1243517

Описание

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix uninit-value for saddr in do_output_route4 syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 ("ipvs: do not use random local source address for tunnels") already implies that the input value of saddr should be ignored but the code is still reading it which can prevent to connect the route. Fix it by changing the argument to ret_saddr. [1] BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147 do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147 __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118 ip_local_out net/ipv4/ip_output.c:127 [inline] ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x267/0x380 net/socket.c:727 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Uninit was created at: slab_post_alloc_hook mm/slub.c:4167 [inline] slab_alloc_node mm/slub.c:4210 [inline] __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367 kmalloc_noprof include/linux/slab.h:905 [inline] ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline] __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323 ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136 ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118 ip_local_out net/ipv4/ip_output.c:127 [inline] ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501 udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195 udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483 inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x267/0x380 net/socket.c:727 ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620 __sys_sendmmsg+0x41d/0x880 net/socket.c:2702 __compat_sys_sendmmsg net/compat.c:360 [inline] __do_compat_sys_sendmmsg net/compat.c:367 [inline] __se_compat_sys_sendmmsg net/compat.c:364 [inline] __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364 ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369 entry_SYSENTER_compat_after_hwframe+0x84/0x8e CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef) Hardware name: Google Google Compute Engi ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37961.html
CVE-2025-37961
https://bugzilla.suse.com/1243523
SUSE Bug 1243523

Описание

In the Linux kernel, the following vulnerability has been resolved: arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB. In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged users can also load the same program via eBPF, making the mitigation pointless.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37963.html
CVE-2025-37963
https://bugzilla.suse.com/1243660
SUSE Bug 1243660

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix invalid context error in dml helper [Why] "BUG: sleeping function called from invalid context" error. after: "drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()" The populate_dml_plane_cfg_from_plane_state() uses the GFP_KERNEL flag for memory allocation, which shouldn't be used in atomic contexts. The allocation is needed only for using another helper function get_scaler_data_for_plane(). [How] Modify helpers to pass a pointer to scaler_data within existing context, eliminating the need for dynamic memory allocation/deallocation and copying. (cherry picked from commit bd3e84bc98f81b44f2c43936bdadc3241d654259)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37965.html
CVE-2025-37965
https://bugzilla.suse.com/1244174
SUSE Bug 1244174

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix deadlock This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector mutex is only locked if a connection is established and the partner pointer is valid. This resolves a deadlock scenario where ucsi_displayport_remove_partner holds con->mutex waiting for dp_altmode_work to complete while dp_altmode_work attempts to acquire it.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37967.html
CVE-2025-37967
https://bugzilla.suse.com/1243572
SUSE Bug 1243572

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: light: opt3001: fix deadlock due to concurrent flag access The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock. Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37968.html
CVE-2025-37968
https://bugzilla.suse.com/1243571
SUSE Bug 1243571

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37969.html
CVE-2025-37969
https://bugzilla.suse.com/1243574
SUSE Bug 1243574

Описание

In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37970.html
CVE-2025-37970
https://bugzilla.suse.com/1243575
SUSE Bug 1243575

Описание

In the Linux kernel, the following vulnerability has been resolved: Input: mtk-pmic-keys - fix possible null pointer dereference In mtk_pmic_keys_probe, the regs parameter is only set if the button is parsed in the device tree. However, on hardware where the button is left floating, that node will most likely be removed not to enable that input. In that case the code will try to dereference a null pointer. Let's use the regs struct instead as it is defined for all supported platforms. Note that it is ok setting the key reg even if that latter is disabled as the interrupt won't be enabled anyway.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37972.html
CVE-2025-37972
https://bugzilla.suse.com/1243573
SUSE Bug 1243573

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Currently during the multi-link element defragmentation process, the multi-link element length added to the total IEs length when calculating the length of remaining IEs after the multi-link element in cfg80211_defrag_mle(). This could lead to out-of-bounds access if the multi-link element or its corresponding fragment elements are the last elements in the IEs buffer. To address this issue, correctly calculate the remaining IEs length by deducting the multi-link element end offset from total IEs end offset.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37973.html
CVE-2025-37973
https://bugzilla.suse.com/1244172
SUSE Bug 1244172

Описание

In the Linux kernel, the following vulnerability has been resolved: block: integrity: Do not call set_page_dirty_lock() Placing multiple protection information buffers inside the same page can lead to oopses because set_page_dirty_lock() can't be called from interrupt context. Since a protection information buffer is not backed by a file there is no point in setting its page dirty, there is nothing to synchronize. Drop the call to set_page_dirty_lock() and remove the last argument to bio_integrity_unpin_bvec().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37978.html
CVE-2025-37978
https://bugzilla.suse.com/1243516
SUSE Bug 1243516

Описание

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix sc7280 lpass potential buffer overflow Case values introduced in commit 5f78e1fb7a3e ("ASoC: qcom: Add driver support for audioreach solution") cause out of bounds access in arrays of sc7280 driver data (e.g. in case of RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()). Redefine LPASS_MAX_PORTS to consider the maximum possible port id for q6dsp as sc7280 driver utilizes some of those values. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37979.html
CVE-2025-37979
https://bugzilla.suse.com/1243545
SUSE Bug 1243545

Описание

In the Linux kernel, the following vulnerability has been resolved: block: fix resource leak in blk_register_queue() error path When registering a queue fails after blk_mq_sysfs_register() is successful but the function later encounters an error, we need to clean up the blk_mq_sysfs resources. Add the missing blk_mq_sysfs_unregister() call in the error path to properly clean up these resources and prevent a memory leak.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37980.html
CVE-2025-37980
https://bugzilla.suse.com/1243522
SUSE Bug 1243522

Описание

In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Use is_kdump_kernel() to check for kdump The smartpqi driver checks the reset_devices variable to determine whether special adjustments need to be made for kdump. This has the effect that after a regular kexec reboot, some driver parameters such as max_transfer_size are much lower than usual. More importantly, kexec reboot tests have revealed memory corruption caused by the driver log being written to system memory after a kexec. Fix this by testing is_kdump_kernel() rather than reset_devices where appropriate.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37981.html
CVE-2025-37981
https://bugzilla.suse.com/1243514
SUSE Bug 1243514

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: fix memory leak in wl1251_tx_work The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37982.html
CVE-2025-37982
https://bugzilla.suse.com/1243524
SUSE Bug 1243524

Описание

In the Linux kernel, the following vulnerability has been resolved: qibfs: fix _another_ leak failure to allocate inode => leaked dentry... this one had been there since the initial merge; to be fair, if we are that far OOM, the odds of failing at that particular allocation are low...

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37983.html
CVE-2025-37983
https://bugzilla.suse.com/1243567
SUSE Bug 1243567

Описание

In the Linux kernel, the following vulnerability has been resolved: USB: wdm: close race between wdm_open and wdm_wwan_port_stop Clearing WDM_WWAN_IN_USE must be the last action or we can open a chardev whose URBs are still poisoned

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37985.html
CVE-2025-37985
https://bugzilla.suse.com/1243529
SUSE Bug 1243529

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: class: Invalidate USB device pointers on partner unregistration To avoid using invalid USB device pointers after a Type-C partner disconnects, this patch clears the pointers upon partner unregistration. This ensures a clean state for future connections.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37986.html
CVE-2025-37986
https://bugzilla.suse.com/1243515
SUSE Bug 1243515

Описание

In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent possible adminq overflow/stuck condition The pds_core's adminq is protected by the adminq_lock, which prevents more than 1 command to be posted onto it at any one time. This makes it so the client drivers cannot simultaneously post adminq commands. However, the completions happen in a different context, which means multiple adminq commands can be posted sequentially and all waiting on completion. On the FW side, the backing adminq request queue is only 16 entries long and the retry mechanism and/or overflow/stuck prevention is lacking. This can cause the adminq to get stuck, so commands are no longer processed and completions are no longer sent by the FW. As an initial fix, prevent more than 16 outstanding adminq commands so there's no way to cause the adminq from getting stuck. This works because the backing adminq request queue will never have more than 16 pending adminq commands, so it will never overflow. This is done by reducing the adminq depth to 16.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37987.html
CVE-2025-37987
https://bugzilla.suse.com/1243542
SUSE Bug 1243542

Описание

In the Linux kernel, the following vulnerability has been resolved: net: phy: leds: fix memory leak A network restart test on a router led to an out-of-memory condition, which was traced to a memory leak in the PHY LED trigger code. The root cause is misuse of the devm API. The registration function (phy_led_triggers_register) is called from phy_attach_direct, not phy_probe, and the unregister function (phy_led_triggers_unregister) is called from phy_detach, not phy_remove. This means the register and unregister functions can be called multiple times for the same PHY device, but devm-allocated memory is not freed until the driver is unbound. This also prevents kmemleak from detecting the leak, as the devm API internally stores the allocated pointer. Fix this by replacing devm_kzalloc/devm_kcalloc with standard kzalloc/kcalloc, and add the corresponding kfree calls in the unregister path.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37989.html
CVE-2025-37989
https://bugzilla.suse.com/1243511
SUSE Bug 1243511

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() The function brcmf_usb_dl_writeimage() calls the function brcmf_usb_dl_cmd() but dose not check its return value. The 'state.state' and the 'state.bytes' are uninitialized if the function brcmf_usb_dl_cmd() fails. It is dangerous to use uninitialized variables in the conditions. Add error handling for brcmf_usb_dl_cmd() to jump to error handling path if the brcmf_usb_dl_cmd() fails and the 'state.state' and the 'state.bytes' are uninitialized. Improve the error message to report more detailed error information.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37990.html
CVE-2025-37990
https://bugzilla.suse.com/1243528
SUSE Bug 1243528

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37992.html
CVE-2025-37992
https://bugzilla.suse.com/1243698
SUSE Bug 1243698

Описание

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix NULL pointer access This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37994.html
CVE-2025-37994
https://bugzilla.suse.com/1243823
SUSE Bug 1243823

Описание

In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37995.html
CVE-2025-37995
https://bugzilla.suse.com/1243827
SUSE Bug 1243827

Описание

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage collector and adding new elements when a hash type of set is defined with timeouts.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37997.html
CVE-2025-37997
https://bugzilla.suse.com/1243832
SUSE Bug 1243832
https://bugzilla.suse.com/1245774
SUSE Bug 1245774

Описание

In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-37998.html
CVE-2025-37998
https://bugzilla.suse.com/1243836
SUSE Bug 1243836

Описание

In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free. This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38000.html
CVE-2025-38000
https://bugzilla.suse.com/1244277
SUSE Bug 1244277
https://bugzilla.suse.com/1245775
SUSE Bug 1245775

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38001.html
CVE-2025-38001
https://bugzilla.suse.com/1244234
SUSE Bug 1244234
https://bugzilla.suse.com/1244235
SUSE Bug 1244235

Описание

In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read protection for procfs content When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF). As the removal of bcm_op's is already implemented with rcu handling this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38003.html
CVE-2025-38003
https://bugzilla.suse.com/1244275
SUSE Bug 1244275

Описание

In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh. At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38004.html
CVE-2025-38004
https://bugzilla.suse.com/1244274
SUSE Bug 1244274

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma: Add missing locking Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled: [ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tainted 6.12.9-arm64 #28 [ 4.144867] Hardware name: pp-v12 (DT) [ 4.148648] Workqueue: events udma_check_tx_completion [ 4.153841] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 4.160834] pc : udma_start.isra.0+0x34/0x238 [ 4.165227] lr : udma_start.isra.0+0x30/0x238 [ 4.169618] sp : ffffffc083cabcf0 [ 4.172963] x29: ffffffc083cabcf0 x28: 0000000000000000 x27: ffffff800001b005 [ 4.180167] x26: ffffffc0812f0000 x25: 0000000000000000 x24: 0000000000000000 [ 4.187370] x23: 0000000000000001 x22: 00000000e21eabe9 x21: ffffff8000fa0670 [ 4.194571] x20: ffffff8001b6bf00 x19: ffffff8000fa0430 x18: ffffffc083b95030 [ 4.201773] x17: 0000000000000000 x16: 00000000f0000000 x15: 0000000000000048 [ 4.208976] x14: 0000000000000048 x13: 0000000000000000 x12: 0000000000000001 [ 4.216179] x11: ffffffc08151a240 x10: 0000000000003ea1 x9 : ffffffc08046ab68 [ 4.223381] x8 : ffffffc083cabac0 x7 : ffffffc081df3718 x6 : 0000000000029fc8 [ 4.230583] x5 : ffffffc0817ee6d8 x4 : 0000000000000bc0 x3 : 0000000000000000 [ 4.237784] x2 : 0000000000000000 x1 : 00000000001fffff x0 : 0000000000000000 [ 4.244986] Call trace: [ 4.247463] udma_start.isra.0+0x34/0x238 [ 4.251509] udma_check_tx_completion+0xd0/0xdc [ 4.256076] process_one_work+0x244/0x3fc [ 4.260129] process_scheduled_works+0x6c/0x74 [ 4.264610] worker_thread+0x150/0x1dc [ 4.268398] kthread+0xd8/0xe8 [ 4.271492] ret_from_fork+0x10/0x20 [ 4.275107] irq event stamp: 220 [ 4.278363] hardirqs last enabled at (219): [<ffffffc080a27c7c>] _raw_spin_unlock_irq+0x38/0x50 [ 4.287183] hardirqs last disabled at (220): [<ffffffc080a1c154>] el1_dbg+0x24/0x50 [ 4.294879] softirqs last enabled at (182): [<ffffffc080037e68>] handle_softirqs+0x1c0/0x3cc [ 4.303437] softirqs last disabled at (177): [<ffffffc080010170>] __do_softirq+0x1c/0x28 [ 4.311559] ---[ end trace 0000000000000000 ]--- This commit adds the missing locking.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38005.html
CVE-2025-38005
https://bugzilla.suse.com/1244727
SUSE Bug 1244727

Описание

In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38007.html
CVE-2025-38007
https://bugzilla.suse.com/1244938
SUSE Bug 1244938

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: disable napi on driver removal A warning on driver removal started occurring after commit 9dd05df8403b ("net: warn if NAPI instance wasn't shut down"). Disable tx napi before deleting it in mt76_dma_cleanup(). WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100 CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy) Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024 RIP: 0010:__netif_napi_del_locked+0xf0/0x100 Call Trace: <TASK> mt76_dma_cleanup+0x54/0x2f0 [mt76] mt7921_pci_remove+0xd5/0x190 [mt7921e] pci_device_remove+0x47/0xc0 device_release_driver_internal+0x19e/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x6d/0xf0 pci_unregister_driver+0x2e/0xb0 __do_sys_delete_module.isra.0+0x197/0x2e0 do_syscall_64+0x7b/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Tested with mt7921e but the same pattern can be actually applied to other mt76 drivers calling mt76_dma_cleanup() during removal. Tx napi is enabled in their *_dma_init() functions and only toggled off and on again inside their suspend/resume/reset paths. So it should be okay to disable tx napi in such a generic way. Found by Linux Verification Center (linuxtesting.org).

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38009.html
CVE-2025-38009
https://bugzilla.suse.com/1244995
SUSE Bug 1244995

Описание

In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking The current implementation uses bias_pad_enable as a reference count to manage the shared bias pad for all UTMI PHYs. However, during system suspension with connected USB devices, multiple power-down requests for the UTMI pad result in a mismatch in the reference count, which in turn produces warnings such as: [ 237.762967] WARNING: CPU: 10 PID: 1618 at tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763103] Call trace: [ 237.763104] tegra186_utmi_pad_power_down+0x160/0x170 [ 237.763107] tegra186_utmi_phy_power_off+0x10/0x30 [ 237.763110] phy_power_off+0x48/0x100 [ 237.763113] tegra_xusb_enter_elpg+0x204/0x500 [ 237.763119] tegra_xusb_suspend+0x48/0x140 [ 237.763122] platform_pm_suspend+0x2c/0xb0 [ 237.763125] dpm_run_callback.isra.0+0x20/0xa0 [ 237.763127] __device_suspend+0x118/0x330 [ 237.763129] dpm_suspend+0x10c/0x1f0 [ 237.763130] dpm_suspend_start+0x88/0xb0 [ 237.763132] suspend_devices_and_enter+0x120/0x500 [ 237.763135] pm_suspend+0x1ec/0x270 The root cause was traced back to the dynamic power-down changes introduced in commit a30951d31b25 ("xhci: tegra: USB2 pad power controls"), where the UTMI pad was being powered down without verifying its current state. This unbalanced behavior led to discrepancies in the reference count. To rectify this issue, this patch replaces the single reference counter with a bitmask, renamed to utmi_pad_enabled. Each bit in the mask corresponds to one of the four USB2 PHYs, allowing us to track each pad's enablement status individually. With this change: - The bias pad is powered on only when the mask is clear. - Each UTMI pad is powered on or down based on its corresponding bit in the mask, preventing redundant operations. - The overall power state of the shared bias pad is maintained correctly during suspend/resume cycles. The mutex used to prevent race conditions during UTMI pad enable/disable operations has been moved from the tegra186_utmi_bias_pad_power_on/off functions to the parent functions tegra186_utmi_pad_power_on/down. This change ensures that there are no race conditions when updating the bitmask.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38010.html
CVE-2025-38010
https://bugzilla.suse.com/1244996
SUSE Bug 1244996

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: csa unmap use uninterruptible lock After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace. Change to use uninterruptible wait lock fix the issue. WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] Call Trace: <TASK> drm_file_free.part.0+0x1da/0x230 [drm] drm_close_helper.isra.0+0x65/0x70 [drm] drm_release+0x6a/0x120 [drm] amdgpu_drm_release+0x51/0x60 [amdgpu] __fput+0x9f/0x280 ____fput+0xe/0x20 task_work_run+0x67/0xa0 do_exit+0x217/0x3c0 do_group_exit+0x3b/0xb0 get_signal+0x14a/0x8d0 arch_do_signal_or_restart+0xde/0x100 exit_to_user_mode_loop+0xc1/0x1a0 exit_to_user_mode_prepare+0xf4/0x100 syscall_exit_to_user_mode+0x17/0x40 do_syscall_64+0x69/0xc0 (cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38011.html
CVE-2025-38011
https://bugzilla.suse.com/1244729
SUSE Bug 1244729

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller: UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]') This was missed in the initial conversions because I failed to locate the allocation likely due to the "sizeof(void *)" not matching the "channels" array type.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38013.html
CVE-2025-38013
https://bugzilla.suse.com/1244731
SUSE Bug 1244731

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper The idxd_cleanup() helper cleans up perfmon, interrupts, internals and so on. Refactor remove call with the idxd_cleanup() helper to avoid code duplication. Note, this also fixes the missing put_device() for idxd groups, enginces and wqs.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38014.html
CVE-2025-38014
https://bugzilla.suse.com/1244732
SUSE Bug 1244732
https://bugzilla.suse.com/1244733
SUSE Bug 1244733

Описание

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix memory leak in error handling path of idxd_alloc Memory allocated for idxd is not freed if an error occurs during idxd_alloc(). To fix it, free the allocated memory in the reverse order of allocation before exiting the function in case of an error.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38015.html
CVE-2025-38015
https://bugzilla.suse.com/1244789
SUSE Bug 1244789

Описание

In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will try to continue handling the partial record on the next call but we dettached the rcvq from the frag list. Alternative fix would be to reset full_len. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028 Call trace: tls_strp_check_rcv+0x128/0x27c tls_strp_data_ready+0x34/0x44 tls_data_ready+0x3c/0x1f0 tcp_data_ready+0x9c/0xe4 tcp_data_queue+0xf6c/0x12d0 tcp_rcv_established+0x52c/0x798

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38018.html
CVE-2025-38018
https://bugzilla.suse.com/1244999
SUSE Bug 1244999

Описание

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add offloads result in a null pointer dereference, as the uplink representor does not support MACsec offload even though the feature bit remains set. Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features(). Kernel log: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x128/0x1dd0 Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? __mutex_lock+0x128/0x1dd0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mutex_lock_io_nested+0x1ae0/0x1ae0 ? lock_acquire+0x1c2/0x530 ? macsec_upd_offload+0x145/0x380 ? lockdep_hardirqs_on_prepare+0x400/0x400 ? kasan_save_stack+0x30/0x40 ? kasan_save_stack+0x20/0x40 ? kasan_save_track+0x10/0x30 ? __kasan_kmalloc+0x77/0x90 ? __kmalloc_noprof+0x249/0x6b0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240 ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core] macsec_update_offload+0x26c/0x820 ? macsec_set_mac_address+0x4b0/0x4b0 ? lockdep_hardirqs_on_prepare+0x284/0x400 ? _raw_spin_unlock_irqrestore+0x47/0x50 macsec_upd_offload+0x2c8/0x380 ? macsec_update_offload+0x820/0x820 ? __nla_parse+0x22/0x30 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240 genl_family_rcv_msg_doit+0x1cc/0x2a0 ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240 ? cap_capable+0xd4/0x330 genl_rcv_msg+0x3ea/0x670 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? lockdep_set_lock_cmp_fn+0x190/0x190 ? macsec_update_offload+0x820/0x820 netlink_rcv_skb+0x12b/0x390 ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 ? netlink_ack+0xd80/0xd80 ? rwsem_down_read_slowpath+0xf90/0xf90 ? netlink_deliver_tap+0xcd/0xac0 ? netlink_deliver_tap+0x155/0xac0 ? _copy_from_iter+0x1bb/0x12c0 genl_rcv+0x24/0x40 netlink_unicast+0x440/0x700 ? netlink_attachskb+0x760/0x760 ? lock_acquire+0x1c2/0x530 ? __might_fault+0xbb/0x170 netlink_sendmsg+0x749/0xc10 ? netlink_unicast+0x700/0x700 ? __might_fault+0xbb/0x170 ? netlink_unicast+0x700/0x700 __sock_sendmsg+0xc5/0x190 ____sys_sendmsg+0x53f/0x760 ? import_iovec+0x7/0x10 ? kernel_sendmsg+0x30/0x30 ? __copy_msghdr+0x3c0/0x3c0 ? filter_irq_stacks+0x90/0x90 ? stack_depot_save_flags+0x28/0xa30 ___sys_sen ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38020.html
CVE-2025-38020
https://bugzilla.suse.com/1245001
SUSE Bug 1245001

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 strlen+0x93/0xa0 lib/string.c:420 __fortify_strlen include/linux/fortify-string.h:268 [inline] get_kobj_path_length lib/kobject.c:118 [inline] kobject_get_path+0x3f/0x2a0 lib/kobject.c:158 kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545 ib_register_device drivers/infiniband/core/device.c:1472 [inline] ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796 rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmsg+0x16d/0x220 net/socket.c:2652 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f This problem is similar to the problem that the commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name") fixes. The root cause is: the function ib_device_rename() renames the name with lock. But in the function kobject_uevent(), this name is accessed without lock protection at the same time. The solution is to add the lock protection when this name is accessed in the function kobject_uevent().

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38022.html
CVE-2025-38022
https://bugzilla.suse.com/1245003
SUSE Bug 1245003

Описание

In the Linux kernel, the following vulnerability has been resolved: nfs: handle failure of nfs_get_lock_context in unlock path When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace: <TASK> __rpc_execute+0xbc/0x480 rpc_async_schedule+0x2f/0x40 process_one_work+0x232/0x5d0 worker_thread+0x1da/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x240 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]--- Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38023.html
CVE-2025-38023
https://bugzilla.suse.com/1245004
SUSE Bug 1245004

Описание

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcf/0x610 mm/kasan/report.c:489 kasan_report+0xb5/0xe0 mm/kasan/report.c:602 rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 vfs_write fs/read_write.c:677 [inline] vfs_write+0x26a/0xcc0 fs/read_write.c:659 ksys_write+0x1b8/0x200 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f In the function rxe_create_cq, when rxe_cq_from_init fails, the function rxe_cleanup will be called to handle the allocated resources. In fact, some memory resources have already been freed in the function rxe_cq_from_init. Thus, this problem will occur. The solution is to let rxe_cleanup do all the work.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38024.html
CVE-2025-38024
https://bugzilla.suse.com/1245025
SUSE Bug 1245025

Описание

In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument. of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a struct devm_of_regulator_matches which will be de-allocated using devm_of_regulator_put_matches(). struct devm_of_regulator_matches is populated with the stack allocated matches array. If the device fails to probe, devm_of_regulator_put_matches() will be called and will try to call of_node_put() on that stack pointer, generating the following dmesg entries: max20086 6-0028: Failed to read DEVICE_ID reg: -121 kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet kobject_put() is being called. Followed by a stack trace matching the call flow described above. Switch to allocating the matches array using devm_kcalloc() to avoid accessing the stack pointer long after it's out of scope. This also has the advantage of allowing multiple max20086 to probe without overriding the data stored inside the global of_regulator_match.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38027.html
CVE-2025-38027
https://bugzilla.suse.com/1245042
SUSE Bug 1245042

Описание

In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38031.html
CVE-2025-38031
https://bugzilla.suse.com/1245046
SUSE Bug 1245046

Описание

In the Linux kernel, the following vulnerability has been resolved: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs The following splat has been observed on a SAMA5D27 platform using atmel_serial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5:0 preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 0 hardirqs last enabled at (0): [<00000000>] 0x0 hardirqs last disabled at (0): [<c01588f0>] copy_process+0x1c4c/0x7bec softirqs last enabled at (0): [<c0158944>] copy_process+0x1ca0/0x7bec softirqs last disabled at (0): [<00000000>] 0x0 CPU: 0 UID: 0 PID: 27 Comm: kworker/u5:0 Not tainted 6.13.0-rc7+ #74 Hardware name: Atmel SAMA5 Workqueue: hci0 hci_power_on [bluetooth] Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x44/0x70 dump_stack_lvl from __might_resched+0x38c/0x598 __might_resched from disable_irq+0x1c/0x48 disable_irq from mctrl_gpio_disable_ms+0x74/0xc0 mctrl_gpio_disable_ms from atmel_disable_ms.part.0+0x80/0x1f4 atmel_disable_ms.part.0 from atmel_set_termios+0x764/0x11e8 atmel_set_termios from uart_change_line_settings+0x15c/0x994 uart_change_line_settings from uart_set_termios+0x2b0/0x668 uart_set_termios from tty_set_termios+0x600/0x8ec tty_set_termios from ttyport_set_flow_control+0x188/0x1e0 ttyport_set_flow_control from wilc_setup+0xd0/0x524 [hci_wilc] wilc_setup [hci_wilc] from hci_dev_open_sync+0x330/0x203c [bluetooth] hci_dev_open_sync [bluetooth] from hci_dev_do_open+0x40/0xb0 [bluetooth] hci_dev_do_open [bluetooth] from hci_power_on+0x12c/0x664 [bluetooth] hci_power_on [bluetooth] from process_one_work+0x998/0x1a38 process_one_work from worker_thread+0x6e0/0xfb4 worker_thread from kthread+0x3d4/0x484 kthread from ret_from_fork+0x14/0x28 This warning is emitted when trying to toggle, at the highest level, some flow control (with serdev_device_set_flow_control) in a device driver. At the lowest level, the atmel_serial driver is using serial_mctrl_gpio lib to enable/disable the corresponding IRQs accordingly. The warning emitted by CONFIG_DEBUG_ATOMIC_SLEEP is due to disable_irq (called in mctrl_gpio_disable_ms) being possibly called in some atomic context (some tty drivers perform modem lines configuration in regions protected by port lock). Split mctrl_gpio_disable_ms into two differents APIs, a non-blocking one and a blocking one. Replace mctrl_gpio_disable_ms calls with the relevant version depending on whether the call is protected by some port lock.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38040.html
CVE-2025-38040
https://bugzilla.suse.com/1245078
SUSE Bug 1245078

Описание

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Set dma_mask for ffa devices Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning: WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38043.html
CVE-2025-38043
https://bugzilla.suse.com/1245081
SUSE Bug 1245081

Описание

In the Linux kernel, the following vulnerability has been resolved: media: cx231xx: set device_caps for 417 The video_device for the MPEG encoder did not set device_caps. Add this, otherwise the video device can't be registered (you get a WARN_ON instead). Not seen before since currently 417 support is disabled, but I found this while experimenting with it.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38044.html
CVE-2025-38044
https://bugzilla.suse.com/1245082
SUSE Bug 1245082

Описание

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix debug actions order The order of actions taken for debug was implemented incorrectly. Now we implemented the dump split and do the FW reset only in the middle of the dump (rather than the FW killing itself on error.) As a result, some of the actions taken when applying the config will now crash the device, so we need to fix the order.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38045.html
CVE-2025-38045
https://bugzilla.suse.com/1245083
SUSE Bug 1245083

Описание

In the Linux kernel, the following vulnerability has been resolved: idpf: fix null-ptr-deref in idpf_features_check idpf_features_check is used to validate the TX packet. skb header length is compared with the hardware supported value received from the device control plane. The value is stored in the adapter structure and to access it, vport pointer is used. During reset all the vports are released and the vport pointer that the netdev private structure points to is NULL. To avoid null-ptr-deref, store the max header length value in netdev private structure. This also helps to cache the value and avoid accessing adapter pointer in hot path. BUG: kernel NULL pointer dereference, address: 0000000000000068 ... RIP: 0010:idpf_features_check+0x6d/0xe0 [idpf] Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x154/0x520 ? exc_page_fault+0x76/0x190 ? asm_exc_page_fault+0x26/0x30 ? idpf_features_check+0x6d/0xe0 [idpf] netif_skb_features+0x88/0x310 validate_xmit_skb+0x2a/0x2b0 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x19d/0x3a0 __dev_queue_xmit+0xb74/0xe70 ...

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38053.html
CVE-2025-38053
https://bugzilla.suse.com/1244746
SUSE Bug 1244746

Описание

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault. For example: BUG: kernel NULL pointer dereference, address: 0000000000000195 <NMI> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0xca/0x290 ? exc_page_fault+0x7e/0x1b0 ? asm_exc_page_fault+0x26/0x30 ? intel_pmu_pebs_event_update_no_drain+0x40/0x60 ? intel_pmu_pebs_event_update_no_drain+0x32/0x60 intel_pmu_drain_pebs_icl+0x333/0x350 handle_pmi_common+0x272/0x3c0 intel_pmu_handle_irq+0x10a/0x2e0 perf_event_nmi_handler+0x2a/0x50 That happens because intel_pmu_pebs_event_update_no_drain() assumes all the pebs_enabled bits represent counter indexes, which is not always the case. In this particular case, bits 60 and 61 are set for PEBS-via-PT purposes. The behaviour of PEBS-via-PT with sample frequency is questionable because although a PMI is generated (PEBS_PMI_AFTER_EACH_RECORD), the period is not adjusted anyway. Putting that aside, fix intel_pmu_pebs_event_update_no_drain() by passing the mask of counter bits instead of 'size'. Note, prior to the Fixes commit, 'size' would be limited to the maximum counter index, so the issue was not hit.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38055.html
CVE-2025-38055
https://bugzilla.suse.com/1244747
SUSE Bug 1244747

Описание

In the Linux kernel, the following vulnerability has been resolved: espintcp: fix skb leaks A few error paths are missing a kfree_skb.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38057.html
CVE-2025-38057
https://bugzilla.suse.com/1244862
SUSE Bug 1244862

Описание

In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid csum tree [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace: BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs] Call Trace: <TASK> scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs] scrub_simple_mirror+0x175/0x290 [btrfs] scrub_stripe+0x5f7/0x6f0 [btrfs] scrub_chunk+0x9a/0x150 [btrfs] scrub_enumerate_chunks+0x333/0x660 [btrfs] btrfs_scrub_dev+0x23e/0x600 [btrfs] btrfs_ioctl+0x1dcf/0x2f80 [btrfs] __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x4f/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e [CAUSE] Mount option "rescue=idatacsums" will completely skip loading the csum tree, so that any data read will not find any data csum thus we will ignore data checksum verification. Normally call sites utilizing csum tree will check the fs state flag NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all. This results in scrub to call btrfs_search_slot() on a NULL pointer and triggered above crash. [FIX] Check both extent and csum tree root before doing any tree search.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38059.html
CVE-2025-38059
https://bugzilla.suse.com/1244759
SUSE Bug 1244759

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: copy_verifier_state() should copy 'loop_entry' field The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state. Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->cur_state->loop_entry should always be NULL after pop_stack(). See the selftest in the next commit for an example of the program that is not safe yet is accepted by verifier w/o this fix. This change has some verification performance impact for selftests: File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) ---------------------------------- ---------------------------- --------- --------- -------------- ---------- ---------- ------------- arena_htab.bpf.o arena_htab_llvm 717 426 -291 (-40.59%) 57 37 -20 (-35.09%) arena_htab_asm.bpf.o arena_htab_asm 597 445 -152 (-25.46%) 47 37 -10 (-21.28%) arena_list.bpf.o arena_list_del 309 279 -30 (-9.71%) 23 14 -9 (-39.13%) iters.bpf.o iter_subprog_check_stacksafe 155 141 -14 (-9.03%) 15 14 -1 (-6.67%) iters.bpf.o iter_subprog_iters 1094 1003 -91 (-8.32%) 88 83 -5 (-5.68%) iters.bpf.o loop_state_deps2 479 725 +246 (+51.36%) 46 63 +17 (+36.96%) kmem_cache_iter.bpf.o open_coded_iter 63 59 -4 (-6.35%) 7 6 -1 (-14.29%) verifier_bits_iter.bpf.o max_words 92 84 -8 (-8.70%) 8 7 -1 (-12.50%) verifier_iterating_callbacks.bpf.o cond_break2 113 107 -6 (-5.31%) 12 12 +0 (+0.00%) And significant negative impact for sched_ext: File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF) ----------------- ---------------------- --------- --------- -------------------- ---------- ---------- ------------------ bpf.bpf.o lavd_init 7039 14723 +7684 (+109.16%) 490 1139 +649 (+132.45%) bpf.bpf.o layered_dispatch 11485 10548 -937 (-8.16%) 848 762 -86 (-10.14%) bpf.bpf.o layered_dump 7422 1000001 +992579 (+13373.47%) 681 31178 +30497 (+4478.27%) bpf.bpf.o layered_enqueue 16854 71127 +54273 (+322.02%) 1611 6450 +4839 (+300.37%) bpf.bpf.o p2dq_dispatch 665 791 +126 (+18.95%) 68 78 +10 (+14.71%) bpf.bpf.o p2dq_init 2343 2980 +637 (+27.19%) 201 237 +36 (+17.91%) bpf.bpf.o refresh_layer_cpumasks 16487 674760 +658273 (+3992.68%) 1770 65370 +63600 (+3593.22%) bpf.bpf.o rusty_select_cpu 1937 40872 +38935 (+2010.07%) 177 3210 +3033 (+1713.56%) scx_central.bpf.o central_dispatch 636 2687 +2051 (+322.48%) 63 227 +164 (+260.32%) scx_nest.bpf.o nest_init 636 815 +179 (+28.14%) 60 73 +13 (+21.67%) scx_qmap.bpf.o qmap_dispatch ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38060.html
CVE-2025-38060
https://bugzilla.suse.com/1245155
SUSE Bug 1245155
https://bugzilla.suse.com/1245156
SUSE Bug 1245156

Описание

In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38065.html
CVE-2025-38065
https://bugzilla.suse.com/1244906
SUSE Bug 1244906
https://bugzilla.suse.com/1244907
SUSE Bug 1244907

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: lzo - Fix compression buffer overrun Unlike the decompression code, the compression code in LZO never checked for output overruns. It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller. Add a safe compression interface that checks for the end of buffer before each write. Use the safe interface in crypto/lzo.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38068.html
CVE-2025-38068
https://bugzilla.suse.com/1245210
SUSE Bug 1245210

Описание

In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver: Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm] Code and flow: 1) CXL Command 4000h returns LSA size = 0 2) config_size is assigned to zero LSA size (CXL pmem driver): drivers/cxl/pmem.c: .config_size = mds->lsa_size, 3) max_xfer is set to zero (nvdimm driver): drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size); 4) A subsequent DIV_ROUND_UP() causes a division by zero: drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */ drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer, drivers/nvdimm/label.c- config_size); Fix this by checking the config size parameter by extending an existing check.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38072.html
CVE-2025-38072
https://bugzilla.suse.com/1244743
SUSE Bug 1244743

Описание

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow. Add a check for an empty string. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38077.html
CVE-2025-38077
https://bugzilla.suse.com/1244736
SUSE Bug 1244736

Описание

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform it inside the buffer access lock, so that it won't be changed during the operation.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38078.html
CVE-2025-38078
https://bugzilla.suse.com/1244737
SUSE Bug 1244737

Описание

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38079.html
CVE-2025-38079
https://bugzilla.suse.com/1245217
SUSE Bug 1245217
https://bugzilla.suse.com/1245218
SUSE Bug 1245218

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38080.html
CVE-2025-38080
https://bugzilla.suse.com/1244738
SUSE Bug 1244738

Описание

In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38081.html
CVE-2025-38081
https://bugzilla.suse.com/1244739
SUSE Bug 1244739

Описание

In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38083.html
CVE-2025-38083
https://bugzilla.suse.com/1245183
SUSE Bug 1245183
https://bugzilla.suse.com/1245350
SUSE Bug 1245350

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV RLCG Register Access is a way for virtual functions to safely access GPU registers in a virtualized environment., including TLB flushes and register reads. When multiple threads or VFs try to access the same registers simultaneously, it can lead to race conditions. By using the RLCG interface, the driver can serialize access to the registers. This means that only one thread can access the registers at a time, preventing conflicts and ensuring that operations are performed correctly. Additionally, when a low-priority task holds a mutex that a high-priority task needs, ie., If a thread holding a spinlock tries to acquire a mutex, it can lead to priority inversion. register access in amdgpu_virt_rlcg_reg_rw especially in a fast code path is critical. The call stack shows that the function amdgpu_virt_rlcg_reg_rw is being called, which attempts to acquire the mutex. This function is invoked from amdgpu_sriov_wreg, which in turn is called from gmc_v11_0_flush_gpu_tlb. The [ BUG: Invalid wait context ] indicates that a thread is trying to acquire a mutex while it is in a context that does not allow it to sleep (like holding a spinlock). Fixes the below: [ 253.013423] ============================= [ 253.013434] [ BUG: Invalid wait context ] [ 253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G U OE [ 253.013464] ----------------------------- [ 253.013475] kworker/0:1/10 is trying to lock: [ 253.013487] ffff9f30542e3cf8 (&adev->virt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.013815] other info that might help us debug this: [ 253.013827] context-{4:4} [ 253.013835] 3 locks held by kworker/0:1/10: [ 253.013847] #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680 [ 253.013877] #1: ffffb789c008be40 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680 [ 253.013905] #2: ffff9f3054281838 (&adev->gmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu] [ 253.014154] stack backtrace: [ 253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G U OE 6.12.0-amdstaging-drm-next-lol-050225 #14 [ 253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024 [ 253.014224] Workqueue: events work_for_cpu_fn [ 253.014241] Call Trace: [ 253.014250] <TASK> [ 253.014260] dump_stack_lvl+0x9b/0xf0 [ 253.014275] dump_stack+0x10/0x20 [ 253.014287] __lock_acquire+0xa47/0x2810 [ 253.014303] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014321] lock_acquire+0xd1/0x300 [ 253.014333] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014562] ? __lock_acquire+0xa6b/0x2810 [ 253.014578] __mutex_lock+0x85/0xe20 [ 253.014591] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014782] ? sched_clock_noinstr+0x9/0x10 [ 253.014795] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014808] ? local_clock_noinstr+0xe/0xc0 [ 253.014822] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015012] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.015029] mutex_lock_nested+0x1b/0x30 [ 253.015044] ? mutex_lock_nested+0x1b/0x30 [ 253.015057] amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015249] amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu] [ 253.015435] gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu] [ 253.015667] gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu] [ 253.015901] ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu] [ 253.016159] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.016173] ? smu_hw_init+0x18d/0x300 [amdgpu] [ 253.016403] amdgpu_device_init+0x29ad/0x36a0 [amdgpu] [ 253.016614] amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu] [ 253.0170 ---truncated---

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38104.html
CVE-2025-38104
https://bugzilla.suse.com/1241635
SUSE Bug 1241635

Описание

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr The function mtk_dp_wait_hpd_asserted() may be called before the `mtk_dp->drm_dev` pointer is assigned in mtk_dp_bridge_attach(). Specifically it can be called via this callpath: - mtk_edp_wait_hpd_asserted - [panel probe] - dp_aux_ep_probe Using "drm" level prints anywhere in this callpath causes a NULL pointer dereference. Change the error message directly in mtk_dp_wait_hpd_asserted() to dev_err() to avoid this. Also change the error messages in mtk_dp_parse_capabilities(), which is called by mtk_dp_wait_hpd_asserted(). While touching these prints, also add the error code to them to make future debugging easier.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-38240.html
CVE-2025-38240
https://bugzilla.suse.com/1241457
SUSE Bug 1241457

Описание

In the Linux kernel, the following vulnerability has been resolved: jfs: fix slab-out-of-bounds read in ea_get() During the "size_check" label in ea_get(), the code checks if the extended attribute list (xattr) size matches ea_size. If not, it logs "ea_get: invalid extended attribute" and calls print_hex_dump(). Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds INT_MAX (2,147,483,647). Then ea_size is clamped: int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper limit is treated as an int, causing an overflow above 2^31 - 1. This leads "size" to wrap around and become negative (-184549328). The "size" is then passed to print_hex_dump() (called "len" in print_hex_dump()), it is passed as type size_t (an unsigned type), this is then stored inside a variable called "int remaining", which is then assigned to "int linelen" which is then passed to hex_dump_to_buffer(). In print_hex_dump() the for loop, iterates through 0 to len-1, where len is 18446744073525002176, calling hex_dump_to_buffer() on each iteration: for (i = 0; i < len; i += rowsize) { linelen = min(remaining, rowsize); remaining -= rowsize; hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize, linebuf, sizeof(linebuf), ascii); ... } The expected stopping condition (i < len) is effectively broken since len is corrupted and very large. This eventually leads to the "ptr+i" being passed to hex_dump_to_buffer() to get closer to the end of the actual bounds of "ptr", eventually an out of bounds access is done in hex_dump_to_buffer() in the following for loop: for (j = 0; j < len; j++) { if (linebuflen < lx + 2) goto overflow2; ch = ptr[j]; ... } To fix this we should validate "EALIST_SIZE(ea_buf->xattr)" before it is utilised.

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-39735.html
CVE-2025-39735
https://bugzilla.suse.com/1241625
SUSE Bug 1241625
https://bugzilla.suse.com/1241699
SUSE Bug 1241699

Описание

In the Linux kernel, the following vulnerability has been resolved: objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() If speed_hz < AMD_SPI_MIN_HZ, amd_set_spi_freq() iterates over the entire amd_spi_freq array without breaking out early, causing 'i' to go beyond the array bounds. Fix that by stopping the loop when it gets to the last entry, so the low speed_hz value gets clamped up to AMD_SPI_MIN_HZ. Fixes the following warning with an UBSAN kernel: drivers/spi/spi-amd.o: error: objtool: amd_set_spi_freq() falls through to next function amd_spi_set_opcode()

Затронутые продукты

SUSE Linux Enterprise High Availability Extension 15 SP7:cluster-md-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:dlm-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:gfs2-kmp-default-6.4.0-150700.53.6.1

SUSE Linux Enterprise High Availability Extension 15 SP7:ocfs2-kmp-default-6.4.0-150700.53.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-40014.html
CVE-2025-40014
https://bugzilla.suse.com/1241644
SUSE Bug 1241644

SUSE-SU-2025:02307-1

Описание

Список пакетов

SUSE Linux Enterprise High Availability Extension 15 SP7

SUSE Linux Enterprise Live Patching 15 SP7

SUSE Linux Enterprise Module for Basesystem 15 SP7

SUSE Linux Enterprise Module for Development Tools 15 SP7

SUSE Linux Enterprise Module for Legacy 15 SP7

SUSE Linux Enterprise Workstation Extension 15 SP7

Ссылки

Уязвимость: CVE-2023-52888

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2023-53146

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-26762

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-26831

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-41085

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-43869

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-49568

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-50034

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-50106

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-50293

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-56541

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-56613

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-56699

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-57982

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-57987

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-57988

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-57995

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2024-58004

Описание