SUSE-SU-2025:02537-1

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2021-47557: net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1207361 bsc#1225468).
• CVE-2021-47595: net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1207361 bsc#1226552).
• CVE-2023-52924: netfilter: nf_tables: do not skip expired elements during walk (bsc#1236821).
• CVE-2023-52925: netfilter: nf_tables: do not fail inserts if duplicate has expired (bsc#1236822).
• CVE-2024-26808: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain (bsc#1222634).
• CVE-2024-26924: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1225820).
• CVE-2024-27397: kabi: place tstamp needed for nftables set in a hole (bsc#1224095).
• CVE-2024-36978: net: sched: sch_multiq: fix possible OOB write in multiq_tune() (bsc#1226514).
• CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
• CVE-2024-53057: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT (bsc#1233551).
• CVE-2024-53125: bpf: sync_linked_regs() must preserve subreg_def (bsc#1234156).
• CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1234381).
• CVE-2024-56770: sch/netem: fix use after free in netem_dequeue (bsc#1235637).
• CVE-2024-57947: netfilter: nf_set_pipapo: fix initial map fill (bsc#1236333).
• CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).
• CVE-2025-21702: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (bsc#1237312).
• CVE-2025-21703: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (bsc#1237313).
• CVE-2025-21756: vsock: Orphan socket after transport release (bsc#1238876).
• CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses (bsc#1242782).
• CVE-2025-37752: net_sched: sch_sfq: move the limit validation (bsc#1242504).
• CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling (bsc#1242417).
• CVE-2025-37823: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (bsc#1242924).
• CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (bsc#1243330).
• CVE-2025-37997: netfilter: ipset: fix region locking in hash types (bsc#1243832).
• CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (bsc#1244277).
• CVE-2025-38001: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (bsc#1244234).
• CVE-2025-38014: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper (bsc#1244732).
• CVE-2025-38083: net_sched: prio: fix a race in prio_tune() (bsc#1245183).

The following non-security bugs were fixed:

• Fix conditional for selecting gcc-13 Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).')
• Fix reference in 'net_sched: sch_sfq: use a temporary work area for validating configuration' (bsc#1242504)
• MyBS: Correctly generate build flags for non-multibuild package limit (bsc# 1244241) Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build')
• MyBS: Do not build kernel-obs-qa with limit_packages Fixes: 58e3f8c34b2b ('bs-upload-kernel: Pass limit_packages also on multibuild')
• MyBS: Simplify qa_expr generation Start with a 0 which makes the expression valid even if there are no QA repositories (currently does not happen). Then separator is always needed.
• Require zstd in kernel-default-devel when module compression is zstd To use ksym-provides tool modules need to be uncompressed. Without zstd at least kernel-default-base does not have provides. Link: https://github.com/openSUSE/rpm-config-SUSE/pull/82
• Use gcc-13 for build on SLE16 (jsc#PED-10028).
• add nf_tables for iptables non-legacy network handling This is needed for example by docker on the Alpine Linux distribution, but can also be used on openSUSE.
• bs-upload-kernel: Pass limit_packages also on multibuild Fixes: 0999112774fc ('MyBS: Use buildflags to set which package to build') Fixes: 747f601d4156 ('bs-upload-kernel, MyBS, Buildresults: Support multibuild (JSC-SLE#5501, boo#1211226, bsc#1218184)')
• check-for-config-changes: Fix flag name typo
• doc/README.SUSE: Point to the updated version of LKMPG
• hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431).
• kernel-binary: Support livepatch_rt with merged RT branch
• kernel-obs-qa: Use srchash for dependency as well
• kernel-source: Also replace bin/env
• kernel-source: Also update the search to match bin/env Fixes: dc2037cd8f94 ('kernel-source: Also replace bin/env'
• kernel-source: Remove log.sh from sources
• mkspec: Exclude rt flavor from kernel-syms dependencies (bsc#1244337).
• mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (bsc#1245431).
• mm/hugetlb: unshare page tables during VMA split, not before (bsc#1245431).
• net_sched: sch_fifo: implement lockless __fifo_dump() (bsc#1237312)
• net_sched: sch_sfq: use a temporary work area for validating configuration (bsc#1232504)
• packaging: Patch Makefile to pre-select gcc version (jsc#PED-12251).
• packaging: Turn gcc version into config.sh variable Fixes: 51dacec21eb1 ('Use gcc-13 for build on SLE16 (jsc#PED-10028).')
• powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap (bsc#1244309 ltc#213790).
• powerpc/vas: Return -EINVAL if the offset is non-zero in mmap() (bsc#1244309 ltc#213790).
• rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN
• rpm/check-for-config-changes: Add GCC_ASM_FLAG_OUTPUT_BROKEN Both spellings are actually used
• rpm/check-for-config-changes: add LD_CAN_ to IGNORED_CONFIGS_RE
• rpm/check-for-config-changes: add more to IGNORED_CONFIGS_RE Useful when someone tries (needs) to build the kernel with clang.
• rpm/check-for-config-changes: ignore DRM_MSM_VALIDATE_XML This option is dynamically enabled to build-test different configurations. This makes run_oldconfig.sh complain sporadically for arm64.
• rpm/kernel-binary.spec.in: Also order against update-bootloader (boo#1228659, boo#1240785, boo#1241038).
• rpm/kernel-binary.spec.in: Fix missing 20-kernel-default-extra.conf (bsc#1239986) sle_version was obsoleted for SLE16. It has to be combined with suse_version check.
• rpm/kernel-binary.spec.in: Use OrderWithRequires (boo#1228659 boo#1241038).
• rpm/kernel-binary.spec.in: fix KMPs build on 6.13+ (bsc#1234454)
• rpm/kernel-docs.spec.in: Workaround for reproducible builds (bsc#1238303)
• rpm/package-descriptions: Add rt and rt_debug descriptions
• rpm/release-projects: Update the ALP projects again (bsc#1231293).
• rpm/split-modules: Fix optional splitting with usrmerge (bsc#1238570)
• rpm: Stop using is_kotd_qa macro
• scsi: storvsc: Do not report the host packet status as the hv status (git-fixes).
• scsi: storvsc: Increase the timeouts to storvsc_timeout (bsc#1245455).
• wifi: cfg80211: Add my certificate (bsc#1243001).
• wifi: cfg80211: fix certs build to not depend on file order (bsc#1243001).