Home Home > GIT Browse > SLE15
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-05-24 15:41:02 +0200
committerTakashi Iwai <tiwai@suse.de>2019-05-24 15:41:02 +0200
commit53d54bd254bf3a3dcae8a16d42da051faa12b7d3 (patch)
tree8ad1cb7141c24b12f70ac702731e3e5bc1dc7f8b
parent1a64be3d4ec7f40f4fd339608040f81949d9fb42 (diff)
parent86f6537e45f2783c56c113f8f9c33b321530b9ad (diff)
Merge branch 'users/dkirjanov/SLE15/for-next' into SLE15SLE15
Pull net fixes from Denis Kirjanov
-rw-r--r--patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch93
-rw-r--r--patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch69
-rw-r--r--patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch67
-rw-r--r--patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch71
-rw-r--r--patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch58
-rw-r--r--patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch57
-rw-r--r--patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch39
-rw-r--r--patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch56
-rw-r--r--patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch41
-rw-r--r--patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch154
-rw-r--r--patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch42
-rw-r--r--series.conf11
12 files changed, 758 insertions, 0 deletions
diff --git a/patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch b/patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch
new file mode 100644
index 0000000000..e5d9aa2124
--- /dev/null
+++ b/patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch
@@ -0,0 +1,93 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: make skb_partial_csum_set() more robust against
+ overflows
+Patch-mainline: v4.19-rc8
+Git-commit: 52b5d6f5dcf0e5201392f7d417148ccb537dbf6f
+References: git-fixes
+
+
+syzbot managed to crash in skb_checksum_help() [1] :
+
+ BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb));
+
+Root cause is the following check in skb_partial_csum_set()
+
+ if (unlikely(start > skb_headlen(skb)) ||
+ unlikely((int)start + off > skb_headlen(skb) - 2))
+ return false;
+
+If skb_headlen(skb) is 1, then (skb_headlen(skb) - 2) becomes 0xffffffff
+and the check fails to detect that ((int)start + off) is off the limit,
+since the compare is unsigned.
+
+When we fix that, then the first condition (start > skb_headlen(skb))
+becomes obsolete.
+
+Then we should also check that (skb_headroom(skb) + start) wont
+overflow 16bit field.
+
+[1]
+kernel BUG at net/core/dev.c:2880!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ #253
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
+Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
+RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
+RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
+RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
+RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
+R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
+R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
+FS: 00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
+ validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
+ __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
+ packet_snd net/packet/af_packet.c:2928 [inline]
+ packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953
+
+Fixes: 5ff8dda3035d ("net: Ensure partial checksum offset is inside the skb head")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/skbuff.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index bc663ccf6ba3..51906f8a8272 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3994,14 +3994,16 @@ EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);
+ */
+ bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off)
+ {
+- if (unlikely(start > skb_headlen(skb)) ||
+- unlikely((int)start + off > skb_headlen(skb) - 2)) {
+- net_warn_ratelimited("bad partial csum: csum=%u/%u len=%u\n",
+- start, off, skb_headlen(skb));
++ u32 csum_end = (u32)start + (u32)off + sizeof(__sum16);
++ u32 csum_start = skb_headroom(skb) + (u32)start;
++
++ if (unlikely(csum_start > U16_MAX || csum_end > skb_headlen(skb))) {
++ net_warn_ratelimited("bad partial csum: csum=%u/%u headroom=%u headlen=%u\n",
++ start, off, skb_headroom(skb), skb_headlen(skb));
+ return false;
+ }
+ skb->ip_summed = CHECKSUM_PARTIAL;
+- skb->csum_start = skb_headroom(skb) + start;
++ skb->csum_start = csum_start;
+ skb->csum_offset = off;
+ skb_set_transport_header(skb, start);
+ return true;
+--
+2.12.3
+
diff --git a/patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch b/patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch
new file mode 100644
index 0000000000..6ec5c0a762
--- /dev/null
+++ b/patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch
@@ -0,0 +1,69 @@
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Subject: ip_gre: fix parsing gre header in ipgre_err
+Patch-mainline: v4.20-rc1
+Git-commit: b0350d51f001e6edc13ee4f253b98b50b05dd401
+References: git-fixes
+
+gre_parse_header stops parsing when csum_err is encountered, which means
+tpi->key is undefined and ip_tunnel_lookup will return NULL improperly.
+
+This patch introduce a NULL pointer as csum_err parameter. Even when
+csum_err is encountered, it won't return error and continue parsing gre
+header as expected.
+
+Fixes: 9f57c67c379d ("gre: Remove support for sharing GRE protocol hook.")
+Reported-by: Jiri Benc <jbenc@redhat.com>
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/gre_demux.c | 7 ++++---
+ net/ipv4/ip_gre.c | 9 +++------
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
+index b798862b6be5..7efe740c06eb 100644
+--- a/net/ipv4/gre_demux.c
++++ b/net/ipv4/gre_demux.c
+@@ -86,13 +86,14 @@ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+
+ options = (__be32 *)(greh + 1);
+ if (greh->flags & GRE_CSUM) {
+- if (skb_checksum_simple_validate(skb)) {
++ if (!skb_checksum_simple_validate(skb)) {
++ skb_checksum_try_convert(skb, IPPROTO_GRE, 0,
++ null_compute_pseudo);
++ } else if (csum_err) {
+ *csum_err = true;
+ return -EINVAL;
+ }
+
+- skb_checksum_try_convert(skb, IPPROTO_GRE, 0,
+- null_compute_pseudo);
+ options++;
+ }
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 4bbf248761ac..9a5a31bd71a1 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -224,13 +224,10 @@ static void gre_err(struct sk_buff *skb, u32 info)
+ const int type = icmp_hdr(skb)->type;
+ const int code = icmp_hdr(skb)->code;
+ struct tnl_ptk_info tpi;
+- bool csum_err = false;
+
+- if (gre_parse_header(skb, &tpi, &csum_err, htons(ETH_P_IP),
+- iph->ihl * 4) < 0) {
+- if (!csum_err) /* ignore csum errors. */
+- return;
+- }
++ if (gre_parse_header(skb, &tpi, NULL, htons(ETH_P_IP),
++ iph->ihl * 4) < 0)
++ return;
+
+ if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
+ ipv4_update_pmtu(skb, dev_net(skb->dev), info,
+--
+2.12.3
+
diff --git a/patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch b/patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch
new file mode 100644
index 0000000000..da8900d4b9
--- /dev/null
+++ b/patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch
@@ -0,0 +1,67 @@
+From: Stefan Nuernberger <snu@amazon.com>
+Subject: net/ipv4: defensive cipso option parsing
+Patch-mainline: v4.20-rc1
+Git-commit: 076ed3da0c9b2f88d9157dbe7044a45641ae369e
+References: git-fixes
+
+commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
+a possible infinite loop in the IP option parsing of CIPSO. The fix
+assumes that ip_options_compile filtered out all zero length options and
+that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
+While this assumption currently holds true, add explicit checks for zero
+length and invalid length options to be safe for the future. Even though
+ip_options_compile should have validated the options, the introduction of
+new one-byte options can still confuse this code without the additional
+checks.
+
+Signed-off-by: Stefan Nuernberger <snu@amazon.com>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: Simon Veith <sveith@amazon.de>
+Cc: stable@vger.kernel.org
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/cipso_ipv4.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index dcfaf9db1378..71bcab94c5c7 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1513,7 +1513,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
+ *
+ * Description:
+ * Parse the packet's IP header looking for a CIPSO option. Returns a pointer
+- * to the start of the CIPSO option on success, NULL if one if not found.
++ * to the start of the CIPSO option on success, NULL if one is not found.
+ *
+ */
+ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+@@ -1523,10 +1523,8 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+ int optlen;
+ int taglen;
+
+- for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
++ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
+ switch (optptr[0]) {
+- case IPOPT_CIPSO:
+- return optptr;
+ case IPOPT_END:
+ return NULL;
+ case IPOPT_NOOP:
+@@ -1535,6 +1533,11 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+ default:
+ taglen = optptr[1];
+ }
++ if (!taglen || taglen > optlen)
++ return NULL;
++ if (optptr[0] == IPOPT_CIPSO)
++ return optptr;
++
+ optlen -= taglen;
+ optptr += taglen;
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch b/patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch
new file mode 100644
index 0000000000..5695da740a
--- /dev/null
+++ b/patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch
@@ -0,0 +1,71 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Subject: netfilter: nft_compat: do not dump private area
+Patch-mainline: v4.20-rc1
+Git-commit: d701d8117200399d85e63a737d2e4e897932f3b6
+References: git-fixes
+
+
+Zero pad private area, otherwise we expose private kernel pointer to
+userspace. This patch also zeroes the tail area after the ->matchsize
+and ->targetsize that results from XT_ALIGN().
+
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Reported-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nft_compat.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
+index d80aabe8287c..1a107a93427c 100644
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -290,6 +290,24 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+ module_put(target->me);
+ }
+
++static int nft_extension_dump_info(struct sk_buff *skb, int attr,
++ const void *info,
++ unsigned int size, unsigned int user_size)
++{
++ unsigned int info_size, aligned_size = XT_ALIGN(size);
++ struct nlattr *nla;
++
++ nla = nla_reserve(skb, attr, aligned_size);
++ if (!nla)
++ return -1;
++
++ info_size = user_size ? : size;
++ memcpy(nla_data(nla), info, info_size);
++ memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
++
++ return 0;
++}
++
+ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
+ {
+ const struct xt_target *target = expr->ops->data;
+@@ -297,7 +315,8 @@ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
+
+ if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
+ nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
+- nla_put(skb, NFTA_TARGET_INFO, XT_ALIGN(target->targetsize), info))
++ nft_extension_dump_info(skb, NFTA_TARGET_INFO, info,
++ target->targetsize, target->usersize))
+ goto nla_put_failure;
+
+ return 0;
+@@ -532,7 +551,8 @@ static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
+
+ if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
+ nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
+- nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(match->matchsize), info))
++ nft_extension_dump_info(skb, NFTA_MATCH_INFO, info,
++ match->matchsize, match->usersize))
+ goto nla_put_failure;
+
+ return 0;
+--
+2.12.3
+
diff --git a/patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch b/patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch
new file mode 100644
index 0000000000..106f37e1d8
--- /dev/null
+++ b/patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch
@@ -0,0 +1,58 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Subject: net: don't keep lonely packets forever in the gro hash
+Patch-mainline: v4.20-rc4
+Git-commit: 605108acfe6233b72e2f803aa1cb59a2af3001ca
+References: git-fixes
+
+
+Eric noted that with UDP GRO and NAPI timeout, we could keep a single
+UDP packet inside the GRO hash forever, if the related NAPI instance
+calls napi_gro_complete() at an higher frequency than the NAPI timeout.
+Willem noted that even TCP packets could be trapped there, till the
+next retransmission.
+This patch tries to address the issue, flushing the old packets -
+those with a NAPI_GRO_CB age before the current jiffy - before scheduling
+the NAPI timeout. The rationale is that such a timeout should be
+well below a jiffy and we are not flushing packets eligible for sane GRO.
+
+v1 -> v2:
+ - clarified the commit message and comment
+
+RFC -> v1:
+ - added 'Fixes tags', cleaned-up the wording.
+
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: 3b47d30396ba ("net: gro: add a per device gro flush timer")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index f259eb1b21b8..f2d613200be4 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5262,11 +5262,14 @@ bool napi_complete_done(struct napi_struct *n, int work_done)
+ if (work_done)
+ timeout = n->dev->gro_flush_timeout;
+
++ /* When the NAPI instance uses a timeout and keeps postponing
++ * it, we need to bound somehow the time packets are kept in
++ * the GRO layer
++ */
++ napi_gro_flush(n, !!timeout);
+ if (timeout)
+ hrtimer_start(&n->timer, ns_to_ktime(timeout),
+ HRTIMER_MODE_REL_PINNED);
+- else
+- napi_gro_flush(n, false);
+ }
+ if (unlikely(!list_empty(&n->poll_list))) {
+ /* If n->poll_list is not empty, we need to mask irqs */
+--
+2.12.3
+
diff --git a/patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
new file mode 100644
index 0000000000..fbe7dfa828
--- /dev/null
+++ b/patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
@@ -0,0 +1,57 @@
+From: Xin Long <lucien.xin@gmail.com>
+Subject: ipvs: call ip_vs_dst_notifier earlier than
+ ipv6_dev_notf
+Patch-mainline: v4.20-rc5
+Git-commit: 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b
+References: git-fixes
+
+ip_vs_dst_event is supposed to clean up all dst used in ipvs'
+destinations when a net dev is going down. But it works only
+when the dst's dev is the same as the dev from the event.
+
+Now with the same priority but late registration,
+ip_vs_dst_notifier is always called later than ipv6_dev_notf
+where the dst's dev is set to lo for NETDEV_DOWN event.
+
+As the dst's dev lo is not the same as the dev from the event
+in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work.
+Also as these dst have to wait for dest_trash_timer to clean
+them up. It would cause some non-permanent kernel warnings:
+
+ unregister_netdevice: waiting for br0 to become free. Usage count = 3
+
+To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf
+by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5.
+
+Note that for ipv4 route fib_netdev_notifier doesn't set dst's
+dev to lo in NETDEV_DOWN event, so this fix is only needed when
+IP_VS_IPV6 is defined.
+
+Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index da439e2dadc1..208fb8132439 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -4023,6 +4023,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs)
+
+ static struct notifier_block ip_vs_dst_notifier = {
+ .notifier_call = ip_vs_dst_event,
++#ifdef CONFIG_IP_VS_IPV6
++ .priority = ADDRCONF_NOTIFY_PRIORITY + 5,
++#endif
+ };
+
+ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
+--
+2.12.3
+
diff --git a/patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch b/patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch
new file mode 100644
index 0000000000..8b14a6670b
--- /dev/null
+++ b/patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch
@@ -0,0 +1,39 @@
+From: Pan Bian <bianpan2016@163.com>
+Subject: netfilter: ipset: do not call ipset_nest_end after
+ nla_nest_cancel
+Patch-mainline: v4.20
+Git-commit: 708abf74dd87f8640871b814faa195fb5970b0e3
+References: git-fixes
+
+
+In the error handling block, nla_nest_cancel(skb, atd) is called to
+cancel the nest operation. But then, ipset_nest_end(skb, atd) is
+unexpected called to end the nest operation. This patch calls the
+ipset_nest_end only on the branch that nla_nest_cancel is not called.
+
+Fixes: 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipset/ip_set_list_set.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
+index 178d4eba013b..ca168ca3f238 100644
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -537,8 +537,8 @@ list_set_list(const struct ip_set *set,
+ ret = -EMSGSIZE;
+ } else {
+ cb->args[IPSET_CB_ARG0] = i;
++ ipset_nest_end(skb, atd);
+ }
+- ipset_nest_end(skb, atd);
+ out:
+ rcu_read_unlock();
+ return ret;
+--
+2.12.3
+
diff --git a/patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch b/patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch
new file mode 100644
index 0000000000..4bb5b4ac71
--- /dev/null
+++ b/patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch
@@ -0,0 +1,56 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: fix leaking object reference
+ count
+Patch-mainline: v5.0-rc3
+Git-commit: b91d9036883793122cf6575ca4dfbfbdd201a83d
+References: git-fixes
+
+There is no code that decreases the reference count of stateful objects
+in error path of the nft_add_set_elem(). this causes a leak of reference
+count of stateful objects.
+
+Test commands:
+ $nft add table ip filter
+ $nft add counter ip filter c1
+ $nft add map ip filter m1 { type ipv4_addr : counter \;}
+ $nft add element ip filter m1 { 1 : c1 }
+ $nft add element ip filter m1 { 1 : c1 }
+ $nft delete element ip filter m1 { 1 }
+ $nft delete counter ip filter c1
+
+Result:
+ Error: Could not process rule: Device or resource busy
+ delete counter ip filter c1
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+At the second 'nft add element ip filter m1 { 1 : c1 }', the reference
+count of the 'c1' is increased then it tries to insert into the 'm1'. but
+the 'm1' already has same element so it returns -EEXIST.
+But it doesn't decrease the reference count of the 'c1' in the error path.
+Due to a leak of the reference count of the 'c1', the 'c1' can't be
+removed by 'nft delete counter ip filter c1'.
+
+Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4d424069b5d8..defe11c00aaa 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3869,6 +3869,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ err5:
+ kfree(trans);
+ err4:
++ if (obj)
++ obj->use--;
+ kfree(elem.priv);
+ err3:
+ if (nla[NFTA_SET_ELEM_DATA] != NULL)
+--
+2.12.3
+
diff --git a/patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch b/patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch
new file mode 100644
index 0000000000..531e8430b6
--- /dev/null
+++ b/patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch
@@ -0,0 +1,41 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: ipv6: invert flowlabel sharing check in process and
+ user mode
+Patch-mainline: v5.1
+Git-commit: 95c169251bf734aa555a1e8043e4d88ec97a04ec
+References: git-fixes
+
+
+A request for a flowlabel fails in process or user exclusive mode must
+fail if the caller pid or uid does not match. Invert the test.
+
+Previously, the test was unsafe wrt PID recycling, but indeed tested
+for inequality: fl1->owner != fl->owner
+
+Fixes: 4f82f45730c68 ("net ip6 flowlabel: Make owner a union of struct pid* and kuid_t")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_flowlabel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
+index 15535ee327c5..d8cb9acfe1a5 100644
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -634,9 +634,9 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
+ if (fl1->share == IPV6_FL_S_EXCL ||
+ fl1->share != fl->share ||
+ ((fl1->share == IPV6_FL_S_PROCESS) &&
+- (fl1->owner.pid == fl->owner.pid)) ||
++ (fl1->owner.pid != fl->owner.pid)) ||
+ ((fl1->share == IPV6_FL_S_USER) &&
+- uid_eq(fl1->owner.uid, fl->owner.uid)))
++ !uid_eq(fl1->owner.uid, fl->owner.uid)))
+ goto release;
+
+ err = -ENOMEM;
+--
+2.12.3
+
diff --git a/patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch b/patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
new file mode 100644
index 0000000000..9452245e32
--- /dev/null
+++ b/patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
@@ -0,0 +1,154 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: ipv6/flowlabel: wait rcu grace period before put_pid()
+Patch-mainline: v5.1
+Git-commit: 6c0afef5fb0c27758f4d52b2210c61b6bd8b4470
+References: git-fixes
+
+
+syzbot was able to catch a use-after-free read in pid_nr_ns() [1]
+
+ip6fl_seq_show() seems to use RCU protection, dereferencing fl->owner.pid
+but fl_free() releases fl->owner.pid before rcu grace period is started.
+
+[1]
+
+BUG: KASAN: use-after-free in pid_nr_ns+0x128/0x140 kernel/pid.c:407
+Read of size 4 at addr ffff888094012a04 by task syz-executor.0/18087
+
+CPU: 0 PID: 18087 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #89
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
+ kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
+ pid_nr_ns+0x128/0x140 kernel/pid.c:407
+ ip6fl_seq_show+0x2f8/0x4f0 net/ipv6/ip6_flowlabel.c:794
+ seq_read+0xad3/0x1130 fs/seq_file.c:268
+ proc_reg_read+0x1fe/0x2c0 fs/proc/inode.c:227
+ do_loop_readv_writev fs/read_write.c:701 [inline]
+ do_loop_readv_writev fs/read_write.c:688 [inline]
+ do_iter_read+0x4a9/0x660 fs/read_write.c:922
+ vfs_readv+0xf0/0x160 fs/read_write.c:984
+ kernel_readv fs/splice.c:358 [inline]
+ default_file_splice_read+0x475/0x890 fs/splice.c:413
+ do_splice_to+0x12a/0x190 fs/splice.c:876
+ splice_direct_to_actor+0x2d2/0x970 fs/splice.c:953
+ do_splice_direct+0x1da/0x2a0 fs/splice.c:1062
+ do_sendfile+0x597/0xd00 fs/read_write.c:1443
+ __do_sys_sendfile64 fs/read_write.c:1498 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1490 [inline]
+ __x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1490
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x458da9
+Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f300d24bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9
+RDX: 00000000200000c0 RSI: 0000000000000008 RDI: 0000000000000007
+RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 000000000000005a R11: 0000000000000246 R12: 00007f300d24c6d4
+R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff
+
+Allocated by task 17543:
+ save_stack+0x45/0xd0 mm/kasan/common.c:75
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc mm/kasan/common.c:497 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
+ kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
+ slab_post_alloc_hook mm/slab.h:437 [inline]
+ slab_alloc mm/slab.c:3393 [inline]
+ kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555
+ alloc_pid+0x55/0x8f0 kernel/pid.c:168
+ copy_process.part.0+0x3b08/0x7980 kernel/fork.c:1932
+ copy_process kernel/fork.c:1709 [inline]
+ _do_fork+0x257/0xfd0 kernel/fork.c:2226
+ __do_sys_clone kernel/fork.c:2333 [inline]
+ __se_sys_clone kernel/fork.c:2327 [inline]
+ __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 7789:
+ save_stack+0x45/0xd0 mm/kasan/common.c:75
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
+ __cache_free mm/slab.c:3499 [inline]
+ kmem_cache_free+0x86/0x260 mm/slab.c:3765
+ put_pid.part.0+0x111/0x150 kernel/pid.c:111
+ put_pid+0x20/0x30 kernel/pid.c:105
+ fl_free+0xbe/0xe0 net/ipv6/ip6_flowlabel.c:102
+ ip6_fl_gc+0x295/0x3e0 net/ipv6/ip6_flowlabel.c:152
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+
+The buggy address belongs to the object at ffff888094012a00
+ which belongs to the cache pid_2 of size 88
+The buggy address is located 4 bytes inside of
+ 88-byte region [ffff888094012a00, ffff888094012a58)
+The buggy address belongs to the page:
+page:ffffea0002500480 count:1 mapcount:0 mapping:ffff88809a483080 index:0xffff888094012980
+flags: 0x1fffc0000000200(slab)
+raw: 01fffc0000000200 ffffea00018a3508 ffffea0002524a88 ffff88809a483080
+raw: ffff888094012980 ffff888094012000 000000010000001b 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888094012900: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ffff888094012980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+>ffff888094012a00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ^
+ ffff888094012a80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ffff888094012b00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+
+Fixes: 4f82f45730c6 ("net ip6 flowlabel: Make owner a union of struct pid * and kuid_t")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_flowlabel.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
+index d8cb9acfe1a5..6fa2bc236d9e 100644
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -94,15 +94,21 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label)
+ return fl;
+ }
+
++static void fl_free_rcu(struct rcu_head *head)
++{
++ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu);
++
++ if (fl->share == IPV6_FL_S_PROCESS)
++ put_pid(fl->owner.pid);
++ kfree(fl->opt);
++ kfree(fl);
++}
++
+
+ static void fl_free(struct ip6_flowlabel *fl)
+ {
+- if (fl) {
+- if (fl->share == IPV6_FL_S_PROCESS)
+- put_pid(fl->owner.pid);
+- kfree(fl->opt);
+- kfree_rcu(fl, rcu);
+- }
++ if (fl)
++ call_rcu(&fl->rcu, fl_free_rcu);
+ }
+
+ static void fl_release(struct ip6_flowlabel *fl)
+--
+2.12.3
+
diff --git a/patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch b/patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch
new file mode 100644
index 0000000000..a73be7f839
--- /dev/null
+++ b/patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch
@@ -0,0 +1,42 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: ebtables: CONFIG_COMPAT: reject trailing
+ data after last rule
+Patch-mainline: v5.2
+Git-commit: 680f6af5337c98d116e4f127cea7845339dba8da
+References: git-fixes
+
+
+If userspace provides a rule blob with trailing data after last target,
+we trigger a splat, then convert ruleset to 64bit format (with trailing
+data), then pass that to do_replace_finish() which then returns -EINVAL.
+
+Erroring out right away avoids the splat plus unneeded translation and
+error unwind.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index d7418e1d70e8..8c66d0eb5f65 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2203,7 +2203,9 @@ static int compat_copy_entries(unsigned char *data, unsigned int size_user,
+ if (ret < 0)
+ return ret;
+
+- WARN_ON(size_remaining);
++ if (size_remaining)
++ return -EINVAL;
++
+ return state->buf_kern_offset;
+ }
+
+--
+2.12.3
+
diff --git a/series.conf b/series.conf
index 672115aef3..f761be0440 100644
--- a/series.conf
+++ b/series.conf
@@ -19363,6 +19363,7 @@
patches.drivers/net-ena-fix-rare-bug-when-failed-restart-resume-is-f.patch
patches.drivers/net-ena-fix-NULL-dereference-due-to-untimely-napi-in.patch
patches.drivers/net-ena-fix-auto-casting-to-boolean.patch
+ patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch
patches.suse/net-ipv4-don-t-let-PMTU-updates-increase-route-MTU.patch
patches.drivers/qmi_wwan-Added-support-for-Gemalto-s-Cinterion-ALASx.patch
patches.suse/net-dsa-bcm_sf2-Fix-unbind-ordering.patch
@@ -19492,7 +19493,9 @@
patches.drivers/cxgb4-remove-redundant-assignment-to-vlan_cmd.dropno.patch
patches.fixes/0001-cxgb4-add-per-rx-queue-counter-for-packet-errors.patch
patches.drivers/cxgb4-update-supported-DCB-version.patch
+ patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch
patches.arch/s390-sles15sp1-00-16-12-s390-qeth-invoke-softirqs-after-napi_schedule.patch
+ patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch
patches.drivers/net-ibm-fix-return-type-of-ndo_start_xmit-function.patch
patches.drivers/net-hns3-Add-support-for-hns3_nic_netdev_ops.ndo_do_.patch
patches.drivers/net-hns3-Set-STATE_DOWN-bit-of-hdev-state-when-stopp.patch
@@ -19564,6 +19567,7 @@
patches.drivers/Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM43430.patch
patches.drivers/net-ena-fix-compilation-error-in-xtensa-architecture.patch
patches.fixes/llc-do-not-use-sk_eat_skb.patch
+ patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch
patches.arch/signal-properly-deliver-sigsegv-from-x86-uprobes
patches.suse/signal-Always-deliver-the-kernel-s-SIGKILL-and-SIGST.patch
patches.fixes/selinux-Add-__GFP_NOWARN-to-allocation-at-str_read.patch
@@ -20128,6 +20132,7 @@
patches.drivers/net-thunderx-set-xdp_prog-to-NULL-if-bpf_prog_add-fa.patch
patches.drivers/ibmvnic-Fix-RX-queue-buffer-cleanup.patch
patches.drivers/ibmvnic-Update-driver-queues-after-change-in-ring-si.patch
+ patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch
patches.drivers/virtio-net-fail-XDP-set-if-guest-csum-is-negotiated.patch
patches.fixes/team-no-need-to-do-team_notify_peers-or-team_mcast_r.patch
patches.drivers/net-thunderx-set-tso_hdrs-pointer-to-NULL-in-nicvf_f.patch
@@ -20151,6 +20156,7 @@
patches.suse/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-.patch
patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch
+ patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
patches.arch/s390-sles15-17-03-s390-qeth-fix-length-check-in-SNMP-processing.patch
patches.fixes/ixgbe-recognize-1000BaseLX-SFP-modules-as-1Gbps.patch
patches.fixes/udf-Allow-mounting-volumes-with-incorrect-identifica.patch
@@ -20402,6 +20408,7 @@
patches.drivers/bnx2x-Clear-fip-MAC-when-fcoe-offload-support-is-dis.patch
patches.drivers/bnx2x-Remove-configured-vlans-as-part-of-unload-sequ.patch
patches.drivers/bnx2x-Send-update-svid-ramrod-with-retry-poll-flags-.patch
+ patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch
patches.drivers/i40e-fix-mac-filter-delete-when-setting-mac-address.patch
patches.suse/vhost-make-sure-used-idx-is-seen-before-log-in-vhost.patch
patches.drivers/qed-Fix-command-number-mismatch-between-driver-and-t.patch
@@ -20908,6 +20915,7 @@
patches.fixes/blockdev-Fix-livelocks-on-loop-device.patch
patches.drivers/scsi-qedi-add-ep_state-for-login-completion-on-un-reachable-targets
patches.fixes/acpi-nfit-fix-race-accessing-memdev-in-nfit_get_smbios_id.patch
+ patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch
patches.suse/net-ipv4-Fix-memory-leak-in-network-namespace-disman.patch
patches.fixes/tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_s.patch
patches.fixes/tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enabl.patch
@@ -21914,6 +21922,8 @@
patches.drivers/USB-yurex-Fix-protection-fault-after-device-removal.patch
patches.drivers/USB-w1-ds2490-Fix-bug-caused-by-improper-use-of-alts.patch
patches.drivers/bnxt_en-Free-short-FW-command-HWRM-memory-in-error-p.patch
+ patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch
+ patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
patches.suse/packet-validate-msg_namelen-in-send-directly.patch
patches.drivers/ALSA-hda-realtek-Add-new-Dell-platform-for-headset-m.patch
patches.drivers/ALSA-hda-realtek-Fixed-Dell-AIO-speaker-noise.patch
@@ -22083,6 +22093,7 @@
patches.drivers/iommu-vt-d-make-kernel-parameter-igfx_off-work-with-viommu
patches.drivers/net-ibmvnic-Update-MAC-address-settings-after-adapte.patch
patches.drivers/net-ibmvnic-Update-carrier-state-after-link-state-ch.patch
+ patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch
patches.arch/x86-msr-index-cleanup-bit-defines.patch
patches.arch/x86-speculation-consolidate-cpu-whitelists.patch
patches.arch/x86-speculation-mds-add-basic-bug-infrastructure-for-mds.patch