Sync from SUSE:SLFO:Kernel:1.0 kernel-livepatch-MICRO-6-0_Update_10 revision 591b82e3dc22a33172efb48473421f15

Makefile

@@ -4,7 +4,7 @@ ccflags-y += -I$(obj)
 
 obj-m := livepatch-@@RPMRELEASE@@.o
 
-livepatch-@@RPMRELEASE@@-y := livepatch_main.o uname_patch/livepatch_uname.o 
+livepatch-@@RPMRELEASE@@-y := livepatch_main.o uname_patch/livepatch_uname.o bsc1248376/livepatch_bsc1248376.o bsc1248673/livepatch_bsc1248673.o bsc1249534/livepatch_bsc1249534.o bsc1248631/livepatch_bsc1248631.o bsc1249207/livepatch_bsc1249207.o bsc1248672/livepatch_bsc1248672.o bsc1249537/bsc1249537_net_tls_tls_strp.o bsc1249537/bsc1249537_net_tls_tls_sw.o 
 
 default:
 	$(MAKE) -C $(KDIR) M=$(CURDIR) modules
@@ -12,3 +12,19 @@ default:
 clean:
 	$(MAKE) -C $(KDIR) M=$(CURDIR) clean
 
+CFLAGS_livepatch_bsc1248376.o += -Werror
+CFLAGS_bsc1248376/livepatch_bsc1248376.o += -Werror
+CFLAGS_livepatch_bsc1248673.o += -Werror
+CFLAGS_bsc1248673/livepatch_bsc1248673.o += -Werror
+CFLAGS_livepatch_bsc1249534.o += -Werror
+CFLAGS_bsc1249534/livepatch_bsc1249534.o += -Werror
+CFLAGS_livepatch_bsc1248631.o += -Werror
+CFLAGS_bsc1248631/livepatch_bsc1248631.o += -Werror
+CFLAGS_livepatch_bsc1249207.o += -Werror
+CFLAGS_bsc1249207/livepatch_bsc1249207.o += -Werror
+CFLAGS_livepatch_bsc1248672.o += -Werror
+CFLAGS_bsc1248672/livepatch_bsc1248672.o += -Werror
+CFLAGS_bsc1249537_net_tls_tls_strp.o += -Werror
+CFLAGS_bsc1249537/bsc1249537_net_tls_tls_strp.o += -Werror
+CFLAGS_bsc1249537_net_tls_tls_sw.o += -Werror
+CFLAGS_bsc1249537/bsc1249537_net_tls_tls_sw.o += -Werror

config.sh

@@ -1 +1,3 @@
-IBS_PROJECT=SUSE:ALP:Source:Standard:Core:1.0:Build
+IBS_PROJECT=SUSE:SLFO:Kernel:1.0:Build
+PATCHINFO_ID=patchinfo.20250806141506275744.90520734224245
+

kernel-livepatch-MICRO-6-0_Update_10.changes

@@ -1,3 +1,137 @@
+-------------------------------------------------------------------
+Fri Nov 21 09:44:53 CET 2025 - nstange@suse.de
+
+- Bump up the version number in spec file
+- commit cc7a8a8
+
+-------------------------------------------------------------------
+Fri Nov 14 16:38:47 CET 2025 - vincenzo.mezzela@suse.com
+
+- Fix for CVE-2025-38616 ("tls: handle data disappearing from under the TLS ULP")
+  Live patch for CVE-2025-38616. Upstream commits:
+- 6db015fc4b5d ("tls: handle data disappearing from under the TLS ULP")
+  KLP: CVE-2025-38616
+  References: bsc#1249537 CVE-2025-38616
+- commit eb23d17
+
+-------------------------------------------------------------------
+Thu Nov 13 11:38:58 CET 2025 - ali.abdallah@suse.de
+
+- Fix for CVE-2025-38500 ("xfrm: interface: fix use-after-free after changing collect_md xfrm interface")
+  Live patch for CVE-2025-38500. Upstream commit:
+- a90b2a1aaacb ("xfrm: interface: fix use-after-free after changing collect_md xfrm interface")
+  KLP: CVE-2025-38500
+  References: bsc#1248672 CVE-2025-38500
+- commit 3958092
+
+-------------------------------------------------------------------
+Thu Oct 30 10:13:10 CET 2025 - nstange@suse.de
+
+- Bump up the version number in spec file
+- commit 8f7269d
+
+-------------------------------------------------------------------
+Wed Oct 29 11:41:55 CET 2025 - ali.abdallah@suse.de
+
+- Fix for CVE-2025-38664 ("ice: Fix a null pointer dereference in ice_copy_and_init_pkg()")
+  Live patch for CVE-2025-38664. Upstream commit:
+- 4ff12d82dac1 ("ice: Fix a null pointer dereference in ice_copy_and_init_pkg()")
+  KLP: CVE-2025-38664
+  References: bsc#1248631 CVE-2025-38664
+- commit 1c1ab21
+
+-------------------------------------------------------------------
+Tue Oct 21 08:58:42 CEST 2025 - ali.abdallah@suse.de
+
+- Fix for CVE-2025-38618 ("vsock: Do not allow binding to VMADDR_PORT_ANY")
+  Live patch for CVE-2025-38618. Upstream commit:
+- aba0c94f61ec ("vsock: Do not allow binding to VMADDR_PORT_ANY")
+  KLP: CVE-2025-38618
+  References: bsc#1249207 CVE-2025-38618
+- commit 8e242ac
+
+-------------------------------------------------------------------
+Fri Oct 17 09:31:14 CEST 2025 - nstange@suse.de
+
+- Bump up the version number in spec file
+- commit 279ea40
+
+-------------------------------------------------------------------
+Wed Oct 15 18:14:08 CEST 2025 - vincenzo.mezzela@suse.com
+
+- Fix for CVE-2025-38678 ("netfilter: nf_tables: reject duplicate device on updates")
+  Live patch for CVE-2025-38678. Upstream commit:
+- cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates")
+  KLP: CVE-2025-38678
+  References: bsc#1249534 CVE-2025-38678
+- commit c3d6ac9
+
+-------------------------------------------------------------------
+Fri Oct 10 03:58:08 CEST 2025 - lidong.zhong@suse.com
+
+- Fix for CVE-2025-38499 ("clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns")
+  Live patch for CVE-2025-38499. Upstream commit:
+- c28f922c9dce ("clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns")
+  KLP: CVE-2025-38499
+  References: bsc#1248673 CVE-2025-38499
+- commit 0901e87
+
+-------------------------------------------------------------------
+Mon Oct  6 15:00:24 CEST 2025 - vincenzo.mezzela@suse.com
+
+- Fix for CVE-2025-38566 ("sunrpc: fix handling of server side tls alerts")
+  Live patch for CVE-2025-38566. Upstream commit:
+- bee47cb026e7 ("sunrpc: fix handling of server side tls alerts")
+  KLP: CVE-2025-38566
+  References: bsc#1248376 CVE-2025-38566
+- commit f1e26eb
+
+-------------------------------------------------------------------
+Fri Sep 19 12:39:50 CEST 2025 - vincenzo.mezzela@suse.com
+
+- klp_trace.h: add KLPR_TRACE_EVENT_CONDITION macro
+- commit 17e9fce
+
+-------------------------------------------------------------------
+Mon Sep 15 14:46:14 CEST 2025 - nstange@suse.de
+
+- Add IBS _buildenv files + update PATCHINFO_ID after the initial submission
+- commit 07052ed
+
+-------------------------------------------------------------------
+Mon Sep  1 09:41:08 CEST 2025 - nstange@suse.de
+
+- scripts/tar-up.sh: unconditionally enable s390x on SLE default
+  Nowadays, s390x builds should be enabed for all SLE default kernels
+  -- the versions from before the point where s390x coverage got
+  added to the product have gone out of support a long time ago.
+  Remove the conditional s390x enablement logic from tar-up.sh.
+- commit 9bcbefb
+
+-------------------------------------------------------------------
+Mon Aug 18 14:38:37 CEST 2025 - pmladek@suse.com
+
+- kernel-livepatch.spec: Replace kernel-syms with kernel-<flavor>-specific dependencies (bsc#1248108)
+  The commit ead79afe7cbfae ("kernel-livepatch.spec: Update build
+  dependencies for non-default flavors") broke build of livepatches
+  which were built with kernel-syms-rt.
+  The problem is that livepatch packages for already released kernels
+  are built in exactly the same build environment as the initial livepatch.
+  The BS (Build Service) installs the build environment using the given
+  _buildinfo-*.xml and ignores BuildRequires. But the BuildRequires are
+  later checked by rpmbuild tool. It would complain when new dependencies
+  were added.
+  Unfortunately, kernel-syms-rt does not exist on SLE16. This was the main
+  motivation for the above mentioned commit.
+  But the package kernel-syms is empty. Its only purpose is to add other
+  dependencies. Replace it by opencoding the dependencies.
+  Note that the kernel devel files are historically split into various
+  packages, kernel-<flavor>-devel, kernel-devel-<flavor>, and
+  even kernel-devel. But it is enough to require kernel-<flavor>-devel
+  because it requires the other devel files on its own. This seems
+  to be true back to SLE15-SP4 at minimum.
+- commit 7696578
+
 -------------------------------------------------------------------
 Tue Jul  1 13:36:15 CEST 2025 - mbenes@suse.cz
 
@@ -10,6 +144,21 @@ Tue Jul  1 13:36:15 CEST 2025 - mbenes@suse.cz
   time).
 - commit ead79af
 
+-------------------------------------------------------------------
+Fri Jun 27 13:57:01 CEST 2025 - mbenes@suse.cz
+
+- Remove the support for different flavors, take 2
+  There is a support for different kernel flavors from the beginning in
+  our spec file. Originally, there were -default and -xen flavors.
+  However, it is questionable. A live patch is built against a very
+  specific kernel binary. Different flavors of the same kernel source can
+  be easily different also in this respect.
+  Remove it then. The build process is driven by "variant" macro deriving
+  from a branch name. We can stick with that. %klp_module_package defines
+  %flavor based on that. It also keeps %flavors_to_build definition for
+  older releases without this change.
+- commit b9cd481
+
 -------------------------------------------------------------------
 Thu Jun 26 14:51:43 CEST 2025 - mbenes@suse.cz
 
@@ -49,6 +198,17 @@ Wed Jun 18 13:01:24 CEST 2025 - mbenes@suse.cz
   from a branch name. We can stick with that.
 - commit 6254bb4
 
+-------------------------------------------------------------------
+Thu May 15 10:23:31 CEST 2025 - nstange@suse.de
+
+- uname_patch: don't use klp_convert.h wrappers
+  With the removal of klp_convert.h, the uname_patch fails to compile.
+  Replace all invocations of the KLP_SYM_LINKAGE or KLP_SYM() macros
+  formerly defined there in by their expansions for the !USE_KLP_CONVERT
+  case and drop the klp_convert.h #include.
+  Fixes: b2fa29be2 ("Remove old klp-convert support")
+- commit 601b6d1
+
 -------------------------------------------------------------------
 Mon Apr 28 14:31:04 CEST 2025 - mbenes@suse.cz
 
@@ -57,7 +217,7 @@ Mon Apr 28 14:31:04 CEST 2025 - mbenes@suse.cz
   patches. It never happened. Kallsyms was used up until SLE15-SP6 where
   everything was migrated to much lighter klp-convert-mini implementation.
   Remove the old klp-convert support all together now.
-- commit 1731556
+- commit b2fa29b
 
 -------------------------------------------------------------------
 Mon Apr 28 14:00:44 CEST 2025 - mbenes@suse.cz

kernel-livepatch-MICRO-6-0_Update_10.spec

@@ -20,7 +20,7 @@
 %define variant %{nil}
 
 Name:           kernel-livepatch-MICRO-6-0_Update_10
-Version:        1
+Version:        4
 Release:        1
 %define module_num %(echo %version-%release | sed 'y/\./_/')
 License:        GPL-2.0
@@ -36,25 +36,36 @@ Source6:	klp_syscalls.h
 Source7:	klp_trace.h
 Source8:	lp-mod-checks.sh
 # Auto expanded KLP_PATCHES_SOURCES:
-
+Source9:	bsc1248376.tar.bz2
+Source10:	bsc1248631.tar.bz2
+Source11:	bsc1248672.tar.bz2
+Source12:	bsc1248673.tar.bz2
+Source13:	bsc1249207.tar.bz2
+Source14:	bsc1249534.tar.bz2
+Source15:	bsc1249537.tar.bz2
+# Use kernel-<flavor> specific build dependencies instead of kernel-syms (bsc#1248108)
 %if "%variant" != ""
 BuildRequires:  kernel%variant-devel
+%else
+BuildRequires:  kernel-default-devel
 %endif
-BuildRequires:  kernel-syms kernel-livepatch-tools-devel libelf-devel
+BuildRequires:  pesign-obs-integration
+BuildRequires:  kernel-livepatch-tools-devel
+BuildRequires:  libelf-devel
 ExclusiveArch:	x86_64 s390x
 %klp_module_package
 
 %description
 This is a live patch for SUSE Linux Enterprise Server kernel.
 
-Source timestamp: 2025-08-05 10:51:56 +0200
-GIT Revision: d9d1af1b6b8dd7ff9e61226be3d68856d2bf3ae2
+Source timestamp: 2025-11-21 09:44:53 +0100
+GIT Revision: cc7a8a81660adaf54d14965ca8f2f3e25c4f7307
 GIT Branch: MICRO-6-0_Update_10
 
 %prep
 %setup -c
 # Auto expanded KLP_PATCHES_SETUP_SOURCES:
-
+%setup -T -D -a 9 -a 10 -a 11 -a 12 -a 13 -a 14 -a 15
 cp %_sourcedir/livepatch_main.c .
 cp %_sourcedir/shadow.h .
 cp %_sourcedir/Makefile .
@@ -67,22 +78,19 @@ sed -i 's/@@RPMRELEASE@@/%module_num/g' livepatch_main.c
 echo 'livepatch-%module_num' >Module.supported
 set -- *
 
-for flavor in %flavors_to_build; do
-	mkdir -p "obj/$flavor"
-	cp -r "$@" "obj/$flavor"
-	make -C %{kernel_source $flavor} M="$PWD/obj/$flavor" modules
+mkdir -p "obj/%flavor"
+cp -r "$@" "obj/%flavor"
+make -C %{kernel_source %flavor} M="$PWD/obj/%flavor" modules
 
-	for module in $(find "obj/$flavor" -name '*.ko'); do
-	    /bin/sh %_sourcedir/lp-mod-checks.sh "$module"
-	done
+for module in $(find "obj/%flavor" -name '*.ko'); do
+    /bin/sh %_sourcedir/lp-mod-checks.sh "$module"
 done
 
 %install
 export INSTALL_MOD_DIR=livepatch
 export INSTALL_MOD_PATH=%buildroot
-for flavor in %flavors_to_build; do
-	make -C %{kernel_source $flavor} M="$PWD/obj/$flavor" modules_install
-done
+
+make -C %{kernel_source %flavor} M="$PWD/obj/%flavor" modules_install
 
 %changelog
 

klp_trace.h

@@ -38,6 +38,13 @@
 #define KLPR_TRACE_EVENT(name, proto, args) \
 	KLPR_DECLARE_TRACE(name, PARAMS(proto), PARAMS(args))
 
+#define KLPR_TRACE_EVENT_CONDITION(name, proto, args, cond)		\
+	KLPR___DECLARE_TRACE(name, PARAMS(proto), PARAMS(args),		\
+		cpu_online(raw_smp_processor_id()) && PARAMS(cond),	\
+		PARAMS(void *__data, proto),				\
+		PARAMS(__data, args))
+
+
 #elif LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
 
 #define KLPR___DO_TRACE_CALL(name, args)   (*klpe___traceiter_##name)(NULL, args)
@@ -99,6 +106,11 @@
 #define KLPR_TRACE_EVENT(name, proto, args) \
 	KLPR_DECLARE_TRACE(name, PARAMS(proto), PARAMS(args))
 
+#define KLPR_TRACE_EVENT_CONDITION(name, proto, args, cond)		\
+	KLPR___DECLARE_TRACE(name, PARAMS(proto), PARAMS(args),		\
+		cpu_online(raw_smp_processor_id()) && PARAMS(cond),	\
+		PARAMS(void *__data, proto))
+
 #else /* LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) */
 
 #define KLPR___DO_TRACE_CALL(name, args)   __traceiter_##name(NULL, args)
@@ -164,6 +176,11 @@
 #define KLPR_TRACE_EVENT(module, name, proto, args) \
 	KLPR_DECLARE_TRACE(module, name, PARAMS(proto), PARAMS(args))
 
+#define KLPR_TRACE_EVENT_CONDITION(module, name, proto, args, cond)	\
+	KLPR___DECLARE_TRACE(module, name, PARAMS(proto), PARAMS(args),	\
+		cpu_online(raw_smp_processor_id()) && PARAMS(cond),	\
+		PARAMS(void *__data, proto))
+
 #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(5, 12, 0) */
 
 

livepatch_main.c

@@ -25,6 +25,13 @@
 #include "uname_patch/livepatch_uname.h"
 
 /* Auto expanded KLP_PATCHES_INCLUDES: */
+#include "bsc1248376/livepatch_bsc1248376.h"
+#include "bsc1248631/livepatch_bsc1248631.h"
+#include "bsc1248672/livepatch_bsc1248672.h"
+#include "bsc1248673/livepatch_bsc1248673.h"
+#include "bsc1249207/livepatch_bsc1249207.h"
+#include "bsc1249534/livepatch_bsc1249534.h"
+#include "bsc1249537/livepatch_bsc1249537.h"
 
 
 static struct klp_object objs[] = {
@@ -42,6 +49,53 @@ static struct klp_object objs[] = {
 			  .new_func = KLP_SYSCALL_COMPAT_STUB_SYM(klp_newuname),
 			},
 #endif
+			{ .old_name = __stringify(clone_private_mount), .new_func = klpp_clone_private_mount, },
+			{ }
+		}
+	},
+#if IS_ENABLED(CONFIG_ICE)
+	{
+		.name = "ice",
+		.funcs = (struct klp_func[]) {
+			{ .old_name = __stringify(ice_copy_and_init_pkg), .new_func = klpp_ice_copy_and_init_pkg, },
+			{ }
+		}
+	},
+#endif
+	{
+		.name = "nf_tables",
+		.funcs = (struct klp_func[]) {
+			{ .old_name = __stringify(nf_tables_newchain), .new_func = klpp_nf_tables_newchain, },
+			{ .old_name = __stringify(nf_tables_newflowtable), .new_func = klpp_nf_tables_newflowtable, },
+			{ }
+		}
+	},
+	{
+		.name = "sunrpc",
+		.funcs = (struct klp_func[]) {
+			{ .old_name = __stringify(svc_tcp_read_msg), .new_func = klpp_svc_tcp_read_msg, },
+			{ .old_name = __stringify(svc_tcp_recvfrom), .new_func = klpp_svc_tcp_recvfrom, },
+			{ }
+		}
+	},
+	{
+		.name = "tls",
+		.funcs = (struct klp_func[]) {
+			{ .old_name = __stringify(tls_rx_rec_wait), .new_func = klpp_tls_rx_rec_wait, },
+			{ }
+		}
+	},
+	{
+		.name = "vsock",
+		.funcs = (struct klp_func[]) {
+			{ .old_name = __stringify(__vsock_bind), .new_func = klpp___vsock_bind, },
+			{ }
+		}
+	},
+	{
+		.name = "xfrm_interface",
+		.funcs = (struct klp_func[]) {
+			{ .old_name = __stringify(xfrmi_changelink), .new_func = klpp_xfrmi_changelink, },
 			{ }
 		}
 	},
@@ -61,13 +115,53 @@ static int __init klp_patch_init(void)
 	pr_info("livepatch: initializing\n");
 
 	/* Auto expanded KLP_PATCHES_INIT_CALLS: */
+	retval = livepatch_bsc1248376_init();
+	if (retval)
+		goto err_bsc1248376;
 
+	retval = livepatch_bsc1248631_init();
+	if (retval)
+		goto err_bsc1248631;
+
+	retval = livepatch_bsc1248672_init();
+	if (retval)
+		goto err_bsc1248672;
+
+	retval = livepatch_bsc1248673_init();
+	if (retval)
+		goto err_bsc1248673;
+
+	retval = livepatch_bsc1249207_init();
+	if (retval)
+		goto err_bsc1249207;
+
+	retval = livepatch_bsc1249534_init();
+	if (retval)
+		goto err_bsc1249534;
+
+	retval = livepatch_bsc1249537_init();
+	if (retval)
+		goto err_bsc1249537;
 
 	retval = klp_enable_patch(&patch);
 	if (!retval)
 		return retval;
 
 	/* Auto expanded KLP_PATCHES_INIT_ERR_HANDLERS: */
+	livepatch_bsc1249537_cleanup();
+err_bsc1249537:
+	livepatch_bsc1249534_cleanup();
+err_bsc1249534:
+	livepatch_bsc1249207_cleanup();
+err_bsc1249207:
+	livepatch_bsc1248673_cleanup();
+err_bsc1248673:
+	livepatch_bsc1248672_cleanup();
+err_bsc1248672:
+	livepatch_bsc1248631_cleanup();
+err_bsc1248631:
+	livepatch_bsc1248376_cleanup();
+err_bsc1248376:
 
 	return retval;
 }
@@ -77,6 +171,13 @@ static void __exit klp_patch_cleanup(void)
 	pr_info("livepatch: removed\n");
 
 	/* Auto expanded KLP_PATCHES_CLEANUP_CALLS: */
+	livepatch_bsc1248376_cleanup();
+	livepatch_bsc1248631_cleanup();
+	livepatch_bsc1248672_cleanup();
+	livepatch_bsc1248673_cleanup();
+	livepatch_bsc1249207_cleanup();
+	livepatch_bsc1249534_cleanup();
+	livepatch_bsc1249537_cleanup();
 
 }
 
@@ -85,4 +186,4 @@ module_exit(klp_patch_cleanup);
 
 MODULE_LICENSE("GPL");
 MODULE_INFO(livepatch, "Y");
-MODULE_INFO(klpgitrev, "d9d1af1b6b8dd7ff9e61226be3d68856d2bf3ae2");
+MODULE_INFO(klpgitrev, "cc7a8a81660adaf54d14965ca8f2f3e25c4f7307");

source-timestamp

@@ -1,3 +1,3 @@
-2025-08-05 10:51:56 +0200
-GIT Revision: d9d1af1b6b8dd7ff9e61226be3d68856d2bf3ae2
+2025-11-21 09:44:53 +0100
+GIT Revision: cc7a8a81660adaf54d14965ca8f2f3e25c4f7307
 GIT Branch: MICRO-6-0_Update_10