From: Greg Kroah-Hartman Date: Wed, 26 Sep 2018 09:28:29 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.18.11~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=671ac0d20a58f007c053617884e036911c52297b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: gso_segment-reset-skb-mac_len-after-modifying-network-header.patch ipv6-fix-possible-use-after-free-in-ip6_xmit.patch neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch net-hp100-fix-always-true-check-for-link-up-state.patch net-sched-act_sample-fix-null-dereference-in-the-data-path.patch pppoe-fix-reception-of-frames-with-no-mac-header.patch qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch tls-zero-the-crypto-information-from-tls_context-before-freeing.patch udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch udp6-add-missing-checks-on-edumux-packet-processing.patch --- diff --git a/queue-4.14/gso_segment-reset-skb-mac_len-after-modifying-network-header.patch b/queue-4.14/gso_segment-reset-skb-mac_len-after-modifying-network-header.patch new file mode 100644 index 00000000000..7df35963efc --- /dev/null +++ b/queue-4.14/gso_segment-reset-skb-mac_len-after-modifying-network-header.patch @@ -0,0 +1,55 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: "Toke Høiland-Jørgensen" +Date: Thu, 13 Sep 2018 16:43:07 +0200 +Subject: gso_segment: Reset skb->mac_len after modifying network header + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit c56cae23c6b167acc68043c683c4573b80cbcc2c ] + +When splitting a GSO segment that consists of encapsulated packets, the +skb->mac_len of the segments can end up being set wrong, causing packet +drops in particular when using act_mirred and ifb interfaces in +combination with a qdisc that splits GSO packets. + +This happens because at the time skb_segment() is called, network_header +will point to the inner header, throwing off the calculation in +skb_reset_mac_len(). The network_header is subsequently adjust by the +outer IP gso_segment handlers, but they don't set the mac_len. + +Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6 +gso_segment handlers, after they modify the network_header. + +Many thanks to Eric Dumazet for his help in identifying the cause of +the bug. + +Acked-by: Dave Taht +Reviewed-by: Eric Dumazet +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/af_inet.c | 1 + + net/ipv6/ip6_offload.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -1307,6 +1307,7 @@ struct sk_buff *inet_gso_segment(struct + if (encap) + skb_reset_inner_headers(skb); + skb->network_header = (u8 *)iph - skb->head; ++ skb_reset_mac_len(skb); + } while ((skb = skb->next)); + + out: +--- a/net/ipv6/ip6_offload.c ++++ b/net/ipv6/ip6_offload.c +@@ -113,6 +113,7 @@ static struct sk_buff *ipv6_gso_segment( + payload_len = skb->len - nhoff - sizeof(*ipv6h); + ipv6h->payload_len = htons(payload_len); + skb->network_header = (u8 *)ipv6h - skb->head; ++ skb_reset_mac_len(skb); + + if (udpfrag) { + int err = ip6_find_1stfragopt(skb, &prevhdr); diff --git a/queue-4.14/ipv6-fix-possible-use-after-free-in-ip6_xmit.patch b/queue-4.14/ipv6-fix-possible-use-after-free-in-ip6_xmit.patch new file mode 100644 index 00000000000..b904bbb54f5 --- /dev/null +++ b/queue-4.14/ipv6-fix-possible-use-after-free-in-ip6_xmit.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Eric Dumazet +Date: Fri, 14 Sep 2018 12:02:31 -0700 +Subject: ipv6: fix possible use-after-free in ip6_xmit() + +From: Eric Dumazet + +[ Upstream commit bbd6528d28c1b8e80832b3b018ec402b6f5c3215 ] + +In the unlikely case ip6_xmit() has to call skb_realloc_headroom(), +we need to call skb_set_owner_w() before consuming original skb, +otherwise we risk a use-after-free. + +Bring IPv6 in line with what we do in IPv4 to fix this. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -219,12 +219,10 @@ int ip6_xmit(const struct sock *sk, stru + kfree_skb(skb); + return -ENOBUFS; + } ++ if (skb->sk) ++ skb_set_owner_w(skb2, skb->sk); + consume_skb(skb); + skb = skb2; +- /* skb_set_owner_w() changes sk->sk_wmem_alloc atomically, +- * it is safe to call in our context (socket lock not held) +- */ +- skb_set_owner_w(skb, (struct sock *)sk); + } + if (opt->opt_flen) + ipv6_push_frag_opts(skb, opt, &proto); diff --git a/queue-4.14/neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch b/queue-4.14/neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch new file mode 100644 index 00000000000..259a18b1ec5 --- /dev/null +++ b/queue-4.14/neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch @@ -0,0 +1,54 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Vasily Khoruzhick +Date: Thu, 13 Sep 2018 11:12:03 -0700 +Subject: neighbour: confirm neigh entries when ARP packet is received + +From: Vasily Khoruzhick + +[ Upstream commit f0e0d04413fcce9bc76388839099aee93cd0d33b ] + +Update 'confirmed' timestamp when ARP packet is received. It shouldn't +affect locktime logic and anyway entry can be confirmed by any higher-layer +protocol. Thus it makes sense to confirm it when ARP packet is received. + +Fixes: 77d7123342dc ("neighbour: update neigh timestamps iff update is effective") +Signed-off-by: Vasily Khoruzhick +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1174,6 +1174,12 @@ int neigh_update(struct neighbour *neigh + lladdr = neigh->ha; + } + ++ /* Update confirmed timestamp for neighbour entry after we ++ * received ARP packet even if it doesn't change IP to MAC binding. ++ */ ++ if (new & NUD_CONNECTED) ++ neigh->confirmed = jiffies; ++ + /* If entry was valid and address is not changed, + do not change entry state, if new one is STALE. + */ +@@ -1195,15 +1201,12 @@ int neigh_update(struct neighbour *neigh + } + } + +- /* Update timestamps only once we know we will make a change to the ++ /* Update timestamp only once we know we will make a change to the + * neighbour entry. Otherwise we risk to move the locktime window with + * noop updates and ignore relevant ARP updates. + */ +- if (new != old || lladdr != neigh->ha) { +- if (new & NUD_CONNECTED) +- neigh->confirmed = jiffies; ++ if (new != old || lladdr != neigh->ha) + neigh->updated = jiffies; +- } + + if (new != old) { + neigh_del_timer(neigh); diff --git a/queue-4.14/net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch b/queue-4.14/net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch new file mode 100644 index 00000000000..c239819c8f1 --- /dev/null +++ b/queue-4.14/net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch @@ -0,0 +1,40 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Willy Tarreau +Date: Wed, 12 Sep 2018 07:36:35 +0200 +Subject: net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT + +From: Willy Tarreau + +[ Upstream commit 9824dfae5741275473a23a7ed5756c7b6efacc9d ] + +Fields ->dev and ->next of struct ipddp_route may be copied to +userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible +to CAP_NET_ADMIN though. Let's manually copy the relevant fields +instead of using memcpy(). + +BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html +Cc: Jann Horn +Signed-off-by: Willy Tarreau +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/appletalk/ipddp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/appletalk/ipddp.c ++++ b/drivers/net/appletalk/ipddp.c +@@ -283,8 +283,12 @@ static int ipddp_ioctl(struct net_device + case SIOCFINDIPDDPRT: + spin_lock_bh(&ipddp_route_lock); + rp = __ipddp_find_route(&rcp); +- if (rp) +- memcpy(&rcp2, rp, sizeof(rcp2)); ++ if (rp) { ++ memset(&rcp2, 0, sizeof(rcp2)); ++ rcp2.ip = rp->ip; ++ rcp2.at = rp->at; ++ rcp2.flags = rp->flags; ++ } + spin_unlock_bh(&ipddp_route_lock); + + if (rp) { diff --git a/queue-4.14/net-hp100-fix-always-true-check-for-link-up-state.patch b/queue-4.14/net-hp100-fix-always-true-check-for-link-up-state.patch new file mode 100644 index 00000000000..67080833950 --- /dev/null +++ b/queue-4.14/net-hp100-fix-always-true-check-for-link-up-state.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Colin Ian King +Date: Fri, 14 Sep 2018 17:39:53 +0100 +Subject: net: hp100: fix always-true check for link up state + +From: Colin Ian King + +[ Upstream commit a7f38002fb69b44f8fc622ecb838665d0b8666af ] + +The operation ~(p100_inb(VG_LAN_CFG_1) & HP100_LINK_UP) returns a value +that is always non-zero and hence the wait for the link to drop always +terminates prematurely. Fix this by using a logical not operator instead +of a bitwise complement. This issue has been in the driver since +pre-2.6.12-rc2. + +Detected by CoverityScan, CID#114157 ("Logical vs. bitwise operator") + +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hp/hp100.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hp/hp100.c ++++ b/drivers/net/ethernet/hp/hp100.c +@@ -2634,7 +2634,7 @@ static int hp100_login_to_vg_hub(struct + /* Wait for link to drop */ + time = jiffies + (HZ / 10); + do { +- if (~(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST)) ++ if (!(hp100_inb(VG_LAN_CFG_1) & HP100_LINK_UP_ST)) + break; + if (!in_interrupt()) + schedule_timeout_interruptible(1); diff --git a/queue-4.14/net-sched-act_sample-fix-null-dereference-in-the-data-path.patch b/queue-4.14/net-sched-act_sample-fix-null-dereference-in-the-data-path.patch new file mode 100644 index 00000000000..ece142bc76c --- /dev/null +++ b/queue-4.14/net-sched-act_sample-fix-null-dereference-in-the-data-path.patch @@ -0,0 +1,110 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Davide Caratti +Date: Fri, 14 Sep 2018 12:03:18 +0200 +Subject: net/sched: act_sample: fix NULL dereference in the data path + +From: Davide Caratti + +[ Upstream commit 34043d250f51368f214aed7f54c2dc29c819a8c7 ] + +Matteo reported the following splat, testing the datapath of TC 'sample': + + BUG: KASAN: null-ptr-deref in tcf_sample_act+0xc4/0x310 + Read of size 8 at addr 0000000000000000 by task nc/433 + + CPU: 0 PID: 433 Comm: nc Not tainted 4.19.0-rc3-kvm #17 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS ?-20180531_142017-buildhw-08.phx2.fedoraproject.org-1.fc28 04/01/2014 + Call Trace: + kasan_report.cold.6+0x6c/0x2fa + tcf_sample_act+0xc4/0x310 + ? dev_hard_start_xmit+0x117/0x180 + tcf_action_exec+0xa3/0x160 + tcf_classify+0xdd/0x1d0 + htb_enqueue+0x18e/0x6b0 + ? deref_stack_reg+0x7a/0xb0 + ? htb_delete+0x4b0/0x4b0 + ? unwind_next_frame+0x819/0x8f0 + ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 + __dev_queue_xmit+0x722/0xca0 + ? unwind_get_return_address_ptr+0x50/0x50 + ? netdev_pick_tx+0xe0/0xe0 + ? save_stack+0x8c/0xb0 + ? kasan_kmalloc+0xbe/0xd0 + ? __kmalloc_track_caller+0xe4/0x1c0 + ? __kmalloc_reserve.isra.45+0x24/0x70 + ? __alloc_skb+0xdd/0x2e0 + ? sk_stream_alloc_skb+0x91/0x3b0 + ? tcp_sendmsg_locked+0x71b/0x15a0 + ? tcp_sendmsg+0x22/0x40 + ? __sys_sendto+0x1b0/0x250 + ? __x64_sys_sendto+0x6f/0x80 + ? do_syscall_64+0x5d/0x150 + ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 + ? __sys_sendto+0x1b0/0x250 + ? __x64_sys_sendto+0x6f/0x80 + ? do_syscall_64+0x5d/0x150 + ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 + ip_finish_output2+0x495/0x590 + ? ip_copy_metadata+0x2e0/0x2e0 + ? skb_gso_validate_network_len+0x6f/0x110 + ? ip_finish_output+0x174/0x280 + __tcp_transmit_skb+0xb17/0x12b0 + ? __tcp_select_window+0x380/0x380 + tcp_write_xmit+0x913/0x1de0 + ? __sk_mem_schedule+0x50/0x80 + tcp_sendmsg_locked+0x49d/0x15a0 + ? tcp_rcv_established+0x8da/0xa30 + ? tcp_set_state+0x220/0x220 + ? clear_user+0x1f/0x50 + ? iov_iter_zero+0x1ae/0x590 + ? __fget_light+0xa0/0xe0 + tcp_sendmsg+0x22/0x40 + __sys_sendto+0x1b0/0x250 + ? __ia32_sys_getpeername+0x40/0x40 + ? _copy_to_user+0x58/0x70 + ? poll_select_copy_remaining+0x176/0x200 + ? __pollwait+0x1c0/0x1c0 + ? ktime_get_ts64+0x11f/0x140 + ? kern_select+0x108/0x150 + ? core_sys_select+0x360/0x360 + ? vfs_read+0x127/0x150 + ? kernel_write+0x90/0x90 + __x64_sys_sendto+0x6f/0x80 + do_syscall_64+0x5d/0x150 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fefef2b129d + Code: ff ff ff ff eb b6 0f 1f 80 00 00 00 00 48 8d 05 51 37 0c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41 + RSP: 002b:00007fff2f5350c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + RAX: ffffffffffffffda RBX: 000056118d60c120 RCX: 00007fefef2b129d + RDX: 0000000000002000 RSI: 000056118d629320 RDI: 0000000000000003 + RBP: 000056118d530370 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000002000 + R13: 000056118d5c2a10 R14: 000056118d5c2a10 R15: 000056118d5303b8 + +tcf_sample_act() tried to update its per-cpu stats, but tcf_sample_init() +forgot to allocate them, because tcf_idr_create() was called with a wrong +value of 'cpustats'. Setting it to true proved to fix the reported crash. + +Reported-by: Matteo Croce +Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR") +Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action") +Tested-by: Matteo Croce +Signed-off-by: Davide Caratti +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_sample.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_sample.c ++++ b/net/sched/act_sample.c +@@ -64,7 +64,7 @@ static int tcf_sample_init(struct net *n + + if (!exists) { + ret = tcf_idr_create(tn, parm->index, est, a, +- &act_sample_ops, bind, false); ++ &act_sample_ops, bind, true); + if (ret) + return ret; + ret = ACT_P_CREATED; diff --git a/queue-4.14/pppoe-fix-reception-of-frames-with-no-mac-header.patch b/queue-4.14/pppoe-fix-reception-of-frames-with-no-mac-header.patch new file mode 100644 index 00000000000..60060854a6c --- /dev/null +++ b/queue-4.14/pppoe-fix-reception-of-frames-with-no-mac-header.patch @@ -0,0 +1,99 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Guillaume Nault +Date: Fri, 14 Sep 2018 16:28:05 +0200 +Subject: pppoe: fix reception of frames with no mac header + +From: Guillaume Nault + +[ Upstream commit 8540827ebac6b654ab2f69c8fbce9e4fbd6304a0 ] + +pppoe_rcv() needs to look back at the Ethernet header in order to +lookup the PPPoE session. Therefore we need to ensure that the mac +header is big enough to contain an Ethernet header. Otherwise +eth_hdr(skb)->h_source might access invalid data. + +================================================================== +BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline] +BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline] +BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450 +CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google +01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 + __get_item drivers/net/ppp/pppoe.c:172 [inline] + get_item drivers/net/ppp/pppoe.c:236 [inline] + pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450 + __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562 + __netif_receive_skb net/core/dev.c:4627 [inline] + netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701 + netif_receive_skb+0x230/0x240 net/core/dev.c:4725 + tun_rx_batched drivers/net/tun.c:1555 [inline] + tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962 + tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990 + call_write_iter include/linux/fs.h:1782 [inline] + new_sync_write fs/read_write.c:469 [inline] + __vfs_write+0x7fb/0x9f0 fs/read_write.c:482 + vfs_write+0x463/0x8d0 fs/read_write.c:544 + SYSC_write+0x172/0x360 fs/read_write.c:589 + SyS_write+0x55/0x80 fs/read_write.c:581 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x4447c9 +RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9 +RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004 +RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda +R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0 +R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234 + sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085 + tun_alloc_skb drivers/net/tun.c:1532 [inline] + tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829 + tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990 + call_write_iter include/linux/fs.h:1782 [inline] + new_sync_write fs/read_write.c:469 [inline] + __vfs_write+0x7fb/0x9f0 fs/read_write.c:482 + vfs_write+0x463/0x8d0 fs/read_write.c:544 + SYSC_write+0x172/0x360 fs/read_write.c:589 + SyS_write+0x55/0x80 fs/read_write.c:581 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +================================================================== + +Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") +Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/pppoe.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -429,6 +429,9 @@ static int pppoe_rcv(struct sk_buff *skb + if (!skb) + goto out; + ++ if (skb_mac_header_len(skb) < ETH_HLEN) ++ goto drop; ++ + if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr))) + goto drop; + diff --git a/queue-4.14/qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch b/queue-4.14/qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch new file mode 100644 index 00000000000..81a3fbb5b4d --- /dev/null +++ b/queue-4.14/qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch @@ -0,0 +1,55 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: "Bjørn Mork" +Date: Mon, 17 Sep 2018 22:00:24 +0200 +Subject: qmi_wwan: set DTR for modems in forced USB2 mode + +From: "Bjørn Mork" + +[ Upstream commit 922005c7f50e7f4b2a6dbc182e9c575b4f92396b ] + +Recent firmware revisions have added the ability to force +these modems to USB2 mode, hiding their SuperSpeed +capabilities from the host. The driver has been using the +SuperSpeed capability, as shown by the bcdUSB field of the +device descriptor, to detect the need to enable the DTR +quirk. This method fails when the modems are forced to +USB2 mode by the modem firmware. + +Fix by unconditionally enabling the DTR quirk for the +affected device IDs. + +Reported-by: Fred Veldini +Reported-by: Deshu Wen +Signed-off-by: Bjørn Mork +Reported-by: Fred Veldini +Reported-by: Deshu Wen +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1205,13 +1205,13 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */ + {QMI_FIXED_INTF(0x1199, 0x9063, 8)}, /* Sierra Wireless EM7305 */ + {QMI_FIXED_INTF(0x1199, 0x9063, 10)}, /* Sierra Wireless EM7305 */ +- {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx */ +- {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx */ +- {QMI_FIXED_INTF(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */ +- {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */ +- {QMI_FIXED_INTF(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */ +- {QMI_FIXED_INTF(0x1199, 0x907b, 10)}, /* Sierra Wireless EM74xx */ +- {QMI_FIXED_INTF(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x9071, 10)},/* Sierra Wireless MC74xx */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x9079, 10)},/* Sierra Wireless EM74xx */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x907b, 10)},/* Sierra Wireless EM74xx */ ++ {QMI_QUIRK_SET_DTR(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..8a2f7a3bfb1 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,13 @@ +gso_segment-reset-skb-mac_len-after-modifying-network-header.patch +ipv6-fix-possible-use-after-free-in-ip6_xmit.patch +net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch +net-hp100-fix-always-true-check-for-link-up-state.patch +pppoe-fix-reception-of-frames-with-no-mac-header.patch +qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch +udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch +neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch +udp6-add-missing-checks-on-edumux-packet-processing.patch +net-sched-act_sample-fix-null-dereference-in-the-data-path.patch +tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch +tls-zero-the-crypto-information-from-tls_context-before-freeing.patch +tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch diff --git a/queue-4.14/tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch b/queue-4.14/tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch new file mode 100644 index 00000000000..6ebdaa58e4a --- /dev/null +++ b/queue-4.14/tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch @@ -0,0 +1,29 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Sabrina Dubroca +Date: Wed, 12 Sep 2018 17:44:43 +0200 +Subject: tls: clear key material from kernel memory when do_tls_setsockopt_conf fails + +From: Sabrina Dubroca + +[ Upstream commit c844eb46b7d43c2cf760169df5ae1d5b033af338 ] + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -425,7 +425,7 @@ static int do_tls_setsockopt_tx(struct s + goto out; + + err_crypto_info: +- memset(crypto_info, 0, sizeof(*crypto_info)); ++ memzero_explicit(crypto_info, sizeof(union tls_crypto_context)); + out: + return rc; + } diff --git a/queue-4.14/tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch b/queue-4.14/tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch new file mode 100644 index 00000000000..61493d89c1f --- /dev/null +++ b/queue-4.14/tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Sabrina Dubroca +Date: Wed, 12 Sep 2018 17:44:41 +0200 +Subject: tls: don't copy the key out of tls12_crypto_info_aes_gcm_128 + +From: Sabrina Dubroca + +[ Upstream commit 7cba09c6d5bc73ebbd25a353742d9ddb7a713b95 ] + +There's no need to copy the key to an on-stack buffer before calling +crypto_aead_setkey(). + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_sw.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -661,7 +661,6 @@ static void tls_sw_free_resources(struct + + int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx) + { +- char keyval[TLS_CIPHER_AES_GCM_128_KEY_SIZE]; + struct tls_crypto_info *crypto_info; + struct tls12_crypto_info_aes_gcm_128 *gcm_128_info; + struct tls_sw_context *sw_ctx; +@@ -753,9 +752,7 @@ int tls_set_sw_offload(struct sock *sk, + + ctx->push_pending_record = tls_sw_push_pending_record; + +- memcpy(keyval, gcm_128_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE); +- +- rc = crypto_aead_setkey(sw_ctx->aead_send, keyval, ++ rc = crypto_aead_setkey(sw_ctx->aead_send, gcm_128_info->key, + TLS_CIPHER_AES_GCM_128_KEY_SIZE); + if (rc) + goto free_aead; diff --git a/queue-4.14/tls-zero-the-crypto-information-from-tls_context-before-freeing.patch b/queue-4.14/tls-zero-the-crypto-information-from-tls_context-before-freeing.patch new file mode 100644 index 00000000000..35924863f13 --- /dev/null +++ b/queue-4.14/tls-zero-the-crypto-information-from-tls_context-before-freeing.patch @@ -0,0 +1,114 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Sabrina Dubroca +Date: Wed, 12 Sep 2018 17:44:42 +0200 +Subject: tls: zero the crypto information from tls_context before freeing + +From: Sabrina Dubroca + +[ Upstream commit 86029d10af18381814881d6cce2dd6872163b59f ] + +This contains key material in crypto_send_aes_gcm_128 and +crypto_recv_aes_gcm_128. + +Introduce union tls_crypto_context, and replace the two identical +unions directly embedded in struct tls_context with it. We can then +use this union to clean up the memory in the new tls_ctx_free() +function. + +Fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tls.h | 14 ++++++++------ + net/tls/tls_main.c | 15 ++++++++++++--- + net/tls/tls_sw.c | 2 +- + 3 files changed, 21 insertions(+), 10 deletions(-) + +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -79,11 +79,13 @@ enum { + TLS_PENDING_CLOSED_RECORD + }; + ++union tls_crypto_context { ++ struct tls_crypto_info info; ++ struct tls12_crypto_info_aes_gcm_128 aes_gcm_128; ++}; ++ + struct tls_context { +- union { +- struct tls_crypto_info crypto_send; +- struct tls12_crypto_info_aes_gcm_128 crypto_send_aes_gcm_128; +- }; ++ union tls_crypto_context crypto_send; + + void *priv_ctx; + +@@ -208,8 +210,8 @@ static inline void tls_fill_prepend(stru + * size KTLS_DTLS_HEADER_SIZE + KTLS_DTLS_NONCE_EXPLICIT_SIZE + */ + buf[0] = record_type; +- buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.version); +- buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.version); ++ buf[1] = TLS_VERSION_MINOR(ctx->crypto_send.info.version); ++ buf[2] = TLS_VERSION_MAJOR(ctx->crypto_send.info.version); + /* we can use IV for nonce explicit according to spec */ + buf[3] = pkt_len >> 8; + buf[4] = pkt_len & 0xFF; +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -218,6 +218,15 @@ static void tls_write_space(struct sock + ctx->sk_write_space(sk); + } + ++static void tls_ctx_free(struct tls_context *ctx) ++{ ++ if (!ctx) ++ return; ++ ++ memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send)); ++ kfree(ctx); ++} ++ + static void tls_sk_proto_close(struct sock *sk, long timeout) + { + struct tls_context *ctx = tls_get_ctx(sk); +@@ -246,7 +255,7 @@ static void tls_sk_proto_close(struct so + kfree(ctx->iv); + + sk_proto_close = ctx->sk_proto_close; +- kfree(ctx); ++ tls_ctx_free(ctx); + + release_sock(sk); + sk_proto_close(sk, timeout); +@@ -274,7 +283,7 @@ static int do_tls_getsockopt_tx(struct s + } + + /* get user crypto info */ +- crypto_info = &ctx->crypto_send; ++ crypto_info = &ctx->crypto_send.info; + + if (!TLS_CRYPTO_INFO_READY(crypto_info)) { + rc = -EBUSY; +@@ -371,7 +380,7 @@ static int do_tls_setsockopt_tx(struct s + } + + /* get user crypto info */ +- crypto_info = &ctx->crypto_send; ++ crypto_info = &ctx->crypto_send.info; + + /* Currently we don't support set crypto info more than one time */ + if (TLS_CRYPTO_INFO_READY(crypto_info)) { +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -687,7 +687,7 @@ int tls_set_sw_offload(struct sock *sk, + ctx->priv_ctx = (struct tls_offload_context *)sw_ctx; + ctx->free_resources = tls_sw_free_resources; + +- crypto_info = &ctx->crypto_send; ++ crypto_info = &ctx->crypto_send.info; + switch (crypto_info->cipher_type) { + case TLS_CIPHER_AES_GCM_128: { + nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE; diff --git a/queue-4.14/udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch b/queue-4.14/udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch new file mode 100644 index 00000000000..d326856fc36 --- /dev/null +++ b/queue-4.14/udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch @@ -0,0 +1,99 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Paolo Abeni +Date: Thu, 13 Sep 2018 16:27:20 +0200 +Subject: udp4: fix IP_CMSG_CHECKSUM for connected sockets + +From: Paolo Abeni + +[ Upstream commit 2b5a921740a55c00223a797d075b9c77c42cb171 ] + +commit 2abb7cdc0dc8 ("udp: Add support for doing checksum +unnecessary conversion") left out the early demux path for +connected sockets. As a result IP_CMSG_CHECKSUM gives wrong +values for such socket when GRO is not enabled/available. + +This change addresses the issue by moving the csum conversion to a +common helper and using such helper in both the default and the +early demux rx path. + +Fixes: 2abb7cdc0dc8 ("udp: Add support for doing checksum unnecessary conversion") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 49 ++++++++++++++++++++++++++----------------------- + 1 file changed, 26 insertions(+), 23 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2049,6 +2049,28 @@ static inline int udp4_csum_init(struct + inet_compute_pseudo); + } + ++/* wrapper for udp_queue_rcv_skb tacking care of csum conversion and ++ * return code conversion for ip layer consumption ++ */ ++static int udp_unicast_rcv_skb(struct sock *sk, struct sk_buff *skb, ++ struct udphdr *uh) ++{ ++ int ret; ++ ++ if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk)) ++ skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check, ++ inet_compute_pseudo); ++ ++ ret = udp_queue_rcv_skb(sk, skb); ++ ++ /* a return value > 0 means to resubmit the input, but ++ * it wants the return to be -protocol, or 0 ++ */ ++ if (ret > 0) ++ return -ret; ++ return 0; ++} ++ + /* + * All we need to do is get the socket, and then do a checksum. + */ +@@ -2095,14 +2117,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, + if (unlikely(sk->sk_rx_dst != dst)) + udp_sk_rx_dst_set(sk, dst); + +- ret = udp_queue_rcv_skb(sk, skb); ++ ret = udp_unicast_rcv_skb(sk, skb, uh); + sock_put(sk); +- /* a return value > 0 means to resubmit the input, but +- * it wants the return to be -protocol, or 0 +- */ +- if (ret > 0) +- return -ret; +- return 0; ++ return ret; + } + + if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST)) +@@ -2110,22 +2127,8 @@ int __udp4_lib_rcv(struct sk_buff *skb, + saddr, daddr, udptable, proto); + + sk = __udp4_lib_lookup_skb(skb, uh->source, uh->dest, udptable); +- if (sk) { +- int ret; +- +- if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk)) +- skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check, +- inet_compute_pseudo); +- +- ret = udp_queue_rcv_skb(sk, skb); +- +- /* a return value > 0 means to resubmit the input, but +- * it wants the return to be -protocol, or 0 +- */ +- if (ret > 0) +- return -ret; +- return 0; +- } ++ if (sk) ++ return udp_unicast_rcv_skb(sk, skb, uh); + + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) + goto drop; diff --git a/queue-4.14/udp6-add-missing-checks-on-edumux-packet-processing.patch b/queue-4.14/udp6-add-missing-checks-on-edumux-packet-processing.patch new file mode 100644 index 00000000000..7846e180ff9 --- /dev/null +++ b/queue-4.14/udp6-add-missing-checks-on-edumux-packet-processing.patch @@ -0,0 +1,127 @@ +From foo@baz Wed Sep 26 11:28:02 CEST 2018 +From: Paolo Abeni +Date: Thu, 13 Sep 2018 16:27:21 +0200 +Subject: udp6: add missing checks on edumux packet processing + +From: Paolo Abeni + +[ Upstream commit eb63f2964dbe36f26deac77d3016791675821ded ] + +Currently the UDPv6 early demux rx code path lacks some mandatory +checks, already implemented into the normal RX code path - namely +the checksum conversion and no_check6_rx check. + +Similar to the previous commit, we move the common processing to +an UDPv6 specific helper and call it from both edemux code path +and normal code path. In respect to the UDPv4, we need to add an +explicit check for non zero csum according to no_check6_rx value. + +Reported-by: Jianlin Shi +Suggested-by: Xin Long +Fixes: c9f2c1ae123a ("udp6: fix socket leak on early demux") +Fixes: 2abb7cdc0dc8 ("udp: Add support for doing checksum unnecessary conversion") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/udp.c | 65 ++++++++++++++++++++++++++++++++------------------------- + 1 file changed, 37 insertions(+), 28 deletions(-) + +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -780,6 +780,28 @@ static void udp6_sk_rx_dst_set(struct so + } + } + ++/* wrapper for udp_queue_rcv_skb tacking care of csum conversion and ++ * return code conversion for ip layer consumption ++ */ ++static int udp6_unicast_rcv_skb(struct sock *sk, struct sk_buff *skb, ++ struct udphdr *uh) ++{ ++ int ret; ++ ++ if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk)) ++ skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check, ++ ip6_compute_pseudo); ++ ++ ret = udpv6_queue_rcv_skb(sk, skb); ++ ++ /* a return value > 0 means to resubmit the input, but ++ * it wants the return to be -protocol, or 0 ++ */ ++ if (ret > 0) ++ return -ret; ++ return 0; ++} ++ + int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, + int proto) + { +@@ -831,13 +853,14 @@ int __udp6_lib_rcv(struct sk_buff *skb, + if (unlikely(sk->sk_rx_dst != dst)) + udp6_sk_rx_dst_set(sk, dst); + +- ret = udpv6_queue_rcv_skb(sk, skb); +- sock_put(sk); ++ if (!uh->check && !udp_sk(sk)->no_check6_rx) { ++ sock_put(sk); ++ goto report_csum_error; ++ } + +- /* a return value > 0 means to resubmit the input */ +- if (ret > 0) +- return ret; +- return 0; ++ ret = udp6_unicast_rcv_skb(sk, skb, uh); ++ sock_put(sk); ++ return ret; + } + + /* +@@ -850,30 +873,13 @@ int __udp6_lib_rcv(struct sk_buff *skb, + /* Unicast */ + sk = __udp6_lib_lookup_skb(skb, uh->source, uh->dest, udptable); + if (sk) { +- int ret; +- +- if (!uh->check && !udp_sk(sk)->no_check6_rx) { +- udp6_csum_zero_error(skb); +- goto csum_error; +- } +- +- if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk)) +- skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check, +- ip6_compute_pseudo); +- +- ret = udpv6_queue_rcv_skb(sk, skb); +- +- /* a return value > 0 means to resubmit the input */ +- if (ret > 0) +- return ret; +- +- return 0; ++ if (!uh->check && !udp_sk(sk)->no_check6_rx) ++ goto report_csum_error; ++ return udp6_unicast_rcv_skb(sk, skb, uh); + } + +- if (!uh->check) { +- udp6_csum_zero_error(skb); +- goto csum_error; +- } ++ if (!uh->check) ++ goto report_csum_error; + + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) + goto discard; +@@ -894,6 +900,9 @@ short_packet: + ulen, skb->len, + daddr, ntohs(uh->dest)); + goto discard; ++ ++report_csum_error: ++ udp6_csum_zero_error(skb); + csum_error: + __UDP6_INC_STATS(net, UDP_MIB_CSUMERRORS, proto == IPPROTO_UDPLITE); + discard: diff --git a/queue-4.18/series b/queue-4.18/series new file mode 100644 index 00000000000..8183ab1e67d --- /dev/null +++ b/queue-4.18/series @@ -0,0 +1,22 @@ +gso_segment-reset-skb-mac_len-after-modifying-network-header.patch +ipv6-fix-possible-use-after-free-in-ip6_xmit.patch +net-appletalk-fix-minor-pointer-leak-to-userspace-in-siocfindipddprt.patch +net-hp100-fix-always-true-check-for-link-up-state.patch +pppoe-fix-reception-of-frames-with-no-mac-header.patch +qmi_wwan-set-dtr-for-modems-in-forced-usb2-mode.patch +udp4-fix-ip_cmsg_checksum-for-connected-sockets.patch +tls-don-t-copy-the-key-out-of-tls12_crypto_info_aes_gcm_128.patch +tls-zero-the-crypto-information-from-tls_context-before-freeing.patch +tls-clear-key-material-from-kernel-memory-when-do_tls_setsockopt_conf-fails.patch +neighbour-confirm-neigh-entries-when-arp-packet-is-received.patch +udp6-add-missing-checks-on-edumux-packet-processing.patch +net-sched-act_sample-fix-null-dereference-in-the-data-path.patch +hv_netvsc-fix-schedule-in-rcu-context.patch +net-dsa-mv88e6xxx-fix-atu-miss-violation.patch +socket-fix-struct-ifreq-size-in-compat-ioctl.patch +tls-fix-currently-broken-msg_peek-behavior.patch +bnxt_en-fix-vf-mac-address-regression.patch +ipv6-use-rt6_info-members-when-dst-is-set-in-rt6_fill_node.patch +net-ipv6-do-not-copy-dst-flags-on-rt-init.patch +net-mvpp2-let-phylink-manage-the-carrier-state.patch +net-rtnl_configure_link-fix-dev-flags-changes-arg-to-__dev_notify_flags.patch