4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 9 Jun 2019 08:06:50 +0000 (10:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 9 Jun 2019 08:06:50 +0000 (10:06 +0200)
added patches:
ethtool-fix-potential-userspace-buffer-overflow.patch
ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch
ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch
net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch
net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
pktgen-do-not-sleep-with-the-thread-lock-held.patch
revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch
revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch

queue-4.9/ethtool-fix-potential-userspace-buffer-overflow.patch [new file with mode: 0644]
queue-4.9/ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch [new file with mode: 0644]
queue-4.9/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch [new file with mode: 0644]
queue-4.9/neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch [new file with mode: 0644]
queue-4.9/net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch [new file with mode: 0644]
queue-4.9/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch [new file with mode: 0644]
queue-4.9/pktgen-do-not-sleep-with-the-thread-lock-held.patch [new file with mode: 0644]
queue-4.9/revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch [new file with mode: 0644]
queue-4.9/revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/ethtool-fix-potential-userspace-buffer-overflow.patch b/queue-4.9/ethtool-fix-potential-userspace-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..7d8df66
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST
+From: Vivien Didelot <vivien.didelot@gmail.com>
+Date: Mon, 3 Jun 2019 16:57:13 -0400
+Subject: ethtool: fix potential userspace buffer overflow
+
+From: Vivien Didelot <vivien.didelot@gmail.com>
+
+[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]
+
+ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
+and pass it to the kernel driver via ops->get_regs() for filling.
+
+There is no restriction about what the kernel drivers can or cannot do
+with the open ethtool_regs structure. They usually set regs->version
+and ignore regs->len or set it to the same size as ops->get_regs_len().
+
+But if userspace allocates a smaller buffer for the registers dump,
+we would cause a userspace buffer overflow in the final copy_to_user()
+call, which uses the regs.len value potentially reset by the driver.
+
+To fix this, make this case obvious and store regs.len before calling
+ops->get_regs(), to only copy as much data as requested by userspace,
+up to the value returned by ops->get_regs_len().
+
+While at it, remove the redundant check for non-null regbuf.
+
+Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/ethtool.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -1390,13 +1390,16 @@ static int ethtool_get_regs(struct net_d
+                       return -ENOMEM;
+       }
++      if (regs.len < reglen)
++              reglen = regs.len;
++
+       ops->get_regs(dev, &regs, regbuf);
+       ret = -EFAULT;
+       if (copy_to_user(useraddr, &regs, sizeof(regs)))
+               goto out;
+       useraddr += offsetof(struct ethtool_regs, data);
+-      if (regbuf && copy_to_user(useraddr, regbuf, regs.len))
++      if (copy_to_user(useraddr, regbuf, reglen))
+               goto out;
+       ret = 0;
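Review bot: The `regs` header written by `copy_to_user(useraddr, &regs, sizeof(regs))` still carries whatever `regs.len` the driver left after `ops->get_regs()`, while the data copy below it is now bounded by the saved `reglen`. Userspace can therefore be told a length larger than the bytes it received, and a caller that walks its buffer by the returned `regs.len` would read past what was filled in. I would document this next to the new clamp, e.g. `/* reglen = min(user-requested len, get_regs_len()); regs.len returned to userspace may still be driver-set */`, and consider whether the header should report `reglen` instead. The dropped `regbuf &&` test is safe only if `regbuf` is NULL exactly when `reglen` is 0; the allocation is above the hunk, so that should be confirmed there.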
diff --git a/queue-4.9/ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch b/queue-4.9/ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch
new file mode 100644 (file)
index 0000000..6fc656d
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST
+From: Olivier Matz <olivier.matz@6wind.com>
+Date: Thu, 6 Jun 2019 09:15:19 +0200
+Subject: ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
+
+From: Olivier Matz <olivier.matz@6wind.com>
+
+[ Upstream commit b9aa52c4cb457e7416cc0c95f475e72ef4a61336 ]
+
+The following code returns EFAULT (Bad address):
+
+  s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
+  setsockopt(s, SOL_IPV6, IPV6_HDRINCL, 1);
+  sendto(ipv6_icmp6_packet, addr);   /* returns -1, errno = EFAULT */
+
+The IPv4 equivalent code works. A workaround is to use IPPROTO_RAW
+instead of IPPROTO_ICMPV6.
+
+The failure happens because 2 bytes are eaten from the msghdr by
+rawv6_probe_proto_opt() starting from commit 19e3c66b52ca ("ipv6
+equivalent of "ipv4: Avoid reading user iov twice after
+raw_probe_proto_opt""), but at that time it was not a problem because
+IPV6_HDRINCL was not yet introduced.
+
+Only eat these 2 bytes if hdrincl == 0.
+
+Fixes: 715f504b1189 ("ipv6: add IPV6_HDRINCL option for raw sockets")
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/raw.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -880,11 +880,14 @@ static int rawv6_sendmsg(struct sock *sk
+       opt = ipv6_fixup_options(&opt_space, opt);
+       fl6.flowi6_proto = proto;
+-      rfv.msg = msg;
+-      rfv.hlen = 0;
+-      err = rawv6_probe_proto_opt(&rfv, &fl6);
+-      if (err)
+-              goto out;
++
++      if (!hdrincl) {
++              rfv.msg = msg;
++              rfv.hlen = 0;
++              err = rawv6_probe_proto_opt(&rfv, &fl6);
++              if (err)
++                      goto out;
++      }
+       if (!ipv6_addr_any(daddr))
+               fl6.daddr = *daddr;
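Review bot: The new guard `if (!hdrincl)` reads a local that this queue only declares in ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch (`int hdrincl;`), yet the series hunk on this page lists this patch before that one. Applied in that order, net/ipv6/raw.c would presumably not build after this patch alone, which breaks bisection of the 4.9 queue. The READ_ONCE patch's own message also describes it as preparation for "the next commit". The two series entries should be swapped so that `ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch` comes first. rawv6_sendmsg's body extends beyond the hunk, so whether the 4.9 tree already has an `hdrincl` local should be confirmed there.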
diff --git a/queue-4.9/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch b/queue-4.9/ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
new file mode 100644 (file)
index 0000000..16f7194
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Sun 09 Jun 2019 09:44:19 AM CEST
+From: Olivier Matz <olivier.matz@6wind.com>
+Date: Thu, 6 Jun 2019 09:15:18 +0200
+Subject: ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
+
+From: Olivier Matz <olivier.matz@6wind.com>
+
+[ Upstream commit 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91 ]
+
+As it was done in commit 8f659a03a0ba ("net: ipv4: fix for a race
+condition in raw_sendmsg") and commit 20b50d79974e ("net: ipv4: emulate
+READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()") for ipv4, copy the
+value of inet->hdrincl in a local variable, to avoid introducing a race
+condition in the next commit.
+
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/raw.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -774,6 +774,7 @@ static int rawv6_sendmsg(struct sock *sk
+       struct sockcm_cookie sockc;
+       struct ipcm6_cookie ipc6;
+       int addr_len = msg->msg_namelen;
++      int hdrincl;
+       u16 proto;
+       int err;
+@@ -787,6 +788,13 @@ static int rawv6_sendmsg(struct sock *sk
+       if (msg->msg_flags & MSG_OOB)
+               return -EOPNOTSUPP;
++      /* hdrincl should be READ_ONCE(inet->hdrincl)
++       * but READ_ONCE() doesn't work with bit fields.
++       * Doing this indirectly yields the same result.
++       */
++      hdrincl = inet->hdrincl;
++      hdrincl = READ_ONCE(hdrincl);
++
+       /*
+        *      Get and verify the address.
+        */
+@@ -904,7 +912,7 @@ static int rawv6_sendmsg(struct sock *sk
+               fl6.flowi6_oif = np->ucast_oif;
+       security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
+-      if (inet->hdrincl)
++      if (hdrincl)
+               fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH;
+       if (ipc6.tclass < 0)
+@@ -927,7 +935,7 @@ static int rawv6_sendmsg(struct sock *sk
+               goto do_confirm;
+ back_from_confirm:
+-      if (inet->hdrincl)
++      if (hdrincl)
+               err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, msg->msg_flags);
+       else {
+               ipc6.opt = opt;
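Review bot: The added comment explains how the bit-field is read but not why a single snapshot is needed, which is the part a later editor of rawv6_sendmsg has to respect. Judging from the commit message's reference to the ipv4 race fix, the concern is presumably that `inet->hdrincl` can change while the call is in progress, so two reads could disagree about whether the caller supplied the IPv6 header. I would add a line such as `/* snapshot once: every hdrincl decision in this call must use this value */`. The function continues outside these hunks, so any remaining direct read of `inet->hdrincl` there should be checked and converted too.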
diff --git a/queue-4.9/neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch b/queue-4.9/neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch
new file mode 100644 (file)
index 0000000..db3b2ff
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 1 May 2019 18:18:42 -0700
+Subject: neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 ]
+
+Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to
+INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not
+updated to use the altered key. The result is that every packet Tx does
+a lookup on the gateway address which does not find an entry, a new one
+is created only to find the existing one in the table right before the
+insert since arp_constructor was updated to reset the primary key. This
+is seen in the allocs and destroys counters:
+    ip -s -4 ntable show | head -10 | grep alloc
+
+which increase for each packet showing the unnecessary overhread.
+
+Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE.
+
+Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY")
+Reported-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Tested-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -30,6 +30,7 @@
+ #include <linux/times.h>
+ #include <net/net_namespace.h>
+ #include <net/neighbour.h>
++#include <net/arp.h>
+ #include <net/dst.h>
+ #include <net/sock.h>
+ #include <net/netevent.h>
+@@ -2489,7 +2490,13 @@ int neigh_xmit(int index, struct net_dev
+               if (!tbl)
+                       goto out;
+               rcu_read_lock_bh();
+-              neigh = __neigh_lookup_noref(tbl, addr, dev);
++              if (index == NEIGH_ARP_TABLE) {
++                      u32 key = *((u32 *)addr);
++
++                      neigh = __ipv4_neigh_lookup_noref(dev, key);
++              } else {
++                      neigh = __neigh_lookup_noref(tbl, addr, dev);
++              }
+               if (!neigh)
+                       neigh = __neigh_create(tbl, addr, dev, false);
+               err = PTR_ERR(neigh);
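Review bot: `u32 key = *((u32 *)addr);` dereferences the caller's address buffer as a 32-bit word, which assumes `addr` is 4-byte aligned and at least four bytes long, and the cast would silently drop a `const` qualifier if the parameter has one. The parameter list is truncated in the hunk header, so neither can be confirmed from here. A copy avoids both assumptions about alignment and qualifiers: `u32 key; memcpy(&key, addr, sizeof(key));`. A one-line comment that this branch treats `addr` as an IPv4 address because `index == NEIGH_ARP_TABLE` would also help the next reader.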
diff --git a/queue-4.9/net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch b/queue-4.9/net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch
new file mode 100644 (file)
index 0000000..023bb8b
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST
+From: Erez Alfasi <ereza@mellanox.com>
+Date: Mon, 20 May 2019 17:42:52 +0300
+Subject: net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
+
+From: Erez Alfasi <ereza@mellanox.com>
+
+[ Upstream commit 135dd9594f127c8a82d141c3c8430e9e2143216a ]
+
+Querying EEPROM high pages data for SFP module is currently
+not supported by our driver but is still tried, resulting in
+invalid FW queries.
+
+Set the EEPROM ethtool data length to 256 for SFP module to
+limit the reading for page 0 only and prevent invalid FW queries.
+
+Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support")
+Signed-off-by: Erez Alfasi <ereza@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c |    4 +++-
+ drivers/net/ethernet/mellanox/mlx4/port.c       |    5 -----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1930,6 +1930,8 @@ static int mlx4_en_set_tunable(struct ne
+       return ret;
+ }
++#define MLX4_EEPROM_PAGE_LEN 256
++
+ static int mlx4_en_get_module_info(struct net_device *dev,
+                                  struct ethtool_modinfo *modinfo)
+ {
+@@ -1964,7 +1966,7 @@ static int mlx4_en_get_module_info(struc
+               break;
+       case MLX4_MODULE_ID_SFP:
+               modinfo->type = ETH_MODULE_SFF_8472;
+-              modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
++              modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN;
+               break;
+       default:
+               return -ENOSYS;
+--- a/drivers/net/ethernet/mellanox/mlx4/port.c
++++ b/drivers/net/ethernet/mellanox/mlx4/port.c
+@@ -1960,11 +1960,6 @@ int mlx4_get_module_info(struct mlx4_dev
+               size -= offset + size - I2C_PAGE_SIZE;
+       i2c_addr = I2C_ADDR_LOW;
+-      if (offset >= I2C_PAGE_SIZE) {
+-              /* Reset offset to high page */
+-              i2c_addr = I2C_ADDR_HIGH;
+-              offset -= I2C_PAGE_SIZE;
+-      }
+       cable_info = (struct mlx4_cable_info *)inmad->data;
+       cable_info->dev_mem_address = cpu_to_be16(offset);
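Review bot: After the removal in port.c, `mlx4_get_module_info()` passes any `offset` at or above `I2C_PAGE_SIZE` to the firmware unadjusted and addressed to `I2C_ADDR_LOW`, so the only thing keeping such offsets out is the new `modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN` in en_ethtool.c. That bound lives in a different file and is visible only for the SFP case. If higher offsets are never valid for any module type, an explicit check where the block was removed would make the limit local, e.g. `if (offset >= I2C_PAGE_SIZE) return -EINVAL;`, assuming the function reports errors as negative errno values, which the hunk does not show. The new `#define MLX4_EEPROM_PAGE_LEN 256` would also benefit from a comment saying it restricts reads to page 0 because high pages are not supported.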
diff --git a/queue-4.9/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch b/queue-4.9/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
new file mode 100644 (file)
index 0000000..f38bfbb
--- /dev/null
@@ -0,0 +1,90 @@
+From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Thu, 6 Jun 2019 04:00:03 -0400
+Subject: net: rds: fix memory leak in rds_ib_flush_mr_pool
+
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+
+[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ]
+
+When the following tests last for several hours, the problem will occur.
+
+Server:
+    rds-stress -r 1.1.1.16 -D 1M
+Client:
+    rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30
+
+The following will occur.
+
+"
+Starting up....
+tsks   tx/s   rx/s  tx+rx K/s    mbi K/s    mbo K/s tx us/c   rtt us cpu
+%
+  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
+  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
+  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
+  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
+"
+>From vmcore, we can find that clean_list is NULL.
+
+>From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
+Then rds_ib_mr_pool_flush_worker calls
+"
+ rds_ib_flush_mr_pool(pool, 0, NULL);
+"
+Then in function
+"
+int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
+                         int free_all, struct rds_ib_mr **ibmr_ret)
+"
+ibmr_ret is NULL.
+
+In the source code,
+"
+...
+list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+if (ibmr_ret)
+        *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+
+/* more than one entry in llist nodes */
+if (clean_nodes->next)
+        llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
+...
+"
+When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next
+instead of clean_nodes is added in clean_list.
+So clean_nodes is discarded. It can not be used again.
+The workqueue is executed periodically. So more and more clean_nodes are
+discarded. Finally the clean_list is NULL.
+Then this problem will occur.
+
+Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_rdma.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/rds/ib_rdma.c
++++ b/net/rds/ib_rdma.c
+@@ -416,12 +416,14 @@ int rds_ib_flush_mr_pool(struct rds_ib_m
+               wait_clean_list_grace();
+               list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+-              if (ibmr_ret)
++              if (ibmr_ret) {
+                       *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+-
++                      clean_nodes = clean_nodes->next;
++              }
+               /* more than one entry in llist nodes */
+-              if (clean_nodes->next)
+-                      llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
++              if (clean_nodes)
++                      llist_add_batch(clean_nodes, clean_tail,
++                                      &pool->clean_list);
+       }
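Review bot: The retained comment `/* more than one entry in llist nodes */` no longer matches the test below it, because with `ibmr_ret == NULL` the new `if (clean_nodes)` is true for a single node as well, which is exactly the case this fix restores. I would reword it to something like `/* put the remaining nodes (all of them when ibmr_ret is NULL) back on the clean list */`. Separately, `llist_entry(clean_nodes, ...)` and `clean_nodes->next` assume `list_to_llist_nodes()` produced at least one node. The condition that guarantees this is above the hunk and should be confirmed there.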
diff --git a/queue-4.9/pktgen-do-not-sleep-with-the-thread-lock-held.patch b/queue-4.9/pktgen-do-not-sleep-with-the-thread-lock-held.patch
new file mode 100644 (file)
index 0000000..d596d43
--- /dev/null
@@ -0,0 +1,96 @@
+From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 6 Jun 2019 15:45:03 +0200
+Subject: pktgen: do not sleep with the thread lock held.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ]
+
+Currently, the process issuing a "start" command on the pktgen procfs
+interface, acquires the pktgen thread lock and never release it, until
+all pktgen threads are completed. The above can blocks indefinitely any
+other pktgen command and any (even unrelated) netdevice removal - as
+the pktgen netdev notifier acquires the same lock.
+
+The issue is demonstrated by the following script, reported by Matteo:
+
+ip -b - <<'EOF'
+       link add type dummy
+       link add type veth
+       link set dummy0 up
+EOF
+modprobe pktgen
+echo reset >/proc/net/pktgen/pgctrl
+{
+       echo rem_device_all
+       echo add_device dummy0
+} >/proc/net/pktgen/kpktgend_0
+echo count 0 >/proc/net/pktgen/dummy0
+echo start >/proc/net/pktgen/pgctrl &
+sleep 1
+rmmod veth
+
+Fix the above releasing the thread lock around the sleep call.
+
+Additionally we must prevent racing with forcefull rmmod - as the
+thread lock no more protects from them. Instead, acquire a self-reference
+before waiting for any thread. As a side effect, running
+
+rmmod pktgen
+
+while some thread is running now fails with "module in use" error,
+before this patch such command hanged indefinitely.
+
+Note: the issue predates the commit reported in the fixes tag, but
+this fix can't be applied before the mentioned commit.
+
+v1 -> v2:
+ - no need to check for thread existence after flipping the lock,
+   pktgen threads are freed only at net exit time
+ -
+
+Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.")
+Reported-and-tested-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/pktgen.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -3147,7 +3147,13 @@ static int pktgen_wait_thread_run(struct
+ {
+       while (thread_is_running(t)) {
++              /* note: 't' will still be around even after the unlock/lock
++               * cycle because pktgen_thread threads are only cleared at
++               * net exit
++               */
++              mutex_unlock(&pktgen_thread_lock);
+               msleep_interruptible(100);
++              mutex_lock(&pktgen_thread_lock);
+               if (signal_pending(current))
+                       goto signal;
+@@ -3162,6 +3168,10 @@ static int pktgen_wait_all_threads_run(s
+       struct pktgen_thread *t;
+       int sig = 1;
++      /* prevent from racing with rmmod */
++      if (!try_module_get(THIS_MODULE))
++              return sig;
++
+       mutex_lock(&pktgen_thread_lock);
+       list_for_each_entry(t, &pn->pktgen_threads, th_list) {
+@@ -3175,6 +3185,7 @@ static int pktgen_wait_all_threads_run(s
+                       t->control |= (T_STOP);
+       mutex_unlock(&pktgen_thread_lock);
++      module_put(THIS_MODULE);
+       return sig;
+ }
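Review bot: With the lock now dropped inside `pktgen_wait_thread_run()`, the `list_for_each_entry(t, &pn->pktgen_threads, th_list)` walk in `pktgen_wait_all_threads_run()` spans windows in which `pktgen_thread_lock` is not held, and the only justification is the comment in the callee. `try_module_get(THIS_MODULE)` covers module unload, but nothing visible in these hunks shows what keeps `pn` and its thread list alive if the network namespace exits during the sleep. I would state the assumption at the loop as well, e.g. `/* lock is dropped while sleeping; list entries are only removed at net exit */`, and confirm what pins the namespace for the duration of the wait. Both functions continue outside the hunks.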
diff --git a/queue-4.9/revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch b/queue-4.9/revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch
new file mode 100644 (file)
index 0000000..e70dc48
--- /dev/null
@@ -0,0 +1,25 @@
+From 41da877a19fb3d45dad80997e92f25965feaabc3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 9 Jun 2019 09:55:08 +0200
+Subject: Revert "fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit d5c71a7c533e88a9fcc74fe1b5c25743868fa300 as the
+patch that this "fixes" is about to be reverted...
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/fib_rules.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -430,7 +430,6 @@ int fib_nl_newrule(struct sk_buff *skb,
+               goto errout_free;
+       if (rule_exists(ops, frh, tb, rule)) {
+-              err = 0;
+               if (nlh->nlmsg_flags & NLM_F_EXCL)
+                       err = -EEXIST;
+               goto errout_free;
diff --git a/queue-4.9/revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch b/queue-4.9/revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch
new file mode 100644 (file)
index 0000000..c557f4b
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Sun 09 Jun 2019 10:02:57 AM CEST
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 5 Jun 2019 12:27:14 +0800
+Subject: Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied"
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 4970b42d5c362bf873982db7d93245c5281e58f4 ]
+
+This reverts commit e9919a24d3022f72bcadc407e73a6ef17093a849.
+
+Nathan reported the new behaviour breaks Android, as Android just add
+new rules and delete old ones.
+
+If we return 0 without adding dup rules, Android will remove the new
+added rules and causing system to soft-reboot.
+
+Fixes: e9919a24d302 ("fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied")
+Reported-by: Nathan Chancellor <natechancellor@gmail.com>
+Reported-by: Yaro Slav <yaro330@gmail.com>
+Reported-by: Maciej Żenczykowski <zenczykowski@gmail.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/fib_rules.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -429,9 +429,9 @@ int fib_nl_newrule(struct sk_buff *skb,
+       if (rule->l3mdev && rule->table)
+               goto errout_free;
+-      if (rule_exists(ops, frh, tb, rule)) {
+-              if (nlh->nlmsg_flags & NLM_F_EXCL)
+-                      err = -EEXIST;
++      if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
++          rule_exists(ops, frh, tb, rule)) {
++              err = -EEXIST;
+               goto errout_free;
+       }
index f407955e6246d7bdb6e9f23c10f19e0078f46053..8914c4e1ab141fa30cd7fccdd9712ed5fe1326ec 100644 (file)
@@ -59,3 +59,12 @@ mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch
 revert-x86-build-move-_etext-to-actual-end-of-.text.patch
 efi-libstub-unify-command-line-param-parsing.patch
 media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch
+ethtool-fix-potential-userspace-buffer-overflow.patch
+neighbor-call-__ipv4_neigh_lookup_noref-in-neigh_xmit.patch
+net-mlx4_en-ethtool-remove-unsupported-sfp-eeprom-high-pages-query.patch
+net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
+pktgen-do-not-sleep-with-the-thread-lock-held.patch
+ipv6-fix-efault-on-sendto-with-icmpv6-and-hdrincl.patch
+ipv6-use-read_once-for-inet-hdrincl-as-in-ipv4.patch
+revert-fib_rules-fix-error-in-backport-of-e9919a24d302-fib_rules-return-0.patch
+revert-fib_rules-return-0-directly-if-an-exactly-same-rule-exists-when-nlm_f_excl-not-supplied.patch