SUSE-SU-2025:01600-1

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2021-47659: drm/plane: Move range check for format_count earlier (bsc#1237839).
• CVE-2022-49044: dm integrity: fix memory corruption when tag_size is less than digest size (bsc#1237840).
• CVE-2022-49055: drm/amdkfd: Check for potential null return of kmalloc_array() (bsc#1237868).
• CVE-2022-49060: net/smc: Fix NULL pointer dereference in smcpnetfind_ib() (bsc#1237845).
• CVE-2022-49086: net: openvswitch: fix leak of nested actions (bsc#1238037).
• CVE-2022-49111: Bluetooth: Fix use after free in hcisendacl (bsc#1237984).
• CVE-2022-49118: scsi: hisi_sas: Free irq vectors in order for v3 HW (bsc#1237979).
• CVE-2022-49121: scsi: pm8001: Fix tag leaks on error (bsc#1237926).
• CVE-2022-49137: drm/amd/amdgpu/amdgpucs: fix refcount leak of a dmafence obj (bsc#1238155).
• CVE-2022-49175: PM: core: keep irq flags in devicepmcheck_callbacks() (bsc#1238099).
• CVE-2022-49176: bfq: fix use-after-free in bfqdispatchrequest (bsc#1238097).
• CVE-2022-49179: block, bfq: do not move oom_bfqq (bsc#1238092).
• CVE-2022-49188: remoteproc: qcomq6v5mss: Fix some leaks in q6v5allocmemory_region (bsc#1238138).
• CVE-2022-49197: af_netlink: Fix shift out of bounds in group mask calculation (bsc#1238455).
• CVE-2022-49205: bpf, sockmap: Fix double uncharge the mem of sk_msg (bsc#1238335).
• CVE-2022-49232: drm/amd/display: Fix a NULL pointer dereference in amdgpudmconnectoraddcommon_modes() (bsc#1238139).
• CVE-2022-49290: mac80211: fix potential double free on mesh join (bsc#1238156).
• CVE-2022-49305: drivers: staging: rtl8192u: Fix deadlock in ieee80211beaconsstop() (bsc#1238645).
• CVE-2022-49325: tcp: add accessors to read/set tp->snd_cwnd (bsc#1238398).
• CVE-2022-49335: drm/amdgpu/cs: make commands with 0 chunks illegal behaviour (bsc#1238377).
• CVE-2022-49351: net: altera: Fix refcount leak in alteratsemdio_create (bsc#1237939).
• CVE-2022-49385: driver: base: fix UAF when driver_attach failed (bsc#1237951).
• CVE-2022-49390: macsec: fix UAF bug for real_dev (bsc#1238233).
• CVE-2022-49411: bfq: Make sure bfqg for which we are queueing requests is online (bsc#1238307).
• CVE-2022-49442: drivers/base/node.c: fix compaction sysfs file leak (bsc#1238243).
• CVE-2022-49465: blk-throttle: Set BIO_THROTTLED when bio has been throttled (bsc#1238919).
• CVE-2022-49478: media: pvrusb2: fix array-index-out-of-bounds in pvr2i2ccore_init (bsc#1238000).
• CVE-2022-49489: drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume (bsc#1238244).
• CVE-2022-49504: scsi: lpfc: Inhibit aborts if external loopback plug is inserted (bsc#1238835).
• CVE-2022-49521: scsi: lpfc: Fix resource leak in lpfcsli4sendseqto_ulp() (bsc#1238938).
• CVE-2022-49525: media: cx25821: Fix the warning when removing the module (bsc#1238022).
• CVE-2022-49534: scsi: lpfc: Protect memory leak for NPIV ports sending PLOGI_RJT (bsc#1238893).
• CVE-2022-49535: scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI (bsc#1238937).
• CVE-2022-49536: scsi: lpfc: Fix SCSI I/O completion and abort handler deadlock (bsc#1238838).
• CVE-2022-49537: scsi: lpfc: Fix call trace observed during I/O with CMF enabled (bsc#1238930).
• CVE-2022-49542: scsi: lpfc: Move cfglogverbose check before calling lpfcdmpdbg() (bsc#1238722).
• CVE-2022-49561: netfilter: conntrack: re-fetch conntrack after insertion (bsc#1238537).
• CVE-2022-49590: igmp: Fix data-races around sysctligmpllm_reports (bsc#1238844).
• CVE-2022-49658: bpf, selftests: Add verifier test case for imm=0,umin=0,umax=1 scalar (bsc#1238803).
• CVE-2022-49668: PM / devfreq: exynos-ppmu: Fix refcount leak in ofgetdevfreq_events (bsc#1237957).
• CVE-2022-49693: drm/msm/mdp4: Fix refcount leak in mdp4modesetinit_intf (bsc#1237954).
• CVE-2022-49725: i40e: Fix call trace in setuptxdescriptors (bsc#1238016).
• CVE-2022-49728: kABI workaround for changeing the variable length type to size_t (bsc#1239111).
• CVE-2022-49730: scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted (bsc#1239070).
• CVE-2022-49749: i2c: designware: use casting of u64 in clock multiplication to avoid overflow (bsc#1240243).
• CVE-2022-49753: dmaengine: Fix double increment of clientcount in dmachan_get() (bsc#1240250).
• CVE-2023-53023: net: nfc: Fix use-after-free in local_cleanup() (bsc#1240309).
• CVE-2023-53032: netfilter: ipset: Fix overflow before widen in the bitmapipcreate() function (bsc#1240270).
• CVE-2024-49994: block: fix integer overflow in BLKSECDISCARD (bsc#1237757).
• CVE-2024-50038: netfilter: xtables: fix typo causing some targets not to load on IPv6 (bsc#1231910).
• CVE-2024-50272: filemap: Fix bounds checking in filemap_read() (bsc#1233461 bsc#1234209).
• CVE-2024-52559: drm/msm/gem: prevent integer overflow in msmioctlgem_submit() (bsc#1238507).
• CVE-2024-54683: netfilter: IDLETIMER: Fix for possible ABBA deadlock (bsc#1235729).
• CVE-2024-56590: skbuff: introduce skbpulldata (bsc#1235038).
• CVE-2024-56641: net/smc: initialize close_work early to avoid warning (bsc#1235526).
• CVE-2024-57924: fs: relax assertions on failure to encode file handles (bsc#1236086).
• CVE-2024-57980: media: uvcvideo: Fix double free in error path (bsc#1237911).
• CVE-2024-57981: usb: xhci: Fix NULL pointer dereference on certain command aborts (bsc#1237912).
• CVE-2024-58005: tpm: Change to kvalloc() in eventlog/acpi.c (bsc#1237873).
• CVE-2024-58009: Bluetooth: L2CAP: handle NULL sock pointer in l2capsockalloc (bsc#1238760).
• CVE-2024-58017: printk: Fix signed integer overflow when defining LOGBUFLEN_MAX (bsc#1237950 bsc#1239112).
• CVE-2024-58063: wifi: rtlwifi: fix memory leaks and invalid access at probe error path (bsc#1238984).
• CVE-2024-58093: PCI/ASPM: Fix link state exit during switch upstream function removal (bsc#1241347).
• CVE-2025-21635: rds: sysctl: rdstcp{rcv,snd}buf: avoid using current->nsproxy (bsc#1236111).
• CVE-2025-21735: NFC: nci: Add bounds checking in ncihcicreate_pipe() (bsc#1238497).
• CVE-2025-21750: wifi: brcmfmac: Check the return value of ofpropertyreadstringindex() (bsc#1238905).
• CVE-2025-21758: ipv6: mcast: add RCU protection to mld_newpack() (bsc#1238737).
• CVE-2025-21768: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels (bsc#1238714).
• CVE-2025-21772: partitions: mac: fix handling of bogus partition table (bsc#1238911).
• CVE-2025-21779: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel (bsc#1238768).
• CVE-2025-21806: net: let net.core.dev_weight always be non-zero (bsc#1238746).
• CVE-2025-21862: drop_monitor: fix incorrect initialization order (bsc#1239474).
• CVE-2025-21881: uprobes: Reject the shared zeropage in uprobewriteopcode() (bsc#1240185).
• CVE-2025-21909: wifi: nl80211: reject cooked mode if it is set along with other flags (bsc#1240590).
• CVE-2025-21910: wifi: cfg80211: regulatory: improve invalid hints checking (bsc#1240583).
• CVE-2025-21926: net: gso: fix ownership in _udpgso_segment (bsc#1240712).
• CVE-2025-21927: nvme-tcp: fix potential memory corruption in nvmetcprecv_pdu() (bsc#1240714).
• CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio (bsc#1240709).
• CVE-2025-21941: drm/amd/display: Fix null check for pipectx->planestate in (bsc#1240701).
• CVE-2025-21948: HID: appleir: Fix potential NULL dereference at raw event handle (bsc#1240703).
• CVE-2025-21956: drm/amd/display: Assign normalizedpixclk when color depth = 14 (bsc#1240739).
• CVE-2025-21957: scsi: qla1280: Fix kernel oops when debug level > 2 (bsc#1240742).
• CVE-2025-21963: cifs: Fix integer overflow while processing acdirmax mount option (bsc#1240717).
• CVE-2025-21964: cifs: Fix integer overflow while processing acregmax mount option (bsc#1240740).
• CVE-2025-21976: fbdev: hyperv_fb: Allow graceful removal of framebuffer (bsc#1241145).
• CVE-2025-22004: net: atm: fix use after free in lec_send() (bsc#1240835).
• CVE-2025-22008: regulator: check that dummy regulator has been probed before using it (bsc#1240942).
• CVE-2025-22010: RDMA/hns: Fix soft lockup during bt pages loop (bsc#1240943).
• CVE-2025-22018: atm: Fix NULL pointer dereference (bsc#1241266).
• CVE-2025-22053: net: ibmveth: make vethpoolstore stop hanging (bsc#1241373).
• CVE-2025-22055: net: fix geneve_opt length integer overflow (bsc#1241371).
• CVE-2025-22060: net: mvpp2: Prevent parser TCAM memory corruption (bsc#1241526).
• CVE-2025-22086: RDMA/mlx5: Fix mlx5pollone() cur_qp update flow (bsc#1241458).
• CVE-2025-23131: dlm: prevent NPD when writing a positive value to event_done (bsc#1241601).
• CVE-2025-37785: ext4: fix OOB read when checking dotdot dir (bsc#1241640).

The following non-security bugs were fixed:

• Revert 'ipv6: Fix signed integer overflow in _ip6append_data'
• Revert 'kABI workaround for changeing the variable length type to size_t'
• audit: Send netlink ACK before setting connection in auditd_set (bsc#1231450).
• brcmfmac: of: Use devmkstrdup for boardtype & check for errors (bsc#1238905)
• brcmfmac: of: remove redundant variable len (bsc#1238905)
• cifs: Fix integer overflow while processing actimeo mount option (git-fixes).
• fbdev: hypervfb: Simplify hvfbputmem (git-fixes).
• net: Fix data-races around weightp and devweight[rt]xbias (bsc#1238746)
• remoteproc: qcomq6v5mss: Extract mba/mpss from memory-region (bsc#1238138)
• tpm, tpm_tis: Workaround failed command reception on Infineon devices (bsc#1235870).
• tpm: tis: Double the timeout B to 4s (bsc#1235870).
• wifi: brcmfmac: use strreplace() in brcmfofprobe() (bsc#1238905)
• x86/bhi: Do not set BHIDISS in 32-bit mode (bsc#1242778).
• x86/bpf: Add IBHF call at end of classic BPF (bsc#1242778).
• x86/bpf: Call branch history clearing sequence on exit (bsc#1242778).