From: Greg Kroah-Hartman Date: Mon, 15 Oct 2012 23:45:38 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.47~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2c9b09106ab37a51c2bd758b774db2de018f1cf7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch netfilter-limit-hashlimit-avoid-duplicated-inline.patch netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch netfilter-xt_limit-have-r-cost-0-case-work.patch --- diff --git a/queue-3.4/ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch b/queue-3.4/ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch new file mode 100644 index 00000000000..863c3373e74 --- /dev/null +++ b/queue-3.4/ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch 
@@ -0,0 +1,111 @@ +From 9e33ce453f8ac8452649802bee1f410319408f4b Mon Sep 17 00:00:00 2001 +From: Lin Ming +Date: Sat, 7 Jul 2012 18:26:10 +0800 +Subject: ipvs: fix oops on NAT reply in br_nf context + +From: Lin Ming + +commit 9e33ce453f8ac8452649802bee1f410319408f4b upstream. + +IPVS should not reset skb->nf_bridge in FORWARD hook +by calling nf_reset for NAT replies. It triggers oops in +br_nf_forward_finish. + +[ 579.781508] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 +[ 579.781669] IP: [] br_nf_forward_finish+0x58/0x112 +[ 579.781792] PGD 218f9067 PUD 0 +[ 579.781865] Oops: 0000 [#1] SMP +[ 579.781945] CPU 0 +[ 579.781983] Modules linked in: +[ 579.782047] +[ 579.782080] +[ 579.782114] Pid: 4644, comm: qemu Tainted: G W 3.5.0-rc5-00006-g95e69f9 #282 Hewlett-Packard /30E8 +[ 579.782300] RIP: 0010:[] [] br_nf_forward_finish+0x58/0x112 +[ 579.782455] RSP: 0018:ffff88007b003a98 EFLAGS: 00010287 +[ 579.782541] RAX: 0000000000000008 RBX: ffff8800762ead00 RCX: 000000000001670a +[ 579.782653] RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff8800762ead00 +[ 579.782845] RBP: ffff88007b003ac8 R08: 0000000000016630 R09: ffff88007b003a90 +[ 579.782957] R10: ffff88007b0038e8 R11: ffff88002da37540 R12: ffff88002da01a02 +[ 579.783066] R13: ffff88002da01a80 R14: ffff88002d83c000 R15: ffff88002d82a000 +[ 579.783177] FS: 0000000000000000(0000) GS:ffff88007b000000(0063) knlGS:00000000f62d1b70 +[ 579.783306] CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b +[ 579.783395] CR2: 0000000000000004 CR3: 00000000218fe000 CR4: 00000000000027f0 +[ 579.783505] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 579.783684] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 579.783795] Process qemu (pid: 4644, threadinfo ffff880021b20000, task ffff880021aba760) +[ 579.783919] Stack: +[ 579.783959] ffff88007693cedc ffff8800762ead00 ffff88002da01a02 ffff8800762ead00 +[ 579.784110] ffff88002da01a02 ffff88002da01a80 
ffff88007b003b18 ffffffff817b26c7 +[ 579.784260] ffff880080000000 ffffffff81ef59f0 ffff8800762ead00 ffffffff81ef58b0 +[ 579.784477] Call Trace: +[ 579.784523] +[ 579.784562] +[ 579.784603] [] br_nf_forward_ip+0x275/0x2c8 +[ 579.784707] [] nf_iterate+0x47/0x7d +[ 579.784797] [] ? br_dev_queue_push_xmit+0xae/0xae +[ 579.784906] [] nf_hook_slow+0x6d/0x102 +[ 579.784995] [] ? br_dev_queue_push_xmit+0xae/0xae +[ 579.785175] [] ? _raw_write_unlock_bh+0x19/0x1b +[ 579.785179] [] __br_forward+0x97/0xa2 +[ 579.785179] [] br_handle_frame_finish+0x1a6/0x257 +[ 579.785179] [] br_nf_pre_routing_finish+0x26d/0x2cb +[ 579.785179] [] br_nf_pre_routing+0x55d/0x5c1 +[ 579.785179] [] nf_iterate+0x47/0x7d +[ 579.785179] [] ? br_handle_local_finish+0x44/0x44 +[ 579.785179] [] nf_hook_slow+0x6d/0x102 +[ 579.785179] [] ? br_handle_local_finish+0x44/0x44 +[ 579.785179] [] ? sky2_poll+0xb35/0xb54 +[ 579.785179] [] br_handle_frame+0x213/0x229 +[ 579.785179] [] ? br_handle_frame_finish+0x257/0x257 +[ 579.785179] [] __netif_receive_skb+0x2b4/0x3f1 +[ 579.785179] [] process_backlog+0x99/0x1e2 +[ 579.785179] [] net_rx_action+0xdf/0x242 +[ 579.785179] [] __do_softirq+0xc1/0x1e0 +[ 579.785179] [] ? trace_hardirqs_off_thunk+0x3a/0x6c +[ 579.785179] [] call_softirq+0x1c/0x30 + +The steps to reproduce as follow, + +1. On Host1, setup brige br0(192.168.1.106) +2. Boot a kvm guest(192.168.1.105) on Host1 and start httpd +3. Start IPVS service on Host1 + ipvsadm -A -t 192.168.1.106:80 -s rr + ipvsadm -a -t 192.168.1.106:80 -r 192.168.1.105:80 -m +4. Run apache benchmark on Host2(192.168.1.101) + ab -n 1000 http://192.168.1.106/ + +ip_vs_reply4 + ip_vs_out + handle_response + ip_vs_notrack + nf_reset() + { + skb->nf_bridge = NULL; + } + +Actually, IPVS wants in this case just to replace nfct +with untracked version. So replace the nf_reset(skb) call +in ip_vs_notrack() with a nf_conntrack_put(skb->nfct) call. 
+ +Signed-off-by: Lin Ming +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Acked-by: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/ip_vs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -1356,7 +1356,7 @@ static inline void ip_vs_notrack(struct + struct nf_conn *ct = nf_ct_get(skb, &ctinfo); + + if (!ct || !nf_ct_is_untracked(ct)) { +- nf_reset(skb); ++ nf_conntrack_put(skb->nfct); + skb->nfct = &nf_ct_untracked_get()->ct_general; + skb->nfctinfo = IP_CT_NEW; + nf_conntrack_get(skb->nfct); diff --git a/queue-3.4/netfilter-limit-hashlimit-avoid-duplicated-inline.patch b/queue-3.4/netfilter-limit-hashlimit-avoid-duplicated-inline.patch new file mode 100644 index 00000000000..7f964b8018a --- /dev/null +++ b/queue-3.4/netfilter-limit-hashlimit-avoid-duplicated-inline.patch 
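Review bot: in ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch, the new `nf_conntrack_put(skb->nfct);` is also reached on the `!ct` side of `if (!ct || !nf_ct_is_untracked(ct))`, i.e. with skb->nfct == NULL; that is safe only because nf_conntrack_put() tolerates a NULL argument, so a one-line comment saying so would stop a later reader from adding a NULL check or reinstating nf_reset(). The substitution itself is the right fix for the trace above: nf_reset() clears skb->nf_bridge, which is what br_nf_forward_finish dereferences, whereas nf_conntrack_put() only drops the conntrack reference before skb->nfct is pointed at the untracked entry.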
@@ -0,0 +1,81 @@ +From 7a909ac70f6b0823d9f23a43f19598d4b57ac901 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 7 May 2012 10:51:43 +0000 +Subject: netfilter: limit, hashlimit: avoid duplicated inline + +From: Florian Westphal + +commit 7a909ac70f6b0823d9f23a43f19598d4b57ac901 upstream. + +credit_cap can be set to credit, which avoids inlining user2credits +twice. Also, remove inline keyword and let compiler decide. + +old: + 684 192 0 876 36c net/netfilter/xt_limit.o + 4927 344 32 5303 14b7 net/netfilter/xt_hashlimit.o +now: + 668 192 0 860 35c net/netfilter/xt_limit.o + 4793 344 32 5169 1431 net/netfilter/xt_hashlimit.o + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Acked-by: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_hashlimit.c | 8 +++----- + net/netfilter/xt_limit.c | 5 ++--- + 2 files changed, 5 insertions(+), 8 deletions(-) + +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -389,8 +389,7 @@ static void htable_put(struct xt_hashlim + #define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ) + + /* Precision saver. */ +-static inline u_int32_t +-user2credits(u_int32_t user) ++static u32 user2credits(u32 user) + { + /* If multiplying would overflow... 
*/ + if (user > 0xFFFFFFFF / (HZ*CREDITS_PER_JIFFY)) +@@ -400,7 +399,7 @@ user2credits(u_int32_t user) + return (user * HZ * CREDITS_PER_JIFFY) / XT_HASHLIMIT_SCALE; + } + +-static inline void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now) ++static void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now) + { + dh->rateinfo.credit += (now - dh->rateinfo.prev) * CREDITS_PER_JIFFY; + if (dh->rateinfo.credit > dh->rateinfo.credit_cap) +@@ -535,8 +534,7 @@ hashlimit_mt(const struct sk_buff *skb, + dh->rateinfo.prev = jiffies; + dh->rateinfo.credit = user2credits(hinfo->cfg.avg * + hinfo->cfg.burst); +- dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * +- hinfo->cfg.burst); ++ dh->rateinfo.credit_cap = dh->rateinfo.credit; + dh->rateinfo.cost = user2credits(hinfo->cfg.avg); + } else { + /* update expiration timeout */ +--- a/net/netfilter/xt_limit.c ++++ b/net/netfilter/xt_limit.c +@@ -88,8 +88,7 @@ limit_mt(const struct sk_buff *skb, stru + } + + /* Precision saver. */ +-static u_int32_t +-user2credits(u_int32_t user) ++static u32 user2credits(u32 user) + { + /* If multiplying would overflow... */ + if (user > 0xFFFFFFFF / (HZ*CREDITS_PER_JIFFY)) +@@ -123,7 +122,7 @@ static int limit_mt_check(const struct x + 128. */ + priv->prev = jiffies; + priv->credit = user2credits(r->avg * r->burst); /* Credits full. */ +- r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */ ++ r->credit_cap = priv->credit; /* Credits full. */ + r->cost = user2credits(r->avg); + } + return 0; diff --git a/queue-3.4/netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch b/queue-3.4/netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch new file mode 100644 index 00000000000..2b8922dd8ed --- /dev/null +++ b/queue-3.4/netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch 
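Review bot: in netfilter-limit-hashlimit-avoid-duplicated-inline.patch, `dh->rateinfo.credit_cap = dh->rateinfo.credit;` and `r->credit_cap = priv->credit;` now depend on the assignment on the line immediately above them; a short comment ("cap starts equal to the full initial credit") would keep a later reordering from silently reintroducing the divergence. Behaviour is unchanged, since both sides previously called user2credits() on the same `avg * burst` product. Two things worth noting while here: the product `hinfo->cfg.avg * hinfo->cfg.burst` (and `r->avg * r->burst`) is formed before the overflow guard inside user2credits() runs, so that guard does not cover the multiplication itself; and the new xt_limit line `r->credit_cap = priv->credit;` is exactly the context line that netfilter-xt_limit-have-r-cost-0-case-work.patch later in this queue expects, so this patch must stay ahead of it in series.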
@@ -0,0 +1,122 @@ +From 2614f86490122bf51eb7c12ec73927f1900f4e7d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 16 Aug 2012 02:25:24 +0200 +Subject: netfilter: nf_ct_expect: fix possible access to uninitialized timer + +From: Pablo Neira Ayuso + +commit 2614f86490122bf51eb7c12ec73927f1900f4e7d upstream. + +In __nf_ct_expect_check, the function refresh_timer returns 1 +if a matching expectation is found and its timer is successfully +refreshed. This results in nf_ct_expect_related returning 0. +Note that at this point: + +- the passed expectation is not inserted in the expectation table + and its timer was not initialized, since we have refreshed one + matching/existing expectation. + +- nf_ct_expect_alloc uses kmem_cache_alloc, so the expectation + timer is in some undefined state just after the allocation, + until it is appropriately initialized. + +This can be a problem for the SIP helper during the expectation +addition: + + ... + if (nf_ct_expect_related(rtp_exp) == 0) { + if (nf_ct_expect_related(rtcp_exp) != 0) + nf_ct_unexpect_related(rtp_exp); + ... + +Note that nf_ct_expect_related(rtp_exp) may return 0 for the timer refresh +case that is detailed above. Then, if nf_ct_unexpect_related(rtcp_exp) +returns != 0, nf_ct_unexpect_related(rtp_exp) is called, which does: + + spin_lock_bh(&nf_conntrack_lock); + if (del_timer(&exp->timeout)) { + nf_ct_unlink_expect(exp); + nf_ct_expect_put(exp); + } + spin_unlock_bh(&nf_conntrack_lock); + +Note that del_timer always returns false if the timer has been +initialized. However, the timer was not initialized since setup_timer +was not called, therefore, the expectation timer remains in some +undefined state. If I'm not missing anything, this may lead to the +removal an unexistent expectation. + +To fix this, the optimization that allows refreshing an expectation +is removed. Now nf_conntrack_expect_related looks more consistent +to me since it always add the expectation in case that it returns +success. 
+ +Thanks to Patrick McHardy for participating in the discussion of +this patch. + +I think this may be the source of the problem described by: +http://marc.info/?l=netfilter-devel&m=134073514719421&w=2 + +Reported-by: Rafal Fitt +Acked-by: Patrick McHardy +Signed-off-by: Pablo Neira Ayuso +Acked-by: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_expect.c | 29 ++++++----------------------- + 1 file changed, 6 insertions(+), 23 deletions(-) + +--- a/net/netfilter/nf_conntrack_expect.c ++++ b/net/netfilter/nf_conntrack_expect.c +@@ -361,23 +361,6 @@ static void evict_oldest_expect(struct n + } + } + +-static inline int refresh_timer(struct nf_conntrack_expect *i) +-{ +- struct nf_conn_help *master_help = nfct_help(i->master); +- const struct nf_conntrack_expect_policy *p; +- +- if (!del_timer(&i->timeout)) +- return 0; +- +- p = &rcu_dereference_protected( +- master_help->helper, +- lockdep_is_held(&nf_conntrack_lock) +- )->expect_policy[i->class]; +- i->timeout.expires = jiffies + p->timeout * HZ; +- add_timer(&i->timeout); +- return 1; +-} +- + static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) + { + const struct nf_conntrack_expect_policy *p; +@@ -386,7 +369,7 @@ static inline int __nf_ct_expect_check(s + struct nf_conn_help *master_help = nfct_help(master); + struct nf_conntrack_helper *helper; + struct net *net = nf_ct_exp_net(expect); +- struct hlist_node *n; ++ struct hlist_node *n, *next; + unsigned int h; + int ret = 1; + +@@ -395,12 +378,12 @@ static inline int __nf_ct_expect_check(s + goto out; + } + h = nf_ct_expect_dst_hash(&expect->tuple); +- hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) { ++ hlist_for_each_entry_safe(i, n, next, &net->ct.expect_hash[h], hnode) { + if (expect_matches(i, expect)) { +- /* Refresh timer: if it's dying, ignore.. 
*/ +- if (refresh_timer(i)) { +- ret = 0; +- goto out; ++ if (del_timer(&i->timeout)) { ++ nf_ct_unlink_expect(i); ++ nf_ct_expect_put(i); ++ break; + } + } else if (expect_clash(i, expect)) { + ret = -EBUSY; diff --git a/queue-3.4/netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch b/queue-3.4/netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch new file mode 100644 index 00000000000..5facea87863 --- /dev/null +++ b/queue-3.4/netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch 
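Review bot: in netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch, the `break;` after `nf_ct_expect_put(i);` ends the bucket scan early, so entries later in the same chain are no longer run through expect_clash(); the removed refresh path had the same effect via `goto out`, so this is not a regression, but a comment on why a matching entry cannot coexist with a clashing one in the same bucket would help the next reader. When `del_timer(&i->timeout)` fails the matching entry is already being torn down by its timer, the loop just continues and the new expectation is inserted beside the dying one, which preserves the old "if it's dying, ignore" behaviour. The switch to hlist_for_each_entry_safe() is required because nf_ct_unlink_expect() removes `i` from the list being walked, and the `lockdep_is_held(&nf_conntrack_lock)` in the deleted refresh_timer() confirms the caller holds the same lock that nf_ct_unexpect_related() (quoted in the commit message) takes around the identical unlink/put pair.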
@@ -0,0 +1,51 @@ +From 3f509c689a07a4aa989b426893d8491a7ffcc410 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 29 Aug 2012 15:24:09 +0000 +Subject: netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation + +From: Pablo Neira Ayuso + +commit 3f509c689a07a4aa989b426893d8491a7ffcc410 upstream. + +We're hitting bug while trying to reinsert an already existing +expectation: + +kernel BUG at kernel/timer.c:895! +invalid opcode: 0000 [#1] SMP +[...] +Call Trace: + + [] nf_ct_expect_related_report+0x4a0/0x57a [nf_conntrack] + [] ? in4_pton+0x72/0x131 + [] ip_nat_sdp_media+0xeb/0x185 [nf_nat_sip] + [] set_expected_rtp_rtcp+0x32d/0x39b [nf_conntrack_sip] + [] process_sdp+0x30c/0x3ec [nf_conntrack_sip] + [] ? irq_exit+0x9a/0x9c + [] ? ip_nat_sdp_media+0x185/0x185 [nf_nat_sip] + +We have to remove the RTP expectation if the RTCP expectation hits EBUSY +since we keep trying with other ports until we succeed. + +Reported-by: Rafal Fitt +Acked-by: David Miller +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/nf_nat_sip.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/netfilter/nf_nat_sip.c ++++ b/net/ipv4/netfilter/nf_nat_sip.c +@@ -501,7 +501,10 @@ static unsigned int ip_nat_sdp_media(str + ret = nf_ct_expect_related(rtcp_exp); + if (ret == 0) + break; +- else if (ret != -EBUSY) { ++ else if (ret == -EBUSY) { ++ nf_ct_unexpect_related(rtp_exp); ++ continue; ++ } else if (ret < 0) { + nf_ct_unexpect_related(rtp_exp); + port = 0; + break; diff --git a/queue-3.4/netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch b/queue-3.4/netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch new file mode 100644 index 00000000000..46f446cbf4b --- /dev/null +++ b/queue-3.4/netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch 
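Review bot: in netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch, the new `} else if (ret < 0) {` replaces what was effectively an unconditional else (`ret != -EBUSY` once `ret == 0` has been handled), so any positive return would now fall through with rtp_exp still registered and `port` unchanged; nf_ct_expect_related() returns only 0 or a negative errno, so a plain `} else {` expresses the intent without depending on that. The EBUSY branch's `nf_ct_unexpect_related(rtp_exp); continue;` relies on the enclosing loop, which is outside this hunk, re-registering rtp_exp on the next port before the RTCP attempt is repeated; please confirm that against the surrounding code, since the hunk does not show the loop header.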
@@ -0,0 +1,49 @@ +From f22eb25cf5b1157b29ef88c793b71972efc47143 Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Thu, 9 Aug 2012 10:08:47 +0000 +Subject: netfilter: nf_nat_sip: fix via header translation with multiple parameters + +From: Patrick McHardy + +commit f22eb25cf5b1157b29ef88c793b71972efc47143 upstream. + +Via-headers are parsed beginning at the first character after the Via-address. +When the address is translated first and its length decreases, the offset to +start parsing at is incorrect and header parameters might be missed. + +Update the offset after translating the Via-address to fix this. + +Signed-off-by: Patrick McHardy +Signed-off-by: Pablo Neira Ayuso +Acked-by: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/nf_nat_sip.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv4/netfilter/nf_nat_sip.c ++++ b/net/ipv4/netfilter/nf_nat_sip.c +@@ -148,7 +148,7 @@ static unsigned int ip_nat_sip(struct sk + if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, + hdr, NULL, &matchoff, &matchlen, + &addr, &port) > 0) { +- unsigned int matchend, poff, plen, buflen, n; ++ unsigned int olen, matchend, poff, plen, buflen, n; + char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")]; + + /* We're only interested in headers related to this +@@ -163,11 +163,12 @@ static unsigned int ip_nat_sip(struct sk + goto next; + } + ++ olen = *datalen; + if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen, + &addr, port)) + return NF_DROP; + +- matchend = matchoff + matchlen; ++ matchend = matchoff + matchlen + *datalen - olen; + + /* The maddr= parameter (RFC 2361) specifies where to send + * the reply. */ diff --git a/queue-3.4/netfilter-xt_limit-have-r-cost-0-case-work.patch b/queue-3.4/netfilter-xt_limit-have-r-cost-0-case-work.patch new file mode 100644 index 00000000000..057cc7de077 --- /dev/null +++ b/queue-3.4/netfilter-xt_limit-have-r-cost-0-case-work.patch 
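Review bot: in netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch, `matchend = matchoff + matchlen + *datalen - olen;` reads like an unsigned underflow whenever the translated address is shorter (`*datalen < olen`), which is precisely the case the commit message describes. It is correct, because the wrap-around cancels in modular arithmetic and the result equals the intended `matchoff + matchlen - (olen - *datalen)`, but a comment stating that the length delta may be negative and the unsigned wrap is intended would prevent a well-meaning "fix". The `olen = *datalen;` snapshot sits immediately before the map_addr() call that can change *datalen, which is the right place for it.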
@@ -0,0 +1,42 @@ +From 82e6bfe2fbc4d48852114c4f979137cd5bf1d1a8 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Fri, 21 Sep 2012 22:26:52 +0000 +Subject: netfilter: xt_limit: have r->cost != 0 case work + +From: Jan Engelhardt + +commit 82e6bfe2fbc4d48852114c4f979137cd5bf1d1a8 upstream. + +Commit v2.6.19-rc1~1272^2~41 tells us that r->cost != 0 can happen when +a running state is saved to userspace and then reinstated from there. + +Make sure that private xt_limit area is initialized with correct values. +Otherwise, random matchings due to use of uninitialized memory. + +Signed-off-by: Jan Engelhardt +Signed-off-by: Pablo Neira Ayuso +Acked-by: David Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_limit.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/netfilter/xt_limit.c ++++ b/net/netfilter/xt_limit.c +@@ -117,11 +117,11 @@ static int limit_mt_check(const struct x + + /* For SMP, we only want to use one set of state. */ + r->master = priv; ++ /* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies * ++ 128. */ ++ priv->prev = jiffies; ++ priv->credit = user2credits(r->avg * r->burst); /* Credits full. */ + if (r->cost == 0) { +- /* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies * +- 128. */ +- priv->prev = jiffies; +- priv->credit = user2credits(r->avg * r->burst); /* Credits full. */ + r->credit_cap = priv->credit; /* Credits full. */ + r->cost = user2credits(r->avg); + } diff --git a/queue-3.4/series b/queue-3.4/series index 9092a27f6c1..f14c788b4fe 100644 --- a/queue-3.4/series +++ b/queue-3.4/series 
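Review bot: in netfilter-xt_limit-have-r-cost-0-case-work.patch, the moved comment `/* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies * 128. */` now sits above `priv->prev = jiffies;` but describes the user2credits() conversion on the line after it; placing it directly above `priv->credit = ...` keeps it accurate. With the move, `priv->prev` and `priv->credit` are set unconditionally at that point while `r->credit_cap` and `r->cost` are still derived only when `r->cost == 0`, so for the restored-from-userspace case the commit message describes the saved credit_cap and cost are kept and only the private state is rebuilt, which matches the stated intent. The hunk's context line `r->credit_cap = priv->credit;` exists only after netfilter-limit-hashlimit-avoid-duplicated-inline.patch has been applied, so the series must keep that patch first.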
@@ -35,3 +35,9 @@ ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch netfilter-ipset-fix-timeout-value-overflow-bug.patch netfilter-ipset-timeout-fixing-bug-broke-set-target-special-timeout-value.patch +ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch +netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch +netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch +netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch +netfilter-limit-hashlimit-avoid-duplicated-inline.patch +netfilter-xt_limit-have-r-cost-0-case-work.patch
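Review bot: in queue-3.4/series the six new entries are appended in an order that differs from the list in the commit message, which is fine as long as the one real dependency holds: netfilter-limit-hashlimit-avoid-duplicated-inline.patch must precede netfilter-xt_limit-have-r-cost-0-case-work.patch, because the latter's hunk carries `r->credit_cap = priv->credit;` as context and that line is introduced by the former; the series does keep them in that order. The two nf_nat_sip patches touch disjoint regions of net/ipv4/netfilter/nf_nat_sip.c (around lines 148-163 and around line 501), so their relative order is not significant.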