SUSE-SU-2025:02322-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202502322-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:02322-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2025:02322-1
Upstream
Related
Published
2025-07-15T14:31:46Z
Modified
2026-03-11T07:30:00.802347Z
Summary
Security update for the Linux Kernel
Details

The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

  • CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468).
  • CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552).
  • CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821).
  • CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822).
  • CVE-2024-26808: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
  • CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820).
  • CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095).
  • CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
  • CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
  • CVE-2024-53057: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT (bsc#1233551).
  • CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156).
  • CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381).
  • CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637).
  • CVE-2024-57947: netfilter: nf_set_pipapo: fix initial map fill (bsc#1236333).
  • CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).
  • CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
  • CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313).
  • CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876).
  • CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782).
  • CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504).
  • CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417).
  • CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
  • CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330).
  • CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
  • CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
  • CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
  • CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732).
  • CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183).

The following non-security bugs were fixed:

  • Fix conditional for selecting gcc-13 Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).')
  • Fix reference in 'net_sched: sch_sfq: use a temporary work area for validating configuration' (bsc#1242504)
  • MyBS: Correctly generate build flags for non-multibuild package limit (bsc#1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
  • MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild')
  • MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then the separator is always needed.
  • Require zstd in kernel-default-devel when module compression is zstd To use the ksym-provides tool, modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides. Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
  • Test the correct macro to detect RT kernel build Fixes: 470cd1a41502 ('kernel-binary: Support livepatch_rt with merged RT branch')
  • Use gcc-13 for build on SLE16 (jsc#PED-10028).
  • add nf_tables for iptables non-legacy network handling This is needed for example by docker on the Alpine Linux distribution, but can also be used on openSUSE.
  • bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)')
  • check-for-config-changes: Fix flag name typo
  • doc/README.SUSE: Point to the updated version of LKMPG
  • hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431).
  • kernel-binary: Support livepatch_rt with merged RT branch
  • kernel-obs-qa: Use srchash for dependency as well
  • kernel-source: Also replace bin/env
  • kernel-source: Also update the search to match bin/env Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env')
  • kernel-source: Do not use multiple -r in sed parameters
  • kernel-source: Remove log.sh from sources
  • mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
  • mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
  • mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
  • net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
  • net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
  • packaging: Patch Makefile to pre-select gcc version (jsc#PED-12251).
  • packaging: Turn gcc version into config.sh variable Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).')
  • powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
  • powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
  • rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
  • rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN Both spellings are actually used
  • rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE
  • rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE Useful when someone tries (needs) to build the kernel with clang.
  • rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64.
  • rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
  • rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986) sle_version was obsoleted for SLE16. It has to be combined with a suse_version check.
  • rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038). OrderWithRequires was introduced in rpm 4.9 (ie. SLE12+) to allow a package to inform the order of installation of other package without hard requiring that package. This means our kernel-binary packages no longer need to hard require perl-Bootloader or dracut, resolving the long-commented issue there. This is also needed for udev & systemd-boot to ensure those packages are installed before being called by dracut (boo#1228659)
  • rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454)
  • rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303)
  • rpm/package-descriptions: Add rt and rt_debug descriptions
  • rpm/release-projects: Update the ALP projects again (bsc#1231293).
  • rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570)
  • rpm: Stop using is_kotd_qa macro This macro is set by bs-upload-kernel, and a conditional in each spec file is used to determine when to build the spec file. This logic should not really be in the spec file. Previously this was done with package links and package meta for the individual links. However, the use of package links is rejected for packages in git based release projects (nothing to do with git actually, new policy). An alternative to package links is multibuild. However, for multibuild packages package meta cannot be used to set which spec file gets built. Use prjconf buildflags instead, and remove this conditional. Depends on bs-upload-kernel adding the build flag.
  • scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
  • scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455).
  • wifi: cfg80211: Add my certificate (bsc#1243001).
  • wifi: cfg80211: fix certs build to not depend on file order (bsc#1243001).
References

Affected packages

SUSE:Linux Enterprise Micro 5.3
kernel-rt

Package

Name
kernel-rt
Purl
pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.14.21-150400.15.124.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt": "5.14.21-150400.15.124.1",
            "kernel-source-rt": "5.14.21-150400.15.124.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:02322-1.json"
kernel-source-rt

Package

Name
kernel-source-rt
Purl
pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.14.21-150400.15.124.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt": "5.14.21-150400.15.124.1",
            "kernel-source-rt": "5.14.21-150400.15.124.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:02322-1.json"
SUSE:Linux Enterprise Micro 5.4
kernel-rt

Package

Name
kernel-rt
Purl
pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.14.21-150400.15.124.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt": "5.14.21-150400.15.124.1",
            "kernel-source-rt": "5.14.21-150400.15.124.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:02322-1.json"
kernel-source-rt

Package

Name
kernel-source-rt
Purl
pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Enterprise%20Micro%205.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.14.21-150400.15.124.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-rt": "5.14.21-150400.15.124.1",
            "kernel-source-rt": "5.14.21-150400.15.124.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:02322-1.json"
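The affected ranges above are of type ECOSYSTEM, which for a SUSE record means the installed build has to be compared with RPM EVR ordering, not as a plain string: a kernel-rt at 5.14.21-150400.15.9.1 is older than the fixed 5.14.21-150400.15.124.1 even though "9" sorts after "124" lexically. The following is an added example, not code from this page, from SUSE or from osv.dev. It reconstructs a minimal OSV record from the fields shown above (the two ecosystems, the two package names, the introduced "0" / fixed 5.14.21-150400.15.124.1 range), reimplements librpm's rpmvercmp ordering in Python, and walks the range events the way OSV defines them (introduced/fixed pairs, half-open intervals). The record is constructed for the example and is not a copy of the published JSON; the function names are the example's own.

```python
"""Check an installed SUSE RPM build against the OSV affected ranges above.
Added example, not code from the OSV page, SUSE or osv.dev. ADVISORY is
constructed from the fields shown on the page, not copied from the published
JSON. An ECOSYSTEM range for an RPM distribution implies RPM EVR ordering,
so rpmvercmp() reimplements librpm's algorithm instead of comparing strings."""

FIXED = "5.14.21-150400.15.124.1"
ADVISORY = {"id": "SUSE-SU-2025:02322-1", "affected": [
    {"package": {"ecosystem": eco, "name": name},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": FIXED}]}]}
    for eco in ("SUSE:Linux Enterprise Micro 5.3", "SUSE:Linux Enterprise Micro 5.4")
    for name in ("kernel-rt", "kernel-source-rt")]}

def rpmvercmp(a: str, b: str) -> int:
    """librpm ordering: separators skipped, digit runs compare numerically
    (leading zeros ignored), letter runs as strings, digits beat letters,
    '~' sorts before everything (even end-of-string), '^' after end-of-string."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta = a[i] if i < len(a) else ""
        tb = b[j] if j < len(b) else ""
        if ta == "~" or tb == "~":
            if ta != "~" or tb != "~":
                return 1 if ta != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ta == "^" or tb == "^":
            if ta == "" or tb == "":
                return -1 if ta == "" else 1
            if ta != "^" or tb != "^":
                return 1 if ta != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ta and tb):
            break
        numeric = ta.isdigit()
        same_kind = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                     # kinds differ: numbers win
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def evr_cmp(x: str, y: str) -> int:
    """Compare 'epoch:version-release' strings as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'; an unset epoch prints '(none)'."""
    def split(evr):
        epoch = 0
        if ":" in evr:
            head, evr = evr.split(":", 1)
            epoch = 0 if head in ("", "(none)") else int(head)
        version, _, release = evr.partition("-")
        return epoch, version, release
    (ex, vx, rx), (ey, vy, ry) = split(x), split(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def is_affected(ecosystem: str, package: str, evr: str, advisory=ADVISORY) -> bool:
    """True if evr lies in an ECOSYSTEM range [introduced, fixed) listed for this
    ecosystem/package; 'introduced 0' and a missing 'fixed' are open-ended."""
    def inside(start, end):
        return ((start in (None, "0") or evr_cmp(evr, start) >= 0)
                and (end is None or evr_cmp(evr, end) < 0))
    for aff in advisory["affected"]:
        if (aff["package"]["ecosystem"], aff["package"]["name"]) != (ecosystem, package):
            continue
        for rng in aff["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            start = None
            for ev in rng["events"]:          # events are ordered introduced/fixed pairs
                if "introduced" in ev:
                    start = ev["introduced"]
                elif "fixed" in ev:
                    if inside(start, ev["fixed"]):
                        return True
                    start = None
            if start is not None and inside(start, None):
                return True
    return False
```

To use it against a real host, feed is_affected() the ecosystem string of the installed product and the output of `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' kernel-rt`; a result of True means the running kernel-rt predates 5.14.21-150400.15.124.1 and this update is still outstanding. The same comparison also applies to the kernel-source-rt build listed in the binaries map above.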