authorTakashi Iwai <tiwai@suse.de>2018-10-15 19:44:12 +0200
committerTakashi Iwai <tiwai@suse.de>2018-10-15 19:44:12 +0200
commit50956854442caffdd65c520f61bb39244e67d28b (patch)
tree83747c0c846f9594a4a9b311468ea52683c23713
parent026dc742e0c70ee89a66d2d24253c5f93a3b6c84 (diff)
parentb947702a9242939ed065cb5e788807174bd53da3 (diff)
Merge branch 'users/rgoldwyn/SLE15/for-next' into SLE15
Pull ovl and other fs fixes Goldwyn Rodrigues
-rw-r--r--blacklist.conf4
-rw-r--r--patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch88
-rw-r--r--patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch66
-rw-r--r--patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch61
-rw-r--r--patches.fixes/ovl-fix-format-of-setxattr-debug.patch34
-rw-r--r--patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch73
-rw-r--r--patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch62
-rw-r--r--series.conf6
8 files changed, 394 insertions, 0 deletions
diff --git a/blacklist.conf b/blacklist.conf
index bdf24300ee..9380956862 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -518,3 +518,7 @@ c4ff91dd40e2253ab6dd028011469c2c694e1e19 # drm/amd/pp: initialize result to befo
9c60583c0b0fd6f3a5b61fda3eb604ce218b9d25 # breaks KABI
7a68d9fb851012829c29e770621905529bd9490b # breaks KABI
81e0403b26d94360abd1f6a57311337973bc82cd # useless without patch breaking kABI
+babcbbc7c4e2fa7fa76417ece7c57083bee971f1 # needs read_word_at_a_time 7f1e541fc8d57
+c6718543463dbb78486ad259f884cb800df802b5 # for stacked ovl file operations
+8cf9ee5061037accf61775f438ad7513576d4413 # for stacked ovl file operations
+452061fd4521b2bf3225fc391dbe536e5f9c05e2 # depends of redirect_follow feature
diff --git a/patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch b/patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch
new file mode 100644
index 0000000000..75c930c7c8
--- /dev/null
+++ b/patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch
@@ -0,0 +1,88 @@
+From 7f3ebcf2b1395e0248e56146041e1e5625fd2f23 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Fri Jul 6 05:25:00 2018 +0000
+Subject: [PATCH] apparmor: Check buffer bounds when mapping permissions mask
+Git-commit: 7f3ebcf2b1395e0248e56146041e1e5625fd2f23
+References: git-fixes
+Patch-mainline: v4.19-rc1
+
+Don't read past the end of the buffer containing permissions
+characters or write past the end of the destination string.
+
+Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")
+
+Fixes: e53cfe6c7caa ("apparmor: rework perm mapping to a slightly broader set")
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ security/apparmor/file.c | 3 ++-
+ security/apparmor/include/perms.h | 3 ++-
+ security/apparmor/lib.c | 17 +++++++++++++----
+ 3 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/security/apparmor/file.c
++++ b/security/apparmor/file.c
+@@ -46,7 +46,8 @@ static void audit_file_mask(struct audit
+ {
+ char str[10];
+
+- aa_perm_mask_to_str(str, aa_file_perm_chrs, map_mask_to_chr_mask(mask));
++ aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
++ map_mask_to_chr_mask(mask));
+ audit_log_string(ab, str);
+ }
+
+--- a/security/apparmor/include/perms.h
++++ b/security/apparmor/include/perms.h
+@@ -137,7 +137,8 @@ extern struct aa_perms allperms;
+ xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
+
+
+-void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
++void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs,
++ u32 mask);
+ void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
+ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
+ u32 chrsmask, const char **names, u32 namesmask);
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -198,15 +198,24 @@ const char *aa_file_perm_names[] = {
+ /**
+ * aa_perm_mask_to_str - convert a perm mask to its short string
+ * @str: character buffer to store string in (at least 10 characters)
++ * @str_size: size of the @str buffer
++ * @chrs: NUL-terminated character buffer of permission characters
+ * @mask: permission mask to convert
+ */
+-void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
++void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, u32 mask)
+ {
+ unsigned int i, perm = 1;
++ size_t num_chrs = strlen(chrs);
++
++ for (i = 0; i < num_chrs; perm <<= 1, i++) {
++ if (mask & perm) {
++ /* Ensure that one byte is left for NUL-termination */
++ if (WARN_ON_ONCE(str_size <= 1))
++ break;
+
+- for (i = 0; i < 32; perm <<= 1, i++) {
+- if (mask & perm)
+ *str++ = chrs[i];
++ str_size--;
++ }
+ }
+ *str = '\0';
+ }
+@@ -235,7 +244,7 @@ void aa_audit_perm_mask(struct audit_buf
+
+ audit_log_format(ab, "\"");
+ if ((mask & chrsmask) && chrs) {
+- aa_perm_mask_to_str(str, chrs, mask & chrsmask);
++ aa_perm_mask_to_str(str, sizeof(str), chrs, mask & chrsmask);
+ mask &= ~chrsmask;
+ audit_log_format(ab, "%s", str);
+ if (mask & namesmask)
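Review bot: The trailing `*str = '\0';` in aa_perm_mask_to_str() is still unconditional, so a caller passing `str_size == 0` would get one byte written past its buffer; the new WARN_ON_ONCE only runs inside the loop when a mask bit is set. Both callers visible in this patch pass `sizeof(str)`, so this is hardening rather than a live bug, but a guard at the top such as `if (WARN_ON_ONCE(!str_size)) return;` would make the size contract hold for any caller. The kernel-doc for `@str` still says "(at least 10 characters)", which no longer describes the interface now that `@str_size` is explicit; it could read `@str: character buffer to store string in`. Truncation is reported only through the one-time warning, which is worth stating in the kernel-doc as well.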
diff --git a/patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch b/patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch
new file mode 100644
index 0000000000..13b80b0a36
--- /dev/null
+++ b/patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch
@@ -0,0 +1,66 @@
+From baf10564fbb66ea222cae66fbff11c444590ffd9 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun May 20 16:46:23 2018 -0400
+Subject: [PATCH] aio: fix io_destroy(2) vs. lookup_ioctx() race
+Git-commit: baf10564fbb66ea222cae66fbff11c444590ffd9
+References: git-fixes
+Patch-mainline: v4.17-rc7
+
+kill_ioctx() used to have an explicit RCU delay between removing the
+reference from ->ioctx_table and percpu_ref_kill() dropping the refcount.
+At some point that delay had been removed, on the theory that
+percpu_ref_kill() itself contained an RCU delay. Unfortunately, that was
+the wrong kind of RCU delay and it didn't care about rcu_read_lock() used
+by lookup_ioctx(). As the result, we could get ctx freed right under
+lookup_ioctx(). Tejun has fixed that in a6d7cff472e ("fs/aio: Add explicit
+RCU grace period when freeing kioctx"); however, that fix is not enough.
+
+Suppose io_destroy() from one thread races with e.g. io_setup() from another;
+CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2
+has picked it (under rcu_read_lock()). Then CPU1 proceeds to drop the
+refcount, getting it to 0 and triggering a call of free_ioctx_users(),
+which proceeds to drop the secondary refcount and once that reaches zero
+calls free_ioctx_reqs(). That does
+ INIT_RCU_WORK(&ctx->free_rwork, free_ioctx);
+ queue_rcu_work(system_wq, &ctx->free_rwork);
+and schedules freeing the whole thing after RCU delay.
+
+In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the
+refcount from 0 to 1 and returned the reference to io_setup().
+
+Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get
+freed until after percpu_ref_get(). Sure, we'd increment the counter before
+ctx can be freed. Now we are out of rcu_read_lock() and there's nothing to
+stop freeing of the whole thing. Unfortunately, CPU2 assumes that since it
+has grabbed the reference, ctx is *NOT* going away until it gets around to
+dropping that reference.
+
+The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss.
+It's not costlier than what we currently do in normal case, it's safe to
+call since freeing *is* delayed and it closes the race window - either
+lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users
+won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx()
+fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see
+the object in question at all.
+
+Cc: stable@kernel.org
+Fixes: a6d7cff472e "fs/aio: Add explicit RCU grace period when freeing kioctx"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 88d7927..8061d97 100644
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1078,8 +1078,8 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
+
+ ctx = rcu_dereference(table->table[id]);
+ if (ctx && ctx->user_id == ctx_id) {
+- percpu_ref_get(&ctx->users);
+- ret = ctx;
++ if (percpu_ref_tryget_live(&ctx->users))
++ ret = ctx;
+ }
+ out:
+ rcu_read_unlock();
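Review bot: The new `percpu_ref_tryget_live()` branch in lookup_ioctx() carries no comment saying why a failed tryget is treated as a lookup miss, although that is the whole fix. A line such as `/* ctx may already be killed by io_destroy(); a dead ref is a miss */` above the call would stop a later cleanup from turning it back into an unconditional get. The commit message states the call is only safe because freeing of the ctx is RCU-delayed (the a6d7cff472e change named in Fixes:); this page does not show whether that change is already in series.conf, so it should be confirmed for this branch. lookup_ioctx() starts and ends outside the hunk.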
diff --git a/patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch b/patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch
new file mode 100644
index 0000000000..173cf3670b
--- /dev/null
+++ b/patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch
@@ -0,0 +1,61 @@
+From e8d4bfe3a71537284a90561f77c85dea6c154369 Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu@mykernel.net>
+Date: Wed Nov 29 10:01:32 2017 +0800
+Subject: [PATCH] ovl: Sync upper dirty data when syncing overlayfs
+Git-commit: e8d4bfe3a71537284a90561f77c85dea6c154369
+References: git-fixes
+Patch-mainline: v4.15-rc4
+
+When executing filesystem sync or umount on overlayfs,
+dirty data does not get synced as expected on upper filesystem.
+This patch fixes sync filesystem method to keep data consistency
+for overlayfs.
+
+Signed-off-by: Chengguang Xu <cgxu@mykernel.net>
+Fixes: e593b2bf513d ("ovl: properly implement sync_filesystem()")
+Cc: <stable@vger.kernel.org> #4.11
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/overlayfs/super.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -183,6 +183,7 @@ static void ovl_put_super(struct super_b
+ kfree(ufs);
+ }
+
++/* Sync real dirty inodes in upper filesystem (if it exists) */
+ static int ovl_sync_fs(struct super_block *sb, int wait)
+ {
+ struct ovl_fs *ufs = sb->s_fs_info;
+@@ -191,14 +192,24 @@ static int ovl_sync_fs(struct super_bloc
+
+ if (!ufs->upper_mnt)
+ return 0;
+- upper_sb = ufs->upper_mnt->mnt_sb;
+- if (!upper_sb->s_op->sync_fs)
++ /*
++ * If this is a sync(2) call or an emergency sync, all the super blocks
++ * will be iterated, including upper_sb, so no need to do anything.
++ *
++ * If this is a syncfs(2) call, then we do need to call
++ * sync_filesystem() on upper_sb, but enough if we do it when being
++ * called with wait == 1.
++ */
++ if (!wait)
+ return 0;
+
+ /* real inodes have already been synced by sync_filesystem(ovl_sb) */
++ upper_sb = ufs->upper_mnt->mnt_sb;
++
+ down_read(&upper_sb->s_umount);
+- ret = upper_sb->s_op->sync_fs(upper_sb, wait);
++ ret = sync_filesystem(upper_sb);
+ up_read(&upper_sb->s_umount);
++
+ return ret;
+ }
+
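Review bot: The context comment `/* real inodes have already been synced by sync_filesystem(ovl_sb) */` is kept in ovl_sync_fs(), but it now sits directly above code that calls `sync_filesystem(upper_sb)` precisely because upper dirty data was not being synced, so it appears to contradict both the new function comment and the patch description. I would drop it or reword it, for example `/* flush dirty data and metadata of the upper filesystem */`. The rest of the second hunk is documented well by the added block comment on the `!wait` early return.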
diff --git a/patches.fixes/ovl-fix-format-of-setxattr-debug.patch b/patches.fixes/ovl-fix-format-of-setxattr-debug.patch
new file mode 100644
index 0000000000..a72cc9c48f
--- /dev/null
+++ b/patches.fixes/ovl-fix-format-of-setxattr-debug.patch
@@ -0,0 +1,34 @@
+From 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu Oct 4 14:49:10 2018 +0200
+Subject: [PATCH] ovl: fix format of setxattr debug
+Git-commit: 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa
+References: git-fixes
+Patch-mainline: v4.19-rc7
+
+Format has a typo: it was meant to be "%.*s", not "%*s". But at some point
+callers grew nonprintable values as well, so use "%*pE" instead with a
+maximized length.
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 3a1e819b4e80 ("ovl: store file handle of lower inode on copy up")
+Cc: <stable@vger.kernel.org> # v4.12
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
+index f61839e..a3c0d95 100644
+
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -152,8 +152,8 @@ static inline int ovl_do_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
+ {
+ int err = vfs_setxattr(dentry, name, value, size, flags);
+- pr_debug("setxattr(%pd2, \"%s\", \"%*s\", 0x%x) = %i\n",
+- dentry, name, (int) size, (char *) value, flags, err);
++ pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, 0x%x) = %i\n",
++ dentry, name, min((int)size, 48), value, size, flags, err);
+ return err;
+ }
+
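Review bot: In the new pr_debug() the length is narrowed before it is clamped: `min((int)size, 48)` casts the size_t to int first, so a size above INT_MAX would turn negative and would no longer be bounded by 48. xattr sizes are presumably limited well below that before this helper runs, so this is hardening rather than a live bug, but clamping in the unsigned domain is just as short: `(int)min_t(size_t, size, 48)`. The bare `48` would also read better as a named constant with a comment that it caps how many value bytes reach the debug log.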
diff --git a/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch b/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
new file mode 100644
index 0000000000..11036df88c
--- /dev/null
+++ b/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
@@ -0,0 +1,73 @@
+From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri Oct 5 15:51:58 2018 -0700
+Subject: [PATCH] proc: restrict kernel stack dumps to root
+Git-commit: f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7
+References: git-fixes
+Patch-mainline: v4.19-rc7
+
+Currently, you can use /proc/self/task/*/stack to cause a stack walk on
+a task you control while it is running on another CPU. That means that
+the stack can change under the stack walker. The stack walker does
+have guards against going completely off the rails and into random
+kernel memory, but it can interpret random data from your kernel stack
+as instruction pointers and stack pointers. This can cause exposure of
+kernel stack contents to userspace.
+
+Restrict the ability to inspect kernel stacks of arbitrary tasks to root
+in order to prevent a local attacker from exploiting racy stack unwinding
+to leak kernel task stack contents. See the added comment for a longer
+rationale.
+
+There don't seem to be any users of this userspace API that can't
+gracefully bail out if reading from the file fails. Therefore, I believe
+that this change is unlikely to break things. In the case that this patch
+does end up needing a revert, the next-best solution might be to fake a
+single-entry stack based on wchan.
+
+Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
+Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Ken Chen <kenchen@google.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/proc/base.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -428,6 +428,20 @@ static int proc_pid_stack(struct seq_fil
+ int err;
+ int i;
+
++ /*
++ * The ability to racily run the kernel stack unwinder on a running task
++ * and then observe the unwinder output is scary; while it is useful for
++ * debugging kernel issues, it can also allow an attacker to leak kernel
++ * stack contents.
++ * Doing this in a manner that is at least safe from races would require
++ * some work to ensure that the remote task can not be scheduled; and
++ * even then, this would still expose the unwinder as local attack
++ * surface.
++ * Therefore, this interface is restricted to root.
++ */
++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
++ return -EACCES;
++
+ entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
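Review bot: The added comment in proc_pid_stack() ends with "this interface is restricted to root", but the check is `file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)`, which tests the credentials the file was opened with for CAP_SYS_ADMIN in the initial user namespace rather than uid 0. Wording the last sentence as `Therefore, this interface is restricted to openers with CAP_SYS_ADMIN in the initial user namespace.` would keep readers from assuming that root inside a user namespace, or uid 0 with dropped capabilities, still passes. Readers without that capability now get -EACCES, so monitoring or crash-collection tooling that reads /proc/<pid>/stack should be checked when this lands. The function body continues outside the hunk.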
diff --git a/patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch b/patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch
new file mode 100644
index 0000000000..f287440baf
--- /dev/null
+++ b/patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch
@@ -0,0 +1,62 @@
+From ffc4c92227db5699493e43eb140b4cb5904c30ff Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue Sep 18 00:36:36 2018 -0400
+Subject: [PATCH] sysfs: Do not return POSIX ACL xattrs via listxattr
+Git-commit: ffc4c92227db5699493e43eb140b4cb5904c30ff
+References: git-fixes
+Patch-mainline: v4.19-rc7
+
+Commit 786534b92f3c introduced a regression that caused listxattr to
+return the POSIX ACL attribute names even though sysfs doesn't support
+POSIX ACLs. This happens because simple_xattr_list checks for NULL
+i_acl / i_default_acl, but inode_init_always initializes those fields
+to ACL_NOT_CACHED ((void *)-1). For example:
+ $ getfattr -m- -d /sys
+ /sys: system.posix_acl_access: Operation not supported
+ /sys: system.posix_acl_default: Operation not supported
+Fix this in simple_xattr_list by checking if the filesystem supports POSIX ACLs.
+
+Fixes: 786534b92f3c ("tmpfs: listxattr should include POSIX ACL xattrs")
+Reported-by: Marc Aurèle La France <tsi@tuyoix.net>
+Tested-by: Marc Aurèle La France <tsi@tuyoix.net>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+diff --git a/fs/xattr.c b/fs/xattr.c
+index daa7325..0d6a6a4 100644
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -948,17 +948,19 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
+ int err = 0;
+
+ #ifdef CONFIG_FS_POSIX_ACL
+- if (inode->i_acl) {
+- err = xattr_list_one(&buffer, &remaining_size,
+- XATTR_NAME_POSIX_ACL_ACCESS);
+- if (err)
+- return err;
+- }
+- if (inode->i_default_acl) {
+- err = xattr_list_one(&buffer, &remaining_size,
+- XATTR_NAME_POSIX_ACL_DEFAULT);
+- if (err)
+- return err;
++ if (IS_POSIXACL(inode)) {
++ if (inode->i_acl) {
++ err = xattr_list_one(&buffer, &remaining_size,
++ XATTR_NAME_POSIX_ACL_ACCESS);
++ if (err)
++ return err;
++ }
++ if (inode->i_default_acl) {
++ err = xattr_list_one(&buffer, &remaining_size,
++ XATTR_NAME_POSIX_ACL_DEFAULT);
++ if (err)
++ return err;
++ }
+ }
+ #endif
+
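Review bot: The new `IS_POSIXACL(inode)` guard in simple_xattr_list() has no comment, and the reason for it is not visible in the code: per the commit message, `i_acl` and `i_default_acl` are initialized to ACL_NOT_CACHED rather than NULL. A line such as `/* i_acl/i_default_acl default to ACL_NOT_CACHED, so only consult them when the fs supports POSIX ACLs */` above the guard would record that. The inner `if (inode->i_acl)` tests still treat any non-NULL value as an ACL being present, which presumably relies on ACL-capable filesystems resetting those fields; that assumption should be confirmed for this tree. The function starts and ends outside the hunk.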
diff --git a/series.conf b/series.conf
index c799a72232..60750a43e1 100644
--- a/series.conf
+++ b/series.conf
@@ -10584,6 +10584,7 @@
patches.arch/0003-arm64-mm-Fix-false-positives-in-set_pte_at-access-di.patch
patches.suse/0005-arm64-Define-cputype-macros-for-Falkor-CPU.patch
patches.arch/0001-arm64-fix-CONFIG_DEBUG_WX-address-reporting.patch
+ patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch
patches.fixes/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch
patches.drivers/scsi-lpfc-Use-after-free-in-lpfc_rq_buf_free.patch
patches.drivers/libfc-fix-ELS-request-handling.patch
@@ -15567,6 +15568,7 @@
patches.fixes/affs_lookup-close-a-race-with-affs_remove_link.patch
patches.fixes/befs_lookup-use-d_splice_alias.patch
patches.fixes/ext2-fix-a-block-leak.patch
+ patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch
patches.drivers/scsi-zfcp-fix-infinite-iteration-on-erp-ready-list.patch
patches.fixes/scsi-core-clean-up-generated-file-scsi_devinfo_tbl.c.patch
patches.drivers/scsi-sg-allocate-with-_gfp_zero-in-sg_build_indirect.patch
@@ -17604,6 +17606,7 @@
patches.arch/powerpc-topology-Get-topology-for-shared-processors-.patch
patches.arch/KVM-PPC-Book3S-Fix-guest-DMA-when-guest-partially-ba.patch
patches.arch/powerpc-mce-Fix-SLB-rebolting-during-MCE-recovery-pa.patch
+ patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch
patches.apparmor/apparmor-Fully-initialize-aa_perms-struct-when-answe.patch
patches.apparmor/apparmor-Fix-failure-to-audit-context-info-in-build_.patch
patches.apparmor/apparmor-fix-an-error-code-in-__aa_create_ns.patch
@@ -17836,6 +17839,7 @@
patches.drivers/Input-elantech-enable-middle-button-of-touchpad-on-T.patch
patches.arch/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch
patches.drivers/soc-fsl-qe-Fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch
+ patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch
patches.drivers/qed-Fix-shmem-structure-inconsistency-between-driver.patch
patches.drivers/cfg80211-reg-Init-wiphy_idx-in-regulatory_hint_core.patch
patches.drivers/mac80211-fix-pending-queue-hang-due-to-TX_DROP.patch
@@ -17851,6 +17855,7 @@
patches.suse/ipv4-fix-use-after-free-in-ip_cmsg_recv_dstaddr.patch
patches.drivers/0001-drm-i915-Handle-incomplete-Z_FINISH-for-compressed-e.patch
patches.arch/ARM-8799-1-mm-fix-pci_ioremap_io-offset-check.patch
+ patches.fixes/ovl-fix-format-of-setxattr-debug.patch
patches.fixes/crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmet.patch
patches.drivers/crypto-mxs-dcp-Fix-wait-logic-on-chan-threads.patch
patches.drivers/crypto-qat-Fix-KASAN-stack-out-of-bounds-bug-in-adf_.patch
@@ -17862,6 +17867,7 @@
patches.arch/x86-vdso-fix-vdso-syscall-fallback-asm-constraint-regression
patches.fixes/PM-core-Clear-the-direct_complete-flag-on-errors.patch
patches.drivers/gpiolib-Free-the-last-requested-descriptor.patch
+ patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
patches.fixes/mac80211-fix-setting-IEEE80211_KEY_FLAG_RX_MGMT-for-.patch
patches.fixes/team-Forbid-enslaving-team-device-to-itself.patch
patches.arch/powerpc-numa-Skip-onlining-a-offline-node-in-kdump-p.patch