From 83d507a12879509a8a4a140ff9f5ceb64a9ab3f8 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 4 Aug 2018 09:34:05 +0200 Subject: [PATCH] 4.9-stable patches added patches: bonding-avoid-lockdep-confusion-in-bond_get_stats.patch inet-frag-enforce-memory-limits-earlier.patch ipv4-frags-handle-possible-skb-truesize-change.patch net-dsa-do-not-suspend-resume-closed-slave_dev.patch net-stmmac-fix-wol-for-pci-based-setups.patch netlink-fix-spectre-v1-gadget-in-netlink_create.patch --- ...-lockdep-confusion-in-bond_get_stats.patch | 174 ++++++++++++++++++ ...t-frag-enforce-memory-limits-earlier.patch | 60 ++++++ ...-handle-possible-skb-truesize-change.patch | 50 +++++ ...-not-suspend-resume-closed-slave_dev.patch | 43 +++++ ...-stmmac-fix-wol-for-pci-based-setups.patch | 84 +++++++++ ...-spectre-v1-gadget-in-netlink_create.patch | 51 +++++ queue-4.9/series | 6 + 7 files changed, 468 insertions(+) create mode 100644 queue-4.9/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch create mode 100644 queue-4.9/inet-frag-enforce-memory-limits-earlier.patch create mode 100644 queue-4.9/ipv4-frags-handle-possible-skb-truesize-change.patch create mode 100644 queue-4.9/net-dsa-do-not-suspend-resume-closed-slave_dev.patch create mode 100644 queue-4.9/net-stmmac-fix-wol-for-pci-based-setups.patch create mode 100644 queue-4.9/netlink-fix-spectre-v1-gadget-in-netlink_create.patch diff --git a/queue-4.9/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch b/queue-4.9/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch new file mode 100644 index 00000000000..c8ff3d82835 --- /dev/null +++ b/queue-4.9/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch 
@@ -0,0 +1,174 @@ +From foo@baz Sat Aug 4 09:11:40 CEST 2018 +From: Eric Dumazet +Date: Tue, 31 Jul 2018 06:30:54 -0700 +Subject: bonding: avoid lockdep confusion in bond_get_stats() + +From: Eric Dumazet + +[ Upstream commit 7e2556e40026a1b0c16f37446ab398d5a5a892e4 ] + +syzbot found that the following sequence produces a LOCKDEP splat [1] + +ip link add bond10 type bond +ip link add bond11 type bond +ip link set bond11 master bond10 + +To fix this, we can use the already provided nest_level. + +This patch also provides correct nesting for dev->addr_list_lock + +[1] +WARNING: possible recursive locking detected +4.18.0-rc6+ #167 Not tainted +-------------------------------------------- +syz-executor751/4439 is trying to acquire lock: +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + +but task is already holding lock: +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(&bond->stats_lock)->rlock); + lock(&(&bond->stats_lock)->rlock); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +3 locks held by syz-executor751/4439: + #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77 + #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] + #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215 + +stack backtrace: +CPU: 0 PID: 4439 Comm: 
syz-executor751 Not tainted 4.18.0-rc6+ #167 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 + print_deadlock_bug kernel/locking/lockdep.c:1765 [inline] + check_deadlock kernel/locking/lockdep.c:1809 [inline] + validate_chain kernel/locking/lockdep.c:2405 [inline] + __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435 + lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924 + __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] + _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 + spin_lock include/linux/spinlock.h:310 [inline] + bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + dev_get_stats+0x10f/0x470 net/core/dev.c:8316 + bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432 + dev_get_stats+0x10f/0x470 net/core/dev.c:8316 + rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169 + rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611 + rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268 + rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300 + rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline] + rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716 + notifier_call_chain+0x180/0x390 kernel/notifier.c:93 + __raw_notifier_call_chain kernel/notifier.c:394 [inline] + raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 + call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735 + call_netdevice_notifiers net/core/dev.c:1753 [inline] + netdev_features_change net/core/dev.c:1321 [inline] + netdev_change_features+0xb3/0x110 net/core/dev.c:7759 + bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120 + bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755 + bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528 + dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327 + dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493 + 
sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992 + sock_ioctl+0x30d/0x680 net/socket.c:1093 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + __do_sys_ioctl fs/ioctl.c:708 [inline] + __se_sys_ioctl fs/ioctl.c:706 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x440859 +Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859 +RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390 +R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000 + +Signed-off-by: Eric Dumazet +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1682,6 +1682,8 @@ int bond_enslave(struct net_device *bond + goto err_upper_unlink; + } + ++ bond->nest_level = dev_get_nest_level(bond_dev) + 1; ++ + /* If the mode uses primary, then the following is handled by + * bond_change_active_slave(). 
+ */ +@@ -1729,7 +1731,6 @@ int bond_enslave(struct net_device *bond + if (bond_mode_uses_xmit_hash(bond)) + bond_update_slave_arr(bond, NULL); + +- bond->nest_level = dev_get_nest_level(bond_dev); + + netdev_info(bond_dev, "Enslaving %s as %s interface with %s link\n", + slave_dev->name, +@@ -3359,6 +3360,13 @@ static void bond_fold_stats(struct rtnl_ + } + } + ++static int bond_get_nest_level(struct net_device *bond_dev) ++{ ++ struct bonding *bond = netdev_priv(bond_dev); ++ ++ return bond->nest_level; ++} ++ + static struct rtnl_link_stats64 *bond_get_stats(struct net_device *bond_dev, + struct rtnl_link_stats64 *stats) + { +@@ -3367,7 +3375,7 @@ static struct rtnl_link_stats64 *bond_ge + struct list_head *iter; + struct slave *slave; + +- spin_lock(&bond->stats_lock); ++ spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev)); + memcpy(stats, &bond->bond_stats, sizeof(*stats)); + + rcu_read_lock(); +@@ -4163,6 +4171,7 @@ static const struct net_device_ops bond_ + .ndo_neigh_setup = bond_neigh_setup, + .ndo_vlan_rx_add_vid = bond_vlan_rx_add_vid, + .ndo_vlan_rx_kill_vid = bond_vlan_rx_kill_vid, ++ .ndo_get_lock_subclass = bond_get_nest_level, + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_netpoll_setup = bond_netpoll_setup, + .ndo_netpoll_cleanup = bond_netpoll_cleanup, +@@ -4655,6 +4664,7 @@ static int bond_init(struct net_device * + if (!bond->wq) + return -ENOMEM; + ++ bond->nest_level = SINGLE_DEPTH_NESTING; + netdev_lockdep_set_classes(bond_dev); + + list_add_tail(&bond->bond_list, &bn->dev_list); diff --git a/queue-4.9/inet-frag-enforce-memory-limits-earlier.patch b/queue-4.9/inet-frag-enforce-memory-limits-earlier.patch new file mode 100644 index 00000000000..38a9075b5bf --- /dev/null +++ b/queue-4.9/inet-frag-enforce-memory-limits-earlier.patch 
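Review bot: `bond->nest_level` is written only in bond_init() and bond_enslave(), so the subclass handed to `spin_lock_nested()` in bond_get_stats() is a snapshot from the last enslave and may go stale when the stacking around this bond changes later; the release path is outside the hunks shown, so this is inferred. Nothing here caps `dev_get_nest_level(bond_dev) + 1`, although lockdep subclasses are bounded by MAX_LOCKDEP_SUBCLASSES. I would at least document this on the new helper, e.g. `/* lockdep subclass for stats_lock and addr_list_lock; snapshot taken in bond_enslave(), not refreshed on release */`. Separately, removing the old assignment after `bond_update_slave_arr(bond, NULL);` leaves two consecutive blank lines before `netdev_info()`.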
@@ -0,0 +1,60 @@
+From foo@baz Sat Aug 4 09:11:40 CEST 2018
+From: Eric Dumazet
+Date: Mon, 30 Jul 2018 20:09:11 -0700
+Subject: inet: frag: enforce memory limits earlier
+
+From: Eric Dumazet
+
+[ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]
+
+We currently check current frags memory usage only when
+a new frag queue is created. This allows attackers to first
+consume the memory budget (default : 4 MB) creating thousands
+of frag queues, then sending tiny skbs to exceed high_thresh
+limit by 2 to 3 order of magnitude.
+
+Note that before commit 648700f76b03 ("inet: frags: use rhashtables
+for reassembly units"), work queue could be starved under DOS,
+getting no cpu cycles.
+After commit 648700f76b03, only the per frag queue timer can eventually
+remove an incomplete frag queue and its skbs.
+
+Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
+Signed-off-by: Eric Dumazet
+Reported-by: Jann Horn
+Cc: Florian Westphal
+Cc: Peter Oskolkov
+Cc: Paolo Abeni
+Acked-by: Florian Westphal
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_fragment.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag
+ {
+ struct inet_frag_queue *q;
+
+- if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+- inet_frag_schedule_worker(f);
+- return NULL;
+- }
+-
+ q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
+ if (!q)
+ return NULL;
+@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(s
+ struct inet_frag_queue *q;
+ int depth = 0;
+
++ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
++ inet_frag_schedule_worker(f);
++ return NULL;
++ }
++
+ if (frag_mem_limit(nf) > nf->low_thresh)
+ inet_frag_schedule_worker(f);
+
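Review bot: The `high_thresh` test moved into inet_frag_find() sits right after the declarations and so appears to run before the queue lookup, which means that while the netns is over budget a fragment that would complete an already-queued datagram is refused too, and every caller has to treat a NULL return as a drop; the code states neither. A short comment above the new block would record the intent, e.g. `/* Enforce the budget on every lookup, not only on queue creation: fragments for existing queues are dropped too while over high_thresh. */`. The block also calls `inet_frag_schedule_worker(f)` once per rejected packet; whether that stays cheap under a flood depends on the worker code, which is outside the hunk.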
diff --git a/queue-4.9/ipv4-frags-handle-possible-skb-truesize-change.patch b/queue-4.9/ipv4-frags-handle-possible-skb-truesize-change.patch
new file mode 100644
index 00000000000..05e42605c61
--- /dev/null
+++ b/queue-4.9/ipv4-frags-handle-possible-skb-truesize-change.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Aug 4 09:11:40 CEST 2018
+From: Eric Dumazet
+Date: Mon, 30 Jul 2018 21:50:29 -0700
+Subject: ipv4: frags: handle possible skb truesize change
+
+From: Eric Dumazet
+
+[ Upstream commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 ]
+
+ip_frag_queue() might call pskb_pull() on one skb that
+is already in the fragment queue.
+
+We need to take care of possible truesize change, or we
+might have an imbalance of the netns frags memory usage.
+
+IPv6 is immune to this bug, because RFC5722, Section 4,
+amended by Errata ID 3089 states :
+
+ When reassembling an IPv6 datagram, if
+ one or more its constituent fragments is determined to be an
+ overlapping fragment, the entire datagram (and any constituent
+ fragments) MUST be silently discarded.
+
+Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_fragment.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -446,11 +446,16 @@ found:
+ int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
+
+ if (i < next->len) {
++ int delta = -next->truesize;
++
+ /* Eat head of the next overlapped fragment
+ * and leave the loop. The next ones cannot overlap.
+ */
+ if (!pskb_pull(next, i))
+ goto err;
++ delta += next->truesize;
++ if (delta)
++ add_frag_mem_limit(qp->q.net, delta);
+ FRAG_CB(next)->offset += i;
+ qp->q.meat -= i;
+ if (next->ip_summed != CHECKSUM_UNNECESSARY)
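Review bot: The accounting correction is skipped on the `goto err` path, because `delta` is applied only after `pskb_pull()` succeeds; if pskb_pull() can fail after it has already reallocated the head (not verifiable from this hunk), `next->truesize` changes with no matching `add_frag_mem_limit()`. Applying the delta before testing the result would close that: keep the pskb_pull() result in a local, run `delta += next->truesize; if (delta) add_frag_mem_limit(qp->q.net, delta);`, and only then `goto err` on failure. `int delta = -next->truesize;` also relies on an unsigned-to-int conversion if `truesize` is unsigned, which a one-line comment could make explicit. The enclosing function starts and ends outside the hunk.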
diff --git a/queue-4.9/net-dsa-do-not-suspend-resume-closed-slave_dev.patch b/queue-4.9/net-dsa-do-not-suspend-resume-closed-slave_dev.patch
new file mode 100644
index 00000000000..eceeea63255
--- /dev/null
+++ b/queue-4.9/net-dsa-do-not-suspend-resume-closed-slave_dev.patch
@@ -0,0 +1,43 @@
+From foo@baz Sat Aug 4 09:11:40 CEST 2018
+From: Florian Fainelli
+Date: Tue, 31 Jul 2018 17:12:52 -0700
+Subject: net: dsa: Do not suspend/resume closed slave_dev
+
+From: Florian Fainelli
+
+[ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]
+
+If a DSA slave network device was previously disabled, there is no need
+to suspend or resume it.
+
+Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/slave.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1199,6 +1199,9 @@ int dsa_slave_suspend(struct net_device
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_detach(slave_dev);
+
+ if (p->phy) {
+@@ -1216,6 +1219,9 @@ int dsa_slave_resume(struct net_device *
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_attach(slave_dev);
+
+ if (p->phy) {
diff --git a/queue-4.9/net-stmmac-fix-wol-for-pci-based-setups.patch b/queue-4.9/net-stmmac-fix-wol-for-pci-based-setups.patch
new file mode 100644
index 00000000000..36e5d94a9b0
--- /dev/null
+++ b/queue-4.9/net-stmmac-fix-wol-for-pci-based-setups.patch
@@ -0,0 +1,84 @@
+From foo@baz Sat Aug 4 09:11:40 CEST 2018
+From: Jose Abreu
+Date: Tue, 31 Jul 2018 15:08:20 +0100
+Subject: net: stmmac: Fix WoL for PCI-based setups
+
+From: Jose Abreu
+
+[ Upstream commit b7d0f08e9129c45ed41bc0cfa8e77067881e45fd ]
+
+WoL won't work in PCI-based setups because we are not saving the PCI EP
+state before entering suspend state and not allowing D3 wake.
+
+Fix this by using a wrapper around stmmac_{suspend/resume} which
+correctly sets the PCI EP state.
+
+Signed-off-by: Jose Abreu
+Cc: David S. Miller
+Cc: Joao Pinto
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 40 +++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -183,7 +183,7 @@ static int stmmac_pci_probe(struct pci_d
+ return -ENOMEM;
+
+ /* Enable pci device */
+- ret = pcim_enable_device(pdev);
++ ret = pci_enable_device(pdev);
+ if (ret) {
+ dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
+ __func__);
+@@ -232,9 +232,45 @@ static int stmmac_pci_probe(struct pci_d
+ static void stmmac_pci_remove(struct pci_dev *pdev)
+ {
+ stmmac_dvr_remove(&pdev->dev);
++ pci_disable_device(pdev);
+ }
+
+-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
++static int stmmac_pci_suspend(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ int ret;
++
++ ret = stmmac_suspend(dev);
++ if (ret)
++ return ret;
++
++ ret = pci_save_state(pdev);
++ if (ret)
++ return ret;
++
++ pci_disable_device(pdev);
++ pci_wake_from_d3(pdev, true);
++ return 0;
++}
++
++static int stmmac_pci_resume(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ int ret;
++
++ pci_restore_state(pdev);
++ pci_set_power_state(pdev, PCI_D0);
++
++ ret = pci_enable_device(pdev);
++ if (ret)
++ return ret;
++
++ pci_set_master(pdev);
++
++ return stmmac_resume(dev);
++}
++
++static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume);
+
+ #define STMMAC_VENDOR_ID 0x700
+ #define STMMAC_QUARK_ID 0x0937
diff --git a/queue-4.9/netlink-fix-spectre-v1-gadget-in-netlink_create.patch b/queue-4.9/netlink-fix-spectre-v1-gadget-in-netlink_create.patch
new file mode 100644
index 00000000000..c66f797d3ca
--- /dev/null
+++ b/queue-4.9/netlink-fix-spectre-v1-gadget-in-netlink_create.patch
@@ -0,0 +1,51 @@
+From foo@baz Sat Aug 4 09:11:40 CEST 2018
+From: Jeremy Cline
+Date: Tue, 31 Jul 2018 21:13:16 +0000
+Subject: netlink: Fix spectre v1 gadget in netlink_create()
+
+From: Jeremy Cline
+
+[ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]
+
+'protocol' is a user-controlled value, so sanitize it after the bounds
+check to avoid using it for speculative out-of-bounds access to arrays
+indexed by it.
+
+This addresses the following accesses detected with the help of smatch:
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+ spectre issue 'nlk_cb_mutex_keys' [w]
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+ spectre issue 'nlk_cb_mutex_key_strings' [w]
+
+* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
+ issue 'nl_table' [w] (local cap)
+
+Cc: Josh Poimboeuf
+Signed-off-by: Jeremy Cline
+Reviewed-by: Josh Poimboeuf
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -62,6 +62,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -654,6 +655,7 @@ static int netlink_create(struct net *ne
+
+ if (protocol < 0 || protocol >= MAX_LINKS)
+ return -EPROTONOSUPPORT;
++ protocol = array_index_nospec(protocol, MAX_LINKS);
+
+ netlink_lock_table();
+ #ifdef CONFIG_MODULES
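Review bot: Replacing `pcim_enable_device()` with `pci_enable_device()` in stmmac_pci_probe() drops the managed cleanup, yet the only matching `pci_disable_device(pdev);` added is in stmmac_pci_remove(); any probe failure after the enable (the rest of probe is outside the hunk) would leave the device enabled, so each later error return needs its own `pci_disable_device(pdev);`. In stmmac_pci_suspend(), a failing `pci_save_state()` returns with the MAC already suspended and no `stmmac_resume(dev)` rollback. In stmmac_pci_resume() the result of `pci_set_power_state(pdev, PCI_D0)` is ignored and the call comes after `pci_restore_state(pdev)`; config space is normally restored once the device is back in D0, so the two lines look swapped.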
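Review bot: The clamp `protocol = array_index_nospec(protocol, MAX_LINKS);` only works because it sits directly after the `protocol < 0 || protocol >= MAX_LINKS` test and ahead of every table access, and nothing in the code says so; a later edit that slips an indexed read between the two lines would reopen the speculative out-of-bounds access. I would put a comment on the new line, e.g. `/* user-controlled index: clamp under speculation before any array indexed by protocol is read */`. netlink_create() continues outside the hunk, so the uses of `protocol` that follow the clamp are not visible here and should be checked to confirm they all take the sanitized value.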
diff --git a/queue-4.9/series b/queue-4.9/series
index 950783f7b9f..20b048a4ef6 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -15,3 +15,9 @@ tcp-refactor-tcp_ecn_check_ce-to-remove-sk-type-cast.patch
 tcp-add-one-more-quick-ack-after-after-ecn-events.patch
 pinctrl-intel-read-back-tx-buffer-state.patch
 sched-wait-remove-the-lockless-swait_active-check-in-swake_up.patch
+bonding-avoid-lockdep-confusion-in-bond_get_stats.patch
+inet-frag-enforce-memory-limits-earlier.patch
+ipv4-frags-handle-possible-skb-truesize-change.patch
+net-dsa-do-not-suspend-resume-closed-slave_dev.patch
+netlink-fix-spectre-v1-gadget-in-netlink_create.patch
+net-stmmac-fix-wol-for-pci-based-setups.patch
--
2.47.3