Home Home > GIT Browse > SLE15
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-05-22 22:18:52 +0200
committerTakashi Iwai <tiwai@suse.de>2019-05-22 22:18:52 +0200
commitb095074a0a1d757e55076f58576eea9ab76bcb21 (patch)
tree9941c4a9b815e8809145be40a6cd668cc1a92b63
parent29f671a11acae8c530b63a0ada7df18b8efa4790 (diff)
parent303186e6fe000e0203b094a54544660c7f3c4f08 (diff)
Merge branch 'users/dkirjanov/SLE15/for-next' into SLE15SLE15
Pull net fixes from Denis Kirjanov
-rw-r--r--patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch37
-rw-r--r--patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch52
-rw-r--r--patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch116
-rw-r--r--patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch70
-rw-r--r--patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch47
-rw-r--r--patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch68
-rw-r--r--patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch99
-rw-r--r--patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch36
-rw-r--r--patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch38
-rw-r--r--patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch45
-rw-r--r--patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch41
-rw-r--r--patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch62
-rw-r--r--patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch65
-rw-r--r--patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch58
-rw-r--r--patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch39
-rw-r--r--patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch79
-rw-r--r--patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch56
-rw-r--r--patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch64
-rw-r--r--patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch46
-rw-r--r--patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch99
-rw-r--r--patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch37
-rw-r--r--series.conf21
22 files changed, 1275 insertions, 0 deletions
diff --git a/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch b/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
new file mode 100644
index 0000000000..047cf3ba05
--- /dev/null
+++ b/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
@@ -0,0 +1,37 @@
+From: Jann Horn <jannh@google.com>
+Subject: netfilter: nf_log: fix uninit read in
+ nf_log_proc_dostring
+Patch-mainline: v4.18-rc4
+Git-commit: dffd22aed2aa1e804bccf19b30a421e89ee2ae61
+References: git-fixes
+
+When proc_dostring() is called with a non-zero offset in strict mode, it
+doesn't just write to the ->data buffer, it also reads. Make sure it
+doesn't read uninitialized data.
+
+Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_log.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
+index 8bb152a7cca4..91dad1afab05 100644
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -440,6 +440,10 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
+ if (write) {
+ struct ctl_table tmp = *table;
+
++ /* proc_dostring() can append to existing strings, so we need to
++ * initialize it as an empty string.
++ */
++ buf[0] = '\0';
+ tmp.data = buf;
+ r = proc_dostring(&tmp, write, buffer, lenp, ppos);
+ if (r)
+--
+2.12.3
+
diff --git a/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch b/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
new file mode 100644
index 0000000000..7a3835aa28
--- /dev/null
+++ b/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
@@ -0,0 +1,52 @@
+From: Jann Horn <jannh@google.com>
+Subject: netfilter: nf_log: don't hold nf_log_mutex during user
+ access
+Patch-mainline: v4.18-rc4
+Git-commit: ce00bf07cc95a57cd20b208e02b3c2604e532ae8
+References: git-fixes
+
+
+The old code would indefinitely block other users of nf_log_mutex if
+a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
+region. Fix it by moving proc_dostring() out of the locked region.
+
+This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix
+sleeping function called from invalid context"), which changed this code
+from using rcu_read_lock() to taking nf_log_mutex.
+
+Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_log.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
+index 91dad1afab05..cdc744aa5889 100644
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -462,14 +462,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
+ rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
+ mutex_unlock(&nf_log_mutex);
+ } else {
++ struct ctl_table tmp = *table;
++
++ tmp.data = buf;
+ mutex_lock(&nf_log_mutex);
+ logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
+ if (!logger)
+- table->data = "NONE";
++ strlcpy(buf, "NONE", sizeof(buf));
+ else
+- table->data = logger->name;
+- r = proc_dostring(table, write, buffer, lenp, ppos);
++ strlcpy(buf, logger->name, sizeof(buf));
+ mutex_unlock(&nf_log_mutex);
++ r = proc_dostring(&tmp, write, buffer, lenp, ppos);
+ }
+
+ return r;
+--
+2.12.3
+
diff --git a/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch b/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
new file mode 100644
index 0000000000..b84a27b9a0
--- /dev/null
+++ b/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
@@ -0,0 +1,116 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: xfrm_user: prevent leaking 2 bytes of kernel memory
+Patch-mainline: v4.18-rc8
+Git-commit: 45c180bc29babbedd6b8c01b975780ef44d9d09c
+References: git-fixes
+
+struct xfrm_userpolicy_type has two holes, so we should not
+use C99 style initializer.
+
+KMSAN report:
+
+BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
+ kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
+ kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
+ copyout lib/iov_iter.c:140 [inline]
+ _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+ copy_to_iter include/linux/uio.h:106 [inline]
+ skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
+ skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
+ netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
+ sock_recvmsg_nosec net/socket.c:802 [inline]
+ sock_recvmsg+0x1d6/0x230 net/socket.c:809
+ ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
+ __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
+ do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
+ __do_sys_recvmmsg net/socket.c:2485 [inline]
+ __se_sys_recvmmsg net/socket.c:2481 [inline]
+ __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x446ce9
+RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
+RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
+RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
+R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
+ __nla_put lib/nlattr.c:569 [inline]
+ nla_put+0x276/0x340 lib/nlattr.c:627
+ copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
+ dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+ xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
+ netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
+ __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
+ netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
+ xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Local variable description: ----upt.i@dump_one_policy
+Variable was created at:
+ dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+
+Byte 130 of 137 is uninitialized
+Memory access starts at ffff88019550407f
+
+Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_user.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index e2287bc70691..5e8f4f3fbe6b 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1642,9 +1642,11 @@ static inline size_t userpolicy_type_attrsize(void)
+ #ifdef CONFIG_XFRM_SUB_POLICY
+ static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+ {
+- struct xfrm_userpolicy_type upt = {
+- .type = type,
+- };
++ struct xfrm_userpolicy_type upt;
++
++ /* Sadly there are two holes in struct xfrm_userpolicy_type */
++ memset(&upt, 0, sizeof(upt));
++ upt.type = type;
+
+ return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch b/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
new file mode 100644
index 0000000000..1b96095957
--- /dev/null
+++ b/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
@@ -0,0 +1,70 @@
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Subject: xfrm: fix missing dst_release() after policy blocking
+ lbcast and multicast
+Patch-mainline: v4.18-rc8
+Git-commit: 8cc88773855f988d6a3bbf102bbd9dd9c828eb81
+References: git-fixes
+
+
+Fix missing dst_release() when local broadcast or multicast traffic is
+xfrm policy blocked.
+
+For IPv4 this results to dst leak: ip_route_output_flow() allocates
+dst_entry via __ip_route_output_key() and passes it to
+xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
+propagated. The dst that was allocated is never released.
+
+IPv4 local broadcast testcase:
+ ping -b 192.168.1.255 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block
+
+IPv4 multicast testcase:
+ ping 224.0.0.1 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block
+
+For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
+ ip netns add TEST
+ ip netns exec TEST ip link set lo up
+ ip link add dummy0 type dummy
+ ip link set dev dummy0 netns TEST
+ ip netns exec TEST ip addr add fd00::1111 dev dummy0
+ ip netns exec TEST ip link set dummy0 up
+ ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
+ sleep 1
+ ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
+ wait
+ ip netns del TEST
+
+After netns deletion we see:
+[ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2
+
+Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_policy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 736bddd6bf0d..e86a65292879 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2350,6 +2350,9 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
+ if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
+ return make_blackhole(net, dst_orig->ops->family, dst_orig);
+
++ if (IS_ERR(dst))
++ dst_release(dst_orig);
++
+ return dst;
+ }
+ EXPORT_SYMBOL(xfrm_lookup_route);
+--
+2.12.3
+
diff --git a/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch b/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
new file mode 100644
index 0000000000..1e08c72521
--- /dev/null
+++ b/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
@@ -0,0 +1,47 @@
+From: Jeremy Cline <jcline@redhat.com>
+Subject: net: socket: fix potential spectre v1 gadget in
+ socketcall
+Patch-mainline: v4.18-rc8
+Git-commit: c8e8cd579bb4265651df8223730105341e61a2d1
+References: git-fixes
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index 24bb6684bdda..6a0427b79727 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2433,6 +2434,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
+
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+
+ len = nargs[call];
+ if (len > sizeof(a))
+--
+2.12.3
+
diff --git a/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch b/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
new file mode 100644
index 0000000000..7e241b76d4
--- /dev/null
+++ b/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
@@ -0,0 +1,68 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: refine ring v3 block size test to hold one
+ frame
+Patch-mainline: v4.18
+Git-commit: 4576cd469d980317c4edd9173f8b694aa71ea3a3
+References: git-fixes
+
+TPACKET_V3 stores variable length frames in fixed length blocks.
+Blocks must be able to store a block header, optional private space
+and at least one minimum sized frame.
+
+Frames, even for a zero snaplen packet, store metadata headers and
+optional reserved space.
+
+In the block size bounds check, ensure that the frame of the
+chosen configuration fits. This includes sockaddr_ll and optional
+tp_reserve.
+
+Syzbot was able to construct a ring with insuffient room for the
+sockaddr_ll in the header of a zero-length frame, triggering an
+out-of-bounds write in dev_parse_header.
+
+Convert the comparison to less than, as zero is a valid snap len.
+This matches the test for minimum tp_frame_size immediately below.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index cf7652bb2218..aefda8127760 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4285,6 +4285,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ }
+
+ if (req->tp_block_nr) {
++ unsigned int min_frame_size;
++
+ /* Sanity tests and some calculations */
+ err = -EBUSY;
+ if (unlikely(rb->pg_vec))
+@@ -4307,12 +4309,12 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ goto out;
++ min_frame_size = po->tp_hdrlen + po->tp_reserve;
+ if (po->tp_version >= TPACKET_V3 &&
+- req->tp_block_size <=
+- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
++ req->tp_block_size <
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
+ goto out;
+- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+- po->tp_reserve))
++ if (unlikely(req->tp_frame_size < min_frame_size))
+ goto out;
+ if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
+ goto out;
+--
+2.12.3
+
diff --git a/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch b/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
new file mode 100644
index 0000000000..c8eb608238
--- /dev/null
+++ b/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
@@ -0,0 +1,99 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: fix addrconf_sysctl_addr_gen_mode
+Patch-mainline: v4.19-rc1
+Git-commit: c6dbf7aaa48289d2eeacbef06785c069869ed0c0
+References: git-fixes
+
+
+addrconf_sysctl_addr_gen_mode() has multiple problems. First, it ignores
+the errors returned by proc_dointvec().
+
+addrconf_sysctl_addr_gen_mode() calls proc_dointvec() directly, which
+writes the value to memory, and then checks if it's valid and may return
+EINVAL. If a bad value is given, the value displayed when reading
+net.ipv6.conf.foo.addr_gen_mode next time will be invalid. In case the
+value provided by the user was valid, addrconf_dev_config() won't be
+called since idev->cnf.addr_gen_mode has already been updated.
+
+Fix this in the usual way we deal with values that need to be checked
+after the proc_do*() helper has returned: define a local ctl_table and
+storage, call proc_dointvec() on that temporary area, then check and
+store.
+
+addrconf_sysctl_addr_gen_mode() also writes the new value to the global
+ipv6_devconf_dflt, when we're writing to some netns's default, so that
+new netns will inherit the value that was set by the change occuring in
+any netns. That doesn't make any sense, so let's drop this assignment.
+
+Finally, since addr_gen_mode is a __u32, switch to proc_douintvec().
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 4a21afaacc59..1e72d02dd061 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5790,32 +5790,31 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ loff_t *ppos)
+ {
+ int ret = 0;
+- int new_val;
++ u32 new_val;
+ struct inet6_dev *idev = (struct inet6_dev *)ctl->extra1;
+ struct net *net = (struct net *)ctl->extra2;
++ struct ctl_table tmp = {
++ .data = &new_val,
++ .maxlen = sizeof(new_val),
++ .mode = ctl->mode,
++ };
+
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+- ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
++ new_val = *((u32 *)ctl->data);
+
+- if (write) {
+- new_val = *((int *)ctl->data);
++ ret = proc_douintvec(&tmp, write, buffer, lenp, ppos);
++ if (ret != 0)
++ goto out;
+
++ if (write) {
+ if (check_addr_gen_mode(new_val) < 0) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+- /* request for default */
+- if (&net->ipv6.devconf_dflt->addr_gen_mode == ctl->data) {
+- ipv6_devconf_dflt.addr_gen_mode = new_val;
+-
+- /* request for individual net device */
+- } else {
+- if (!idev)
+- goto out;
+-
++ if (idev) {
+ if (check_stable_privacy(idev, net, new_val) < 0) {
+ ret = -EINVAL;
+ goto out;
+@@ -5826,6 +5825,8 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ addrconf_dev_config(idev->dev);
+ }
+ }
++
++ *((u32 *)ctl->data) = new_val;
+ }
+
+ out:
+--
+2.12.3
+
diff --git a/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch b/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
new file mode 100644
index 0000000000..6ccd45d7b5
--- /dev/null
+++ b/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
@@ -0,0 +1,36 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: don't reinitialize ndev->cnf.addr_gen_mode on
+ new inet6_dev
+Patch-mainline: v4.19-rc1
+Git-commit: 70c30d76e580fe4aefe6facdf0f1edb1aa9a0e7a
+References: git-fixes
+
+
+The value has already been copied from this netns's devconf_dflt, it
+shouldn't be reset to the global kernel default.
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 1e72d02dd061..8a8bb3eb9b1e 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -395,8 +395,6 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
+
+ if (ndev->cnf.stable_secret.initialized)
+ ndev->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+- else
+- ndev->cnf.addr_gen_mode = ipv6_devconf_dflt.addr_gen_mode;
+
+ ndev->cnf.mtu6 = dev->mtu;
+ ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
+--
+2.12.3
+
diff --git a/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch b/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
new file mode 100644
index 0000000000..9fd786f94f
--- /dev/null
+++ b/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
@@ -0,0 +1,38 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: reserve room for IFLA_INET6_ADDR_GEN_MODE
+Patch-mainline: v4.19-rc1
+Git-commit: bdd72f41333d9f61a22e4c4494e95782e9731fdb
+References: git-fixes
+
+
+inet6_ifla6_size() is called to check how much space is needed by
+inet6_fill_link_af() and inet6_fill_ifinfo(), both of which include
+the IFLA_INET6_ADDR_GEN_MODE attribute. Reserve some room for it.
+
+Fixes: bc91b0f07ada ("ipv6: addrconf: implement address generation modes")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 8a8bb3eb9b1e..bbe616f991e9 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5107,7 +5107,9 @@ static inline size_t inet6_ifla6_size(void)
+ + nla_total_size(DEVCONF_MAX * 4) /* IFLA_INET6_CONF */
+ + nla_total_size(IPSTATS_MIB_MAX * 8) /* IFLA_INET6_STATS */
+ + nla_total_size(ICMP6_MIB_MAX * 8) /* IFLA_INET6_ICMP6STATS */
+- + nla_total_size(sizeof(struct in6_addr)); /* IFLA_INET6_TOKEN */
++ + nla_total_size(sizeof(struct in6_addr)) /* IFLA_INET6_TOKEN */
++ + nla_total_size(1) /* IFLA_INET6_ADDR_GEN_MODE */
++ + 0;
+ }
+
+ static inline size_t inet6_if_nlmsg_size(void)
+--
+2.12.3
+
diff --git a/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch b/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
new file mode 100644
index 0000000000..0ace619829
--- /dev/null
+++ b/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
@@ -0,0 +1,45 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: propagate net.ipv6.conf.all.addr_gen_mode to
+ devices
+Patch-mainline: v4.19-rc1
+Git-commit: f24c5987dddd28b23443e7b21b55d47549207755
+References: git-fixes
+
+This aligns the addr_gen_mode sysctl with the expected behavior of the
+"all" variant.
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Suggested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index bbe616f991e9..106da7d7052b 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5824,6 +5824,18 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ idev->cnf.addr_gen_mode = new_val;
+ addrconf_dev_config(idev->dev);
+ }
++ } else if (&net->ipv6.devconf_all->addr_gen_mode == ctl->data) {
++ struct net_device *dev;
++
++ net->ipv6.devconf_dflt->addr_gen_mode = new_val;
++ for_each_netdev(net, dev) {
++ idev = __in6_dev_get(dev);
++ if (idev &&
++ idev->cnf.addr_gen_mode != new_val) {
++ idev->cnf.addr_gen_mode = new_val;
++ addrconf_dev_config(idev->dev);
++ }
++ }
+ }
+
+ *((u32 *)ctl->data) = new_val;
+--
+2.12.3
+
diff --git a/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch b/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
new file mode 100644
index 0000000000..a0cca58803
--- /dev/null
+++ b/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
@@ -0,0 +1,41 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Subject: xfrm: fix 'passing zero to ERR_PTR()' warning
+Patch-mainline: v4.19-rc1
+Git-commit: 934ffce1343f22ed5e2d0bd6da4440f4848074de
+References: git-fixes
+
+
+Fix a static code checker warning:
+
+ net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR'
+
+xfrm_tmpl_resolve return 0 just means no xdst found, return NULL
+instead of passing zero to ERR_PTR.
+
+Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_policy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index e86a65292879..c82c695fa3fd 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1864,7 +1864,10 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
+ /* Try to instantiate a bundle */
+ err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
+ if (err <= 0) {
+- if (err != 0 && err != -EAGAIN)
++ if (err == 0)
++ return NULL;
++
++ if (err != -EAGAIN)
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
+ return ERR_PTR(err);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch b/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
new file mode 100644
index 0000000000..0fb0103115
--- /dev/null
+++ b/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
@@ -0,0 +1,62 @@
+From: Shmulik Ladkani <shmulik@metanetworks.com>
+Subject: ip6_tunnel: collect_md xmit: Use ip_tunnel_key's
+ provided src address
+Patch-mainline: v4.19-rc1
+Git-commit: 3789cabaab1a939eb56edd76bbde2c2e49f081da
+References: git-fixes
+
+
+calculation purposes (flowi6 construction) and for assigning the
+packet's final ipv6h->saddr.
+
+This makes it impossible specifying a desired ipv6 local address in the
+encapsulating header (for example, when using tc action tunnel_key).
+
+This is also not aligned with behavior of ipip (ipv4) in collect_md
+mode, where the key->u.ipv4.src gets used.
+
+Fix, by assigning fl6.saddr with given key->u.ipv6.src.
+In case ipv6.src is not specified, ip6_tnl_xmit uses existing saddr
+selection code.
+
+Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_tunnel.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index f626d3e5c8dc..92a0ff707023 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1115,7 +1115,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
+ dst = NULL;
+ goto tx_err_link_failure;
+ }
+- if (t->parms.collect_md &&
++ if (t->parms.collect_md && ipv6_addr_any(&fl6->saddr) &&
+ ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
+ &fl6->daddr, 0, &fl6->saddr))
+ goto tx_err_link_failure;
+@@ -1253,6 +1253,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ key = &tun_info->key;
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_proto = IPPROTO_IPIP;
++ fl6.saddr = key->u.ipv6.src;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+ dsfield = key->tos;
+@@ -1325,6 +1326,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ key = &tun_info->key;
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_proto = IPPROTO_IPV6;
++ fl6.saddr = key->u.ipv6.src;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+ dsfield = key->tos;
+--
+2.12.3
+
diff --git a/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch b/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
new file mode 100644
index 0000000000..5afd71b135
--- /dev/null
+++ b/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
@@ -0,0 +1,65 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: ipv6: fix cleanup ordering for ip6_mr failure
+Patch-mainline: v4.19-rc3
+Git-commit: afe49de44c27a89e8e9631c44b5ffadf6ace65e2
+References: git-fixes
+
+
+Commit 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+moved the cleanup label for ipmr_fail, but should have changed the
+contents of the cleanup labels as well. Now we can end up cleaning up
+icmpv6 even though it hasn't been initialized (jump to icmp_fail or
+ipmr_fail).
+
+Simply undo things in the reverse order of their initialization.
+
+Example of panic (triggered by faking a failure of icmpv6_init):
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ ? lock_release+0x8a0/0x8a0
+ unregister_pernet_operations+0xd4/0x560
+ ? ops_free_list+0x480/0x480
+ ? down_write+0x91/0x130
+ ? unregister_pernet_subsys+0x15/0x30
+ ? down_read+0x1b0/0x1b0
+ ? up_read+0x110/0x110
+ ? kmem_cache_create_usercopy+0x1b4/0x240
+ unregister_pernet_subsys+0x1d/0x30
+ icmpv6_cleanup+0x1d/0x30
+ inet6_init+0x1b5/0x23f
+
+Fixes: 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/af_inet6.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 94b0cf2c2829..45873b1025d4 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -1085,11 +1085,11 @@ static int __init inet6_init(void)
+ igmp_fail:
+ ndisc_cleanup();
+ ndisc_fail:
+- ip6_mr_cleanup();
++ icmpv6_cleanup();
+ icmp_fail:
+- unregister_pernet_subsys(&inet6_net_ops);
++ ip6_mr_cleanup();
+ ipmr_fail:
+- icmpv6_cleanup();
++ unregister_pernet_subsys(&inet6_net_ops);
+ register_pernet_fail:
+ sock_unregister(PF_INET6);
+ rtnl_unregister_all(PF_INET6);
+--
+2.12.3
+
diff --git a/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch b/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
new file mode 100644
index 0000000000..af792c0fe8
--- /dev/null
+++ b/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
@@ -0,0 +1,58 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: ipv6: fix cleanup ordering for pingv6 registration
+Patch-mainline: v4.19-rc3
+Git-commit: a03dc36bdca6b614651fedfcd8559cf914d2d21d
+References: git-fixes
+
+
+Commit 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+contains an error in the cleanup path of inet6_init(): when
+proto_register(&pingv6_prot, 1) fails, we try to unregister
+&pingv6_prot. When rawv6_init() fails, we skip unregistering
+&pingv6_prot.
+
+Example of panic (triggered by faking a failure of
+ proto_register(&pingv6_prot, 1)):
+
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ proto_unregister+0xbb/0x550
+ ? trace_preempt_on+0x6f0/0x6f0
+ ? sock_no_shutdown+0x10/0x10
+ inet6_init+0x153/0x1b8
+
+Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/af_inet6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 45873b1025d4..7f6e15e03ef5 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -911,14 +911,14 @@ static int __init inet6_init(void)
+
+ err = proto_register(&pingv6_prot, 1);
+ if (err)
+- goto out_unregister_ping_proto;
++ goto out_unregister_raw_proto;
+
+ /* We MUST register RAW sockets before we create the ICMP6,
+ * IGMP6, or NDISC control sockets.
+ */
+ err = rawv6_init();
+ if (err)
+- goto out_unregister_raw_proto;
++ goto out_unregister_ping_proto;
+
+ /* Register the family here so that the init calls below will
+ * be able to create sockets. (?? is this dangerous ??)
+--
+2.12.3
+
diff --git a/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch b/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
new file mode 100644
index 0000000000..64f8a446a1
--- /dev/null
+++ b/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
@@ -0,0 +1,39 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Subject: igmp: fix incorrect unsolicit report count when join
+ group
+Patch-mainline: v4.19-rc3
+Git-commit: 4fb7253e4f9a8f06a986a3b317e2f79d9b43d552
+References: git-fixes
+
+We should not start timer if im->unsolicit_count equal to 0 after decrease.
+Or we will send one more unsolicit report message. i.e. 3 instead of 2 by
+default.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/igmp.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index eaec888f3b6c..6afb20af0f93 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -820,10 +820,9 @@ static void igmp_timer_expire(unsigned long data)
+ spin_lock(&im->lock);
+ im->tm_running = 0;
+
+- if (im->unsolicit_count) {
+- im->unsolicit_count--;
++ if (im->unsolicit_count && --im->unsolicit_count)
+ igmp_start_timer(im, unsolicited_report_interval(in_dev));
+- }
++
+ im->reporter = 1;
+ spin_unlock(&im->lock);
+
+--
+2.12.3
+
diff --git a/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch b/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
new file mode 100644
index 0000000000..5e4f5e883a
--- /dev/null
+++ b/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
@@ -0,0 +1,79 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: release chain in flushing set
+Patch-mainline: v4.19-rc4
+Git-commit: 7acfda539c0b9636a58bfee56abfb3aeee806d96
+References: git-fixes
+
+When element of verdict map is deleted, the delete routine should
+release chain. however, flush element of verdict map routine doesn't
+release chain.
+
+test commands:
+ %nft add table ip filter
+ %nft add chain ip filter c1
+ %nft add map ip filter map1 { type ipv4_addr : verdict \; }
+ %nft add element ip filter map1 { 1 : jump c1 }
+ %nft flush map ip filter map1
+ %nft flush ruleset
+
+splat looks like:
+[ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415!
+[ 4895.178114] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55
+[ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables]
+[ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
+[ 4895.228342] RSP: 0018:ffff88010b98f4c0 EFLAGS: 00010202
+[ 4895.234841] RAX: 0000000000000001 RBX: ffff8801131c6968 RCX: ffff8801146585b0
+[ 4895.234841] RDX: 1ffff10022638d37 RSI: ffff8801191a9348 RDI: ffff8801131c69b8
+[ 4895.234841] RBP: ffff8801146585a8 R08: 1ffff1002323526a R09: 0000000000000000
+[ 4895.234841] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
+[ 4895.234841] R13: dead000000000100 R14: ffffffffa3638af8 R15: dffffc0000000000
+[ 4895.234841] FS: 00007f6d188e6700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
+[ 4895.234841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4895.234841] CR2: 00007ffe72b8df88 CR3: 000000010e2d4000 CR4: 00000000001006f0
+[ 4895.234841] Call Trace:
+[ 4895.234841] nf_tables_commit+0x2704/0x2c70 [nf_tables]
+[ 4895.234841] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.234841] ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables]
+[ 4895.323824] ? __lock_is_held+0x9d/0x130
+[ 4895.323824] ? kasan_unpoison_shadow+0x30/0x40
+[ 4895.333299] ? kasan_kmalloc+0xa9/0xc0
+[ 4895.333299] ? kmem_cache_alloc_trace+0x2c0/0x310
+[ 4895.333299] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.333299] nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink]
+[ 4895.333299] ? debug_show_all_locks+0x290/0x290
+[ 4895.333299] ? nfnetlink_net_init+0x150/0x150 [nfnetlink]
+[ 4895.333299] ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299] ? sched_clock_local+0xff/0x130
+[ 4895.333299] ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299] ? find_held_lock+0x39/0x1b0
+[ 4895.333299] ? sched_clock_local+0xff/0x130
+[ 4895.333299] ? memset+0x1f/0x40
+[ 4895.333299] ? nla_parse+0x33/0x260
+[ 4895.333299] ? ns_capable_common+0x6e/0x110
+[ 4895.333299] nfnetlink_rcv+0x2c0/0x310 [nfnetlink]
+[ ... ]
+
+Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 02b79bde519f..4d424069b5d8 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4066,6 +4066,7 @@ static int nft_flush_set(const struct nft_ctx *ctx,
+ }
+ set->ndeact++;
+
++ nft_set_elem_deactivate(ctx->net, set, elem);
+ nft_trans_elem_set(trans) = set;
+ nft_trans_elem(trans) = *elem;
+ list_add_tail(&trans->list, &ctx->net->nft.commit_list);
+--
+2.12.3
+
diff --git a/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch b/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
new file mode 100644
index 0000000000..08807b67fd
--- /dev/null
+++ b/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
@@ -0,0 +1,56 @@
+From: David Ahern <dsahern@gmail.com>
+Subject: netfilter: bridge: Don't sabotage nf_hook calls from an
+ l3mdev
+Patch-mainline: v4.19-rc7
+Git-commit: a173f066c7cfc031acb8f541708041e009fc9812
+References: git-fixes
+
+
+For starters, the bridge netfilter code registers operations that
+are invoked any time nh_hook is called. Specifically, ip_sabotage_in
+watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in
+the stack.
+
+Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing
+allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for
+NF_INET_PRE_ROUTING. It's finish function, br_nf_pre_routing_finish,
+then resets in_prerouting flag to 0 and the packet continues up the
+stack. The packet eventually makes it to the VRF driver and it invokes
+nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against
+the vrf device.
+
+Because of the registered operations the call to nf_hook causes
+ip_sabotage_in to be invoked. That function sees the nf_bridge on the
+skb and that in_prerouting is not set. Thinking it is an invalid nested
+call it steals (drops) the packet.
+
+Update ip_sabotage_in to recognize that the bridge or one of its upper
+devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and
+allow the packet to go through the nf_hook a second time.
+
+Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device")
+Reported-by: D'Souza, Nelson <ndsouza@ciena.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index e13952d3c0b1..0a2771c13276 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -833,7 +833,8 @@ static unsigned int ip_sabotage_in(void *priv,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
+- if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) {
++ if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
++ !netif_is_l3_master(skb->dev)) {
+ state->okfn(state->net, state->sk, skb);
+ return NF_STOLEN;
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch b/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
new file mode 100644
index 0000000000..ff30ba6ee7
--- /dev/null
+++ b/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
@@ -0,0 +1,64 @@
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Subject: xfrm: Validate address prefix lengths in the xfrm
+ selector
+Patch-mainline: v4.19-rc7
+Git-commit: 07bf7908950a8b14e81aa1807e3c667eab39287a
+References: git-fixes
+
+
+We don't validate the address prefix lengths in the xfrm
+selector we got from userspace. This can lead to undefined
+behaviour in the address matching functions if the prefix
+is too big for the given address family. Fix this by checking
+the prefixes and refuse SA/policy insertation when a prefix
+is invalid.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Air Icy <icytxw@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_user.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5e8f4f3fbe6b..aff0fce28555 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -156,10 +156,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ err = -EINVAL;
+ switch (p->family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ goto out;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ goto out;
++
+ break;
+ #else
+ err = -EAFNOSUPPORT;
+@@ -1352,10 +1358,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+
+ switch (p->sel.family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ return -EINVAL;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ return -EINVAL;
++
+ break;
+ #else
+ return -EAFNOSUPPORT;
+--
+2.12.3
+
diff --git a/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch b/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
new file mode 100644
index 0000000000..0e43e4edac
--- /dev/null
+++ b/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
@@ -0,0 +1,46 @@
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Subject: xfrm6: call kfree_skb when skb is toobig
+Patch-mainline: v4.19-rc7
+Git-commit: 215ab0f021c9fea3c18b75e7d522400ee6a49990
+References: git-fixes
+
+
+After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
+and reporting on xmit"), some too big skbs might be potentially passed down to
+__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
+leak of skb, and consequentially a leak of dst references.
+
+After running pmtu.sh, that shows as failure to unregister devices in a namespace:
+
+[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
+
+The fix is to call kfree_skb in case of transmit failures.
+
+Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/xfrm6_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index 8ae87d4ec5ff..29dae7f2ff14 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+
+ if (toobig && xfrm6_local_dontfrag(skb)) {
+ xfrm6_local_rxpmtu(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ } else if (!skb->ignore_df && toobig && skb->sk) {
+ xfrm_local_error(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch b/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
new file mode 100644
index 0000000000..44631019c5
--- /dev/null
+++ b/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
@@ -0,0 +1,99 @@
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Subject: xfrm: reset transport header back to network header
+ after all input transforms ahave been applied
+Patch-mainline: v4.19-rc7
+Git-commit: bfc0698bebcb16d19ecfc89574ad4d696955e5d3
+References: git-fixes
+
+A policy may have been set up with multiple transforms (e.g., ESP
+and ipcomp). In this situation, the ingress IPsec processing
+iterates in xfrm_input() and applies each transform in turn,
+processing the nexthdr to find any additional xfrm that may apply.
+
+This patch resets the transport header back to network header
+only after the last transformation so that subsequent xfrms
+can find the correct transport header.
+
+Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
+Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/xfrm4_input.c | 1 +
+ net/ipv4/xfrm4_mode_transport.c | 4 +---
+ net/ipv6/xfrm6_input.c | 1 +
+ net/ipv6/xfrm6_mode_transport.c | 4 +---
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index c794a9aa15f5..38018229b9d1 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -66,6 +66,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
+index 3d36644890bb..1ad2c2c4e250 100644
+--- a/net/ipv4/xfrm4_mode_transport.c
++++ b/net/ipv4/xfrm4_mode_transport.c
+@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ skb->network_header = skb->transport_header;
+ }
+ ip_hdr(skb)->tot_len = htons(skb->len + ihl);
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 7c5e582b1af8..520e9592d402 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -56,6 +56,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return -1;
+ }
+
+diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
+index 9ad07a91708e..3c29da5defe6 100644
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ }
+ ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
+ sizeof(struct ipv6hdr));
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch b/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
new file mode 100644
index 0000000000..4f976d99f7
--- /dev/null
+++ b/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
@@ -0,0 +1,37 @@
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Subject: xfrm: reset crypto_done when iterating over multiple
+ input xfrms
+Patch-mainline: v4.19-rc7
+Git-commit: 782710e333a526780d65918d669cb96646983ba2
+References: git-fixes
+
+
+We only support one offloaded xfrm (we do not have devices that
+can handle more than one offload), so reset crypto_done in
+xfrm_input() when iterating over multiple transforms in xfrm_input,
+so that we can invoke the appropriate x->type->input for the
+non-offloaded transforms
+
+Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 2ad91eb793fc..d212a0308f33 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -441,6 +441,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
+ goto drop;
+ }
++ crypto_done = false;
+ } while (!err);
+
+ err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
+--
+2.12.3
+
diff --git a/series.conf b/series.conf
index c4b9e4befd..c0308a977d 100644
--- a/series.conf
+++ b/series.conf
@@ -17596,6 +17596,8 @@
patches.drivers/iio-buffer-fix-the-function-signature-to-match-imple
patches.suse/0001-btrfs-quota-Set-rescan-progress-to-u64-1-if-we-hit-l.patch
patches.drivers/r8152-napi-hangup-fix-after-disconnect
+ patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
+ patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
patches.drivers/net-mlx5e-Don-t-attempt-to-dereference-the-ppriv-str.patch
patches.suse/net-mlx5-E-Switch-Avoid-setup-attempt-if-not-being-e.patch
patches.suse/net-mlx5e-Avoid-dealing-with-vport-representors-if-n.patch
@@ -17912,12 +17914,15 @@
patches.suse/net-fix-amd-xgbe-flow-control-issue.patch
patches.suse/net-ena-Fix-use-of-uninitialized-DMA-address-bits-fi.patch
patches.fixes/vti6-fix-PMTU-caching-and-reporting-on-xmit.patch
+ patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
+ patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
patches.fixes/esp6-fix-memleak-on-error-path-in-esp6_input.patch
patches.fixes/0001-net-lan78xx-fix-rx-handling-before-first-packet-is-s.patch
patches.drivers/enic-handle-mtu-change-for-vf-properly.patch
patches.suse/ipv4-remove-BUG_ON-from-fib_compute_spec_dst.patch
patches.suse/net-mdio-mux-bcm-iproc-fix-wrong-getter-and-setter-p.patch
patches.fixes/bpf-use-GFP_ATOMIC-instead-of-GFP_KERNEL-in-bpf_pars.patch
+ patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
patches.suse/tcp_bbr-fix-bw-probing-to-raise-in-flight-data-for-v.patch
patches.suse/NET-stmmac-align-DMA-stuff-to-largest-cache-line-len.patch
patches.suse/netlink-Do-not-subscribe-to-non-existent-groups.patch
@@ -17965,6 +17970,7 @@
patches.fixes/nohz-Fix-local_timer_softirq_pending.patch
patches.drivers/gpiolib-acpi-make-sure-we-trigger-edge-events-at-lea.patch
patches.fixes/ip6_tunnel-use-the-right-value-for-ipv4-min-mtu-chec.patch
+ patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
patches.drivers/net-thunderx-check-for-failed-allocation-lmac-dmacs.patch
patches.suse/vsock-split-dwork-to-avoid-reinitializations.patch
patches.suse/dccp-fix-undefined-behavior-with-cwnd-shift-in-ccid2.patch
@@ -18269,6 +18275,10 @@
patches.drivers/net-hns3-Fix-warning-bug-when-doing-lp-selftest.patch
patches.drivers/net-hns3-Fix-get_vector-ops-in-hclgevf_main-module.patch
patches.drivers/net-hns3-Prevent-sending-command-during-global-or-co.patch
+ patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
+ patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
+ patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
+ patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
patches.fixes/Documentation-ip-sysctl.txt-document-addr_gen_mode
patches.drivers/cxgb4-specify-IQTYPE-in-fw_iq_cmd.patch
patches.drivers/be2net-remove-unused-old-AIC-info.patch
@@ -18296,6 +18306,7 @@
patches.drivers/cxgb4-move-Tx-Rx-free-pages-collection-to-common-cod.patch
patches.drivers/ixgbe-Reorder-Tx-Rx-shutdown-to-reduce-time-needed-t.patch
patches.drivers/ixgbe-Refactor-queue-disable-logic-to-take-completio.patch
+ patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
patches.suse/net-ethernet-mvneta-Fix-napi-structure-mixup-on-arma.patch
patches.drivers/qed-remove-redundant-functions-qed_set_gft_event_id_.patch
patches.drivers/qed-remove-redundant-functions-qed_get_cm_pq_idx_rl.patch
@@ -18319,6 +18330,7 @@
patches.drivers/wlcore-Set-rx_status-boottime_ns-field-on-rx.patch
patches.drivers/iwlwifi-pcie-don-t-access-periphery-registers-when-n
patches.fixes/selftests-bpf-fix-a-typo-in-map-in-map-test.patch
+ patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
patches.drivers/ibmvnic-Remove-code-to-request-error-information.patch
patches.drivers/ibmvnic-Update-firmware-error-reporting-with-cause-s.patch
patches.drivers/cxgb4-add-support-to-display-DCB-info.patch
@@ -18924,10 +18936,13 @@
patches.drivers/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch
patches.drivers/net-hns-add-netif_carrier_off-before-change-speed-an.patch
patches.suse/net-sched-act_pedit-fix-dump-of-extended-layered-op.patch
+ patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
+ patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
patches.suse/net-bcmgenet-use-MAC-link-status-for-fixed-phy.patch
patches.suse/nfp-wait-for-posted-reconfigs-when-disabling-the-dev.patch
patches.suse/tcp-do-not-restart-timewait-timer-on-rst-reception.patch
patches.drivers/ibmvnic-Include-missing-return-code-checks-in-reset-.patch
+ patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
patches.drivers/r8169-add-support-for-NCube-8168-network-card.patch
patches.drivers/bnxt_en-Clean-up-unused-functions.patch
patches.drivers/bnxt_en-Do-not-adjust-max_cp_rings-by-the-ones-used-.patch
@@ -19013,6 +19028,7 @@
patches.drivers/net-ena-fix-missing-calls-to-READ_ONCE.patch
patches.drivers/net-ena-fix-incorrect-usage-of-memory-barriers.patch
patches.drivers/qmi_wwan-Support-dynamic-config-on-Quectel-EP06.patch
+ patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
patches.drivers/r8169-Clear-RTL_FLAG_TASK_-_PENDING-when-clearing-RT.patch
patches.suse/rds-fix-two-RCU-related-problems.patch
patches.arch/s390-sles15-15-03-qeth-use-vzalloc-for-QUERY-OAT-buffer.patch
@@ -19244,6 +19260,11 @@
patches.drivers/smsc75xx-Check-for-Wake-on-LAN-modes.patch
patches.drivers/smsc95xx-Check-for-Wake-on-LAN-modes.patch
patches.drivers/qlcnic-fix-Tx-descriptor-corruption-on-82xx-devices.patch
+ patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
+ patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
+ patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
+ patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
+ patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
patches.fixes/Bluetooth-SMP-fix-crash-in-unpairing.patch
patches.fixes/Revert-openvswitch-Fix-template-leak-in-error-cases.patch
patches.drivers/declance-Fix-continuation-with-the-adapter-identific.patch