From a9189dfb72215a6da28c3fc30dec1a5781dc39f5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 30 Jan 2022 20:20:56 +0100 Subject: [PATCH] 4.4-stable patches added patches: arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch drm-msm-fix-wrong-size-calculation.patch ipv4-avoid-using-shared-ip-generator-for-connected-sockets.patch ipv6_tunnel-rate-limit-warning-messages.patch net-fix-information-leakage-in-proc-net-ptype.patch net-procfs-show-net-devices-bound-packet-types.patch ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch --- ...ic-when-kasan-and-kprobe-are-enabled.patch | 113 ++++++++++++++++++ .../drm-msm-fix-wrong-size-calculation.patch | 41 +++++++ ...d-ip-generator-for-connected-sockets.patch | 65 ++++++++++ ...6_tunnel-rate-limit-warning-messages.patch | 44 +++++++ ...nformation-leakage-in-proc-net-ptype.patch | 69 +++++++++++ ...-show-net-devices-bound-packet-types.patch | 112 +++++++++++++++++ ...sk_bound_dev_if-match-in-ping_lookup.patch | 46 +++++++ queue-4.4/series | 7 ++ 8 files changed, 497 insertions(+) create mode 100644 queue-4.4/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch create mode 100644 queue-4.4/drm-msm-fix-wrong-size-calculation.patch create mode 100644 queue-4.4/ipv4-avoid-using-shared-ip-generator-for-connected-sockets.patch create mode 100644 queue-4.4/ipv6_tunnel-rate-limit-warning-messages.patch create mode 100644 queue-4.4/net-fix-information-leakage-in-proc-net-ptype.patch create mode 100644 queue-4.4/net-procfs-show-net-devices-bound-packet-types.patch create mode 100644 queue-4.4/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch diff --git a/queue-4.4/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch b/queue-4.4/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch new file mode 100644 index 00000000000..0759be6873c --- /dev/null +++ b/queue-4.4/arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch @@ -0,0 +1,113 @@ +From 8b59b0a53c840921b625378f137e88adfa87647e Mon Sep 17 00:00:00 2001 +From: sparkhuang +Date: Wed, 15 Dec 2021 10:08:23 +0100 +Subject: ARM: 9170/1: fix panic when kasan and kprobe are enabled + +From: sparkhuang + +commit 8b59b0a53c840921b625378f137e88adfa87647e upstream. + +arm32 uses software to simulate the instruction replaced +by kprobe. some instructions may be simulated by constructing +assembly functions. therefore, before executing instruction +simulation, it is necessary to construct assembly function +execution environment in C language through binding registers. +after kasan is enabled, the register binding relationship will +be destroyed, resulting in instruction simulation errors and +causing kernel panic. + +the kprobe emulate instruction function is distributed in three +files: actions-common.c actions-arm.c actions-thumb.c, so disable +KASAN when compiling these files. + +for example, use kprobe insert on cap_capable+20 after kasan +enabled, the cap_capable assembly code is as follows: +: +e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} +e1a05000 mov r5, r0 +e280006c add r0, r0, #108 ; 0x6c +e1a04001 mov r4, r1 +e1a06002 mov r6, r2 +e59fa090 ldr sl, [pc, #144] ; +ebfc7bf8 bl c03aa4b4 <__asan_load4> +e595706c ldr r7, [r5, #108] ; 0x6c +e2859014 add r9, r5, #20 +...... +The emulate_ldr assembly code after enabling kasan is as follows: +c06f1384 : +e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr} +e282803c add r8, r2, #60 ; 0x3c +e1a05000 mov r5, r0 +e7e37855 ubfx r7, r5, #16, #4 +e1a00008 mov r0, r8 +e1a09001 mov r9, r1 +e1a04002 mov r4, r2 +ebf35462 bl c03c6530 <__asan_load4> +e357000f cmp r7, #15 +e7e36655 ubfx r6, r5, #12, #4 +e205a00f and sl, r5, #15 +0a000001 beq c06f13bc +e0840107 add r0, r4, r7, lsl #2 +ebf3545c bl c03c6530 <__asan_load4> +e084010a add r0, r4, sl, lsl #2 +ebf3545a bl c03c6530 <__asan_load4> +e2890010 add r0, r9, #16 +ebf35458 bl c03c6530 <__asan_load4> +e5990010 ldr r0, [r9, #16] +e12fff30 blx r0 +e356000f cm r6, #15 +1a000014 bne c06f1430 +e1a06000 mov r6, r0 +e2840040 add r0, r4, #64 ; 0x40 +...... + +when running in emulate_ldr to simulate the ldr instruction, panic +occurred, and the log is as follows: +Unable to handle kernel NULL pointer dereference at virtual address +00000090 +pgd = ecb46400 +[00000090] *pgd=2e0fa003, *pmd=00000000 +Internal error: Oops: 206 [#1] SMP ARM +PC is at cap_capable+0x14/0xb0 +LR is at emulate_ldr+0x50/0xc0 +psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c +r10: 00000000 r9 : c30897f4 r8 : ecd63cd4 +r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98 +r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008 +Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +Control: 32c5387d Table: 2d546400 DAC: 55555555 +Process bash (pid: 1643, stack limit = 0xecd60190) +(cap_capable) from (kprobe_handler+0x218/0x340) +(kprobe_handler) from (kprobe_trap_handler+0x24/0x48) +(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364) +(do_undefinstr) from (__und_svc_finish+0x0/0x30) +(__und_svc_finish) from (cap_capable+0x18/0xb0) +(cap_capable) from (cap_vm_enough_memory+0x38/0x48) +(cap_vm_enough_memory) from +(security_vm_enough_memory_mm+0x48/0x6c) +(security_vm_enough_memory_mm) from +(copy_process.constprop.5+0x16b4/0x25c8) +(copy_process.constprop.5) from (_do_fork+0xe8/0x55c) +(_do_fork) from (SyS_clone+0x1c/0x24) +(SyS_clone) from (__sys_trace_return+0x0/0x10) +Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7) + +Fixes: 35aa1df43283 ("ARM kprobes: instruction single-stepping support") +Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM") +Signed-off-by: huangshaobo +Acked-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/probes/kprobes/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/probes/kprobes/Makefile ++++ b/arch/arm/probes/kprobes/Makefile +@@ -1,3 +1,6 @@ ++KASAN_SANITIZE_actions-common.o := n ++KASAN_SANITIZE_actions-arm.o := n ++KASAN_SANITIZE_actions-thumb.o := n + obj-$(CONFIG_KPROBES) += core.o actions-common.o checkers-common.o + obj-$(CONFIG_ARM_KPROBES_TEST) += test-kprobes.o + test-kprobes-objs := test-core.o diff --git a/queue-4.4/drm-msm-fix-wrong-size-calculation.patch b/queue-4.4/drm-msm-fix-wrong-size-calculation.patch new file mode 100644 index 00000000000..e4ddcc8b5cf --- /dev/null +++ b/queue-4.4/drm-msm-fix-wrong-size-calculation.patch @@ -0,0 +1,41 @@ +From 0a727b459ee39bd4c5ced19d6024258ac87b6b2e Mon Sep 17 00:00:00 2001 +From: Xianting Tian +Date: Wed, 12 Jan 2022 20:33:34 +0800 +Subject: drm/msm: Fix wrong size calculation + +From: Xianting Tian + +commit 0a727b459ee39bd4c5ced19d6024258ac87b6b2e upstream. + +For example, memory-region in .dts as below, + reg = <0x0 0x50000000 0x0 0x20000000> + +We can get below values, +struct resource r; +r.start = 0x50000000; +r.end = 0x6fffffff; + +So the size should be: +size = r.end - r.start + 1 = 0x20000000 + +Signed-off-by: Xianting Tian +Fixes: 072f1f9168ed ("drm/msm: add support for "stolen" mem") +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220112123334.749776-1-xianting.tian@linux.alibaba.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -286,7 +286,7 @@ static int msm_init_vram(struct drm_devi + ret = of_address_to_resource(node, 0, &r); + if (ret) + return ret; +- size = r.end - r.start; ++ size = r.end - r.start + 1; + DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start); + } else + #endif diff --git a/queue-4.4/ipv4-avoid-using-shared-ip-generator-for-connected-sockets.patch b/queue-4.4/ipv4-avoid-using-shared-ip-generator-for-connected-sockets.patch new file mode 100644 index 00000000000..1ebb673d87f --- /dev/null +++ b/queue-4.4/ipv4-avoid-using-shared-ip-generator-for-connected-sockets.patch @@ -0,0 +1,65 @@ +From 23f57406b82de51809d5812afd96f210f8b627f3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 26 Jan 2022 17:10:22 -0800 +Subject: ipv4: avoid using shared IP generator for connected sockets + +From: Eric Dumazet + +commit 23f57406b82de51809d5812afd96f210f8b627f3 upstream. + +ip_select_ident_segs() has been very conservative about using +the connected socket private generator only for packets with IP_DF +set, claiming it was needed for some VJ compression implementations. + +As mentioned in this referenced document, this can be abused. +(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment) + +Before switching to pure random IPID generation and possibly hurt +some workloads, lets use the private inet socket generator. + +Not only this will remove one vulnerability, this will also +improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT + +Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Reported-by: Ray Che +Cc: Willy Tarreau +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -353,19 +353,18 @@ static inline void ip_select_ident_segs( + { + struct iphdr *iph = ip_hdr(skb); + ++ /* We had many attacks based on IPID, use the private ++ * generator as much as we can. ++ */ ++ if (sk && inet_sk(sk)->inet_daddr) { ++ iph->id = htons(inet_sk(sk)->inet_id); ++ inet_sk(sk)->inet_id += segs; ++ return; ++ } + if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) { +- /* This is only to work around buggy Windows95/2000 +- * VJ compression implementations. If the ID field +- * does not change, they drop every other packet in +- * a TCP stream using header compression. +- */ +- if (sk && inet_sk(sk)->inet_daddr) { +- iph->id = htons(inet_sk(sk)->inet_id); +- inet_sk(sk)->inet_id += segs; +- } else { +- iph->id = 0; +- } ++ iph->id = 0; + } else { ++ /* Unfortunately we need the big hammer to get a suitable IPID */ + __ip_select_ident(net, iph, segs); + } + } diff --git a/queue-4.4/ipv6_tunnel-rate-limit-warning-messages.patch b/queue-4.4/ipv6_tunnel-rate-limit-warning-messages.patch new file mode 100644 index 00000000000..01e017f1f72 --- /dev/null +++ b/queue-4.4/ipv6_tunnel-rate-limit-warning-messages.patch @@ -0,0 +1,44 @@ +From 6cee105e7f2ced596373951d9ea08dacc3883c68 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Thu, 20 Jan 2022 10:05:46 +0200 +Subject: ipv6_tunnel: Rate limit warning messages + +From: Ido Schimmel + +commit 6cee105e7f2ced596373951d9ea08dacc3883c68 upstream. + +The warning messages can be invoked from the data path for every packet +transmitted through an ip6gre netdev, leading to high CPU utilization. + +Fix that by rate limiting the messages. + +Fixes: 09c6bbf090ec ("[IPV6]: Do mandatory IPv6 tunnel endpoint checks in realtime") +Reported-by: Maksym Yaremchuk +Tested-by: Maksym Yaremchuk +Signed-off-by: Ido Schimmel +Reviewed-by: Amit Cohen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -917,12 +917,12 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t, + ldev = dev_get_by_index_rcu(net, p->link); + + if (unlikely(!ipv6_chk_addr(net, laddr, ldev, 0))) +- pr_warn("%s xmit: Local address not yet configured!\n", +- p->name); ++ pr_warn_ratelimited("%s xmit: Local address not yet configured!\n", ++ p->name); + else if (!ipv6_addr_is_multicast(raddr) && + unlikely(ipv6_chk_addr(net, raddr, NULL, 0))) +- pr_warn("%s xmit: Routing loop! Remote address found on this node!\n", +- p->name); ++ pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n", ++ p->name); + else + ret = 1; + rcu_read_unlock(); diff --git a/queue-4.4/net-fix-information-leakage-in-proc-net-ptype.patch b/queue-4.4/net-fix-information-leakage-in-proc-net-ptype.patch new file mode 100644 index 00000000000..e29df24fc81 --- /dev/null +++ b/queue-4.4/net-fix-information-leakage-in-proc-net-ptype.patch @@ -0,0 +1,69 @@ +From 47934e06b65637c88a762d9c98329ae6e3238888 Mon Sep 17 00:00:00 2001 +From: Congyu Liu +Date: Tue, 18 Jan 2022 14:20:13 -0500 +Subject: net: fix information leakage in /proc/net/ptype + +From: Congyu Liu + +commit 47934e06b65637c88a762d9c98329ae6e3238888 upstream. + +In one net namespace, after creating a packet socket without binding +it to a device, users in other net namespaces can observe the new +`packet_type` added by this packet socket by reading `/proc/net/ptype` +file. This is minor information leakage as packet socket is +namespace aware. + +Add a net pointer in `packet_type` to keep the net namespace of +of corresponding packet socket. In `ptype_seq_show`, this net pointer +must be checked when it is not NULL. + +Fixes: 2feb27dbe00c ("[NETNS]: Minor information leak via /proc/net/ptype file.") +Signed-off-by: Congyu Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 1 + + net/core/net-procfs.c | 3 ++- + net/packet/af_packet.c | 2 ++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2055,6 +2055,7 @@ struct packet_type { + struct net_device *); + bool (*id_match)(struct packet_type *ptype, + struct sock *sk); ++ struct net *af_packet_net; + void *af_packet_priv; + struct list_head list; + }; +--- a/net/core/net-procfs.c ++++ b/net/core/net-procfs.c +@@ -277,7 +277,8 @@ static int ptype_seq_show(struct seq_fil + + if (v == SEQ_START_TOKEN) + seq_puts(seq, "Type Device Function\n"); +- else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) { ++ else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) && ++ (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) { + if (pt->type == htons(ETH_P_ALL)) + seq_puts(seq, "ALL "); + else +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1709,6 +1709,7 @@ static int fanout_add(struct sock *sk, u + match->prot_hook.dev = po->prot_hook.dev; + match->prot_hook.func = packet_rcv_fanout; + match->prot_hook.af_packet_priv = match; ++ match->prot_hook.af_packet_net = read_pnet(&match->net); + match->prot_hook.id_match = match_fanout_group; + list_add(&match->list, &fanout_list); + } +@@ -3167,6 +3168,7 @@ static int packet_create(struct net *net + po->prot_hook.func = packet_rcv_spkt; + + po->prot_hook.af_packet_priv = sk; ++ po->prot_hook.af_packet_net = sock_net(sk); + + if (proto) { + po->prot_hook.type = proto; diff --git a/queue-4.4/net-procfs-show-net-devices-bound-packet-types.patch b/queue-4.4/net-procfs-show-net-devices-bound-packet-types.patch new file mode 100644 index 00000000000..7f21b259ef7 --- /dev/null +++ b/queue-4.4/net-procfs-show-net-devices-bound-packet-types.patch @@ -0,0 +1,112 @@ +From 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 Mon Sep 17 00:00:00 2001 +From: Jianguo Wu +Date: Fri, 21 Jan 2022 17:15:31 +0800 +Subject: net-procfs: show net devices bound packet types + +From: Jianguo Wu + +commit 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 upstream. + +After commit:7866a621043f ("dev: add per net_device packet type chains"), +we can not get packet types that are bound to a specified net device by +/proc/net/ptype, this patch fix the regression. + +Run "tcpdump -i ens192 udp -nns0" Before and after apply this patch: + +Before: + [root@localhost ~]# cat /proc/net/ptype + Type Device Function + 0800 ip_rcv + 0806 arp_rcv + 86dd ipv6_rcv + +After: + [root@localhost ~]# cat /proc/net/ptype + Type Device Function + ALL ens192 tpacket_rcv + 0800 ip_rcv + 0806 arp_rcv + 86dd ipv6_rcv + +v1 -> v2: + - fix the regression rather than adding new /proc API as + suggested by Stephen Hemminger. + +Fixes: 7866a621043f ("dev: add per net_device packet type chains") +Signed-off-by: Jianguo Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-procfs.c | 35 ++++++++++++++++++++++++++++++++--- + 1 file changed, 32 insertions(+), 3 deletions(-) + +--- a/net/core/net-procfs.c ++++ b/net/core/net-procfs.c +@@ -207,12 +207,23 @@ static const struct file_operations soft + .release = seq_release, + }; + +-static void *ptype_get_idx(loff_t pos) ++static void *ptype_get_idx(struct seq_file *seq, loff_t pos) + { ++ struct list_head *ptype_list = NULL; + struct packet_type *pt = NULL; ++ struct net_device *dev; + loff_t i = 0; + int t; + ++ for_each_netdev_rcu(seq_file_net(seq), dev) { ++ ptype_list = &dev->ptype_all; ++ list_for_each_entry_rcu(pt, ptype_list, list) { ++ if (i == pos) ++ return pt; ++ ++i; ++ } ++ } ++ + list_for_each_entry_rcu(pt, &ptype_all, list) { + if (i == pos) + return pt; +@@ -233,22 +244,40 @@ static void *ptype_seq_start(struct seq_ + __acquires(RCU) + { + rcu_read_lock(); +- return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN; ++ return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN; + } + + static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { ++ struct net_device *dev; + struct packet_type *pt; + struct list_head *nxt; + int hash; + + ++*pos; + if (v == SEQ_START_TOKEN) +- return ptype_get_idx(0); ++ return ptype_get_idx(seq, 0); + + pt = v; + nxt = pt->list.next; ++ if (pt->dev) { ++ if (nxt != &pt->dev->ptype_all) ++ goto found; ++ ++ dev = pt->dev; ++ for_each_netdev_continue_rcu(seq_file_net(seq), dev) { ++ if (!list_empty(&dev->ptype_all)) { ++ nxt = dev->ptype_all.next; ++ goto found; ++ } ++ } ++ ++ nxt = ptype_all.next; ++ goto ptype_all; ++ } ++ + if (pt->type == htons(ETH_P_ALL)) { ++ptype_all: + if (nxt != &ptype_all) + goto found; + hash = 0; diff --git a/queue-4.4/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch b/queue-4.4/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch new file mode 100644 index 00000000000..b3183f2a94b --- /dev/null +++ b/queue-4.4/ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch @@ -0,0 +1,46 @@ +From 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sat, 22 Jan 2022 06:40:56 -0500 +Subject: ping: fix the sk_bound_dev_if match in ping_lookup + +From: Xin Long + +commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 upstream. + +When 'ping' changes to use PING socket instead of RAW socket by: + + # sysctl -w net.ipv4.ping_group_range="0 100" + +the selftests 'router_broadcast.sh' will fail, as such command + + # ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b + +can't receive the response skb by the PING socket. It's caused by mismatch +of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket, +as dif is vrf-h1 if dif's master was set to vrf-h1. + +This patch is to fix this regression by also checking the sk_bound_dev_if +against sdif so that the packets can stil be received even if the socket +is not bound to the vrf device but to the real iif. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Reported-by: Hangbin Liu +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ping.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -223,7 +223,8 @@ static struct sock *ping_lookup(struct n + continue; + } + +- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif) ++ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif && ++ sk->sk_bound_dev_if != inet_sdif(skb)) + continue; + + sock_hold(sk); diff --git a/queue-4.4/series b/queue-4.4/series index b315ab52a9c..d19cdbbce8b 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -11,3 +11,10 @@ tty-add-support-for-brainboxes-uc-cards.patch usb-storage-add-unusual-devs-entry-for-vl817-usb-sata-bridge.patch usb-core-fix-hang-in-usb_kill_urb-by-adding-memory-barriers.patch scsi-bnx2fc-flush-destroy_work-queue-before-calling-bnx2fc_interface_put.patch +ipv6_tunnel-rate-limit-warning-messages.patch +arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch +net-fix-information-leakage-in-proc-net-ptype.patch +ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch +ipv4-avoid-using-shared-ip-generator-for-connected-sockets.patch +net-procfs-show-net-devices-bound-packet-types.patch +drm-msm-fix-wrong-size-calculation.patch -- 2.47.3