From 5f27f5853ec5a8bcb8cd61c4c02207fa3c994376 Mon Sep 17 00:00:00 2001 From: Yousaf Kaukab Date: Apr 16 2024 08:42:36 +0000 Subject: Merge remote-tracking branch 'origin/cve/linux-5.14-LTSS' into SLE15-SP5 Conflicts: patches.suse/scsi-core-Fix-scsi_mode_sense-buffer-length-handling.patch series.conf Signed-off-by: Yousaf Kaukab --- diff --git a/patches.suse/arp-Prevent-overflow-in-arp_req_get.patch b/patches.suse/arp-Prevent-overflow-in-arp_req_get.patch new file mode 100644 index 0000000..4f48415 --- /dev/null +++ b/patches.suse/arp-Prevent-overflow-in-arp_req_get.patch @@ -0,0 +1,95 @@ +From: Kuniyuki Iwashima +Date: Thu, 15 Feb 2024 15:05:16 -0800 +Subject: arp: Prevent overflow in arp_req_get(). +Patch-mainline: v6.8-rc6 +Git-commit: a7d6027790acea24446ddd6632d394096c0f4667 +References: CVE-2024-26733 bsc#1222585 + +syzkaller reported an overflown write in arp_req_get(). [0] + +When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour +entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. + +The arp_ha here is struct sockaddr, not struct sockaddr_storage, so +the sa_data buffer is just 14 bytes. + +In the splat below, 2 bytes are overflown to the next int field, +arp_flags. We initialise the field just after the memcpy(), so it's +not a problem. + +However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), +arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) +in arp_ioctl() before calling arp_req_get(). + +To avoid the overflow, let's limit the max length of memcpy(). + +Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible +array in struct sockaddr") just silenced syzkaller. + +[0]: +memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) +WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 +Modules linked in: +CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 +RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 +Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 +RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 +RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 +R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 +FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 + inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 + sock_do_ioctl+0xdf/0x260 net/socket.c:1204 + sock_ioctl+0x3ef/0x650 net/socket.c:1321 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x64/0xce +RIP: 0033:0x7f172b262b8d +Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d +RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 +RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 + + +Reported-by: syzkaller +Reported-by: Bjoern Doebel +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240215230516.31330-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Acked-by: Michal Kubecek + +--- + net/ipv4/arp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -1104,7 +1104,8 @@ static int arp_req_get(struct arpreq *r, struct net_device *dev) + if (neigh) { + if (!(neigh->nud_state & NUD_NOARP)) { + read_lock_bh(&neigh->lock); +- memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len); ++ memcpy(r->arp_ha.sa_data, neigh->ha, ++ min(dev->addr_len, sizeof(r->arp_ha.sa_data))); + r->arp_flags = arp_state_to_flags(neigh); + read_unlock_bh(&neigh->lock); + r->arp_ha.sa_family = dev->type; diff --git a/patches.suse/btrfs-do-not-ASSERT-if-the-newly-created-subvolume-a.patch b/patches.suse/btrfs-do-not-ASSERT-if-the-newly-created-subvolume-a.patch index d2f75e0..4f1c16e 100644 --- a/patches.suse/btrfs-do-not-ASSERT-if-the-newly-created-subvolume-a.patch +++ b/patches.suse/btrfs-do-not-ASSERT-if-the-newly-created-subvolume-a.patch @@ -4,7 +4,7 @@ From: Qu Wenruo Date: Sat, 20 Jan 2024 19:41:28 +1030 Patch-mainline: v6.8-rc4 Git-commit: e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb -References: bsc#1219126 CVE-2024-23850 +References: bsc#1219126 CVE-2024-23850 CVE-2024-26727 bsc#1222536 Subject: [PATCH] btrfs: do not ASSERT() if the newly created subvolume already got read diff --git a/patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch b/patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch index a70421f..a09a794 100644 --- a/patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch +++ b/patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch @@ -3,7 +3,7 @@ Date: Tue, 2 Nov 2021 14:49:16 +0200 Subject: btrfs: fix memory ordering between normal and ordered work functions Git-commit: 45da9c1767ac31857df572f0a909fbe88fd5a7e9 Patch-mainline: v5.17 or v5.16-rc2 (next release) -References: git-fixes +References: git-fixes CVE-2021-47189 bsc#1222706 Ordered work functions aren't guaranteed to be handled by the same thread which executed the normal work functions. The only way execution between diff --git a/patches.suse/ceph-prevent-use-after-free-in-encode_cap_msg.patch b/patches.suse/ceph-prevent-use-after-free-in-encode_cap_msg.patch new file mode 100644 index 0000000..42cce2c --- /dev/null +++ b/patches.suse/ceph-prevent-use-after-free-in-encode_cap_msg.patch @@ -0,0 +1,54 @@ +From: Rishabh Dave +Date: Thu, 1 Feb 2024 17:07:16 +0530 +Subject: ceph: prevent use-after-free in encode_cap_msg() +Git-commit: cda4672da1c26835dcbd7aec2bfed954eda9b5ef +Patch-mainline: v6.8-rc4 +References: CVE-2024-26689 bsc#1222503 + +In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was +caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This +implies before the refcount could be increment here, it was freed. + +In same file, in "handle_cap_grant()" refcount is decremented by this +line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race +occurred and resource was freed by the latter line before the former +line could increment it. + +encode_cap_msg() is called by __send_cap() and __send_cap() is called by +ceph_check_caps() after calling __prep_cap(). __prep_cap() is where +arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where +the refcount must be increased to prevent "use after free" error. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/59259 +Signed-off-by: Rishabh Dave +Reviewed-by: Jeff Layton +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Acked-by: Luis Henriques +--- + fs/ceph/caps.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index 9c02f328c966..e8bf082105d8 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1452,7 +1452,7 @@ static void __prep_cap(struct cap_msg_args *arg, struct ceph_cap *cap, + if (flushing & CEPH_CAP_XATTR_EXCL) { + arg->old_xattr_buf = __ceph_build_xattrs_blob(ci); + arg->xattr_version = ci->i_xattrs.version; +- arg->xattr_buf = ci->i_xattrs.blob; ++ arg->xattr_buf = ceph_buffer_get(ci->i_xattrs.blob); + } else { + arg->xattr_buf = NULL; + arg->old_xattr_buf = NULL; +@@ -1553,6 +1553,7 @@ static void __send_cap(struct cap_msg_args *arg, struct ceph_inode_info *ci) + encode_cap_msg(msg, arg); + ceph_con_send(&arg->session->s_con, msg); + ceph_buffer_put(arg->old_xattr_buf); ++ ceph_buffer_put(arg->xattr_buf); + if (arg->wake) + wake_up_all(&ci->i_cap_wq); + } + diff --git a/patches.suse/ext4-fix-double-free-of-blocks-due-to-wrong-extents-.patch b/patches.suse/ext4-fix-double-free-of-blocks-due-to-wrong-extents-.patch new file mode 100644 index 0000000..394eaca --- /dev/null +++ b/patches.suse/ext4-fix-double-free-of-blocks-due-to-wrong-extents-.patch @@ -0,0 +1,74 @@ +From 55583e899a5357308274601364741a83e78d6ac4 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 4 Jan 2024 22:20:33 +0800 +Subject: [PATCH] ext4: fix double-free of blocks due to wrong extents + moved_len +Git-commit: 55583e899a5357308274601364741a83e78d6ac4 +Patch-mainline: v6.8-rc3 +References: bsc#1222422 CVE-2024-26704 + +In ext4_move_extents(), moved_len is only updated when all moves are +successfully executed, and only discards orig_inode and donor_inode +preallocations when moved_len is not zero. When the loop fails to exit +after successfully moving some extents, moved_len is not updated and +remains at 0, so it does not discard the preallocations. + +If the moved extents overlap with the preallocated extents, the +overlapped extents are freed twice in ext4_mb_release_inode_pa() and +ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4: +Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is +incremented twice. Hence when trim is executed, a zero-division bug is +triggered in mb_update_avg_fragment_size() because bb_free is not zero +and bb_fragments is zero. + +Therefore, update move_len after each extent move to avoid the issue. + +Reported-by: Wei Chen +Reported-by: xingwei lee +Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@mail.gmail.com +Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base") +Cc: # 3.18 +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20240104142040.2835097-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Acked-by: Jan Kara + +--- + fs/ext4/move_extent.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c +index 3aa57376d9c2..391efa6d4c56 100644 +--- a/fs/ext4/move_extent.c ++++ b/fs/ext4/move_extent.c +@@ -618,6 +618,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, + goto out; + o_end = o_start + len; + ++ *moved_len = 0; + while (o_start < o_end) { + struct ext4_extent *ex; + ext4_lblk_t cur_blk, next_blk; +@@ -672,7 +673,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, + */ + ext4_double_up_write_data_sem(orig_inode, donor_inode); + /* Swap original branches with new branches */ +- move_extent_per_page(o_filp, donor_inode, ++ *moved_len += move_extent_per_page(o_filp, donor_inode, + orig_page_index, donor_page_index, + offset_in_page, cur_len, + unwritten, &ret); +@@ -682,9 +683,6 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, + o_start += cur_len; + d_start += cur_len; + } +- *moved_len = o_start - orig_blk; +- if (*moved_len > len) +- *moved_len = len; + + out: + if (*moved_len) { +-- +2.35.3 + diff --git a/patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch b/patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch new file mode 100644 index 0000000..190adbe --- /dev/null +++ b/patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch @@ -0,0 +1,76 @@ +From: Jakub Kicinski +Date: Thu, 15 Feb 2024 06:33:46 -0800 +Subject: net/sched: act_mirred: don't override retval if we already lost the skb +Patch-mainline: v6.8-rc6 +Git-commit: 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 +References: CVE-2024-26733 bsc#1222585 + +If we're redirecting the skb, and haven't called tcf_mirred_forward(), +yet, we need to tell the core to drop the skb by setting the retcode +to SHOT. If we have called tcf_mirred_forward(), however, the skb +is out of our hands and returning SHOT will lead to UaF. + +Move the retval override to the error path which actually need it. + +Reviewed-by: Michal Swiatkowski +Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") +Signed-off-by: Jakub Kicinski +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Acked-by: Michal Kubecek + +--- + net/sched/act_mirred.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -260,13 +260,13 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + dev = rcu_dereference_bh(m->tcfm_dev); + if (unlikely(!dev)) { + pr_notice_once("tc mirred: target device is gone\n"); +- goto out; ++ goto err_cant_do; + } + + if (unlikely(!(dev->flags & IFF_UP))) { + net_notice_ratelimited("tc mirred to Houston: device %s is down\n", + dev->name); +- goto out; ++ goto err_cant_do; + } + + /* we could easily avoid the clone only if called by ingress and clsact; +@@ -280,7 +280,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + if (!use_reinsert) { + skb2 = skb_clone(skb, GFP_ATOMIC); + if (!skb2) +- goto out; ++ goto err_cant_do; + } + + want_ingress = tcf_mirred_act_wants_ingress(m_eaction); +@@ -323,15 +323,18 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, + } + + err = tcf_mirred_forward(want_ingress, skb2); +- if (err) { +-out: ++ if (err) + tcf_action_inc_overlimit_qstats(&m->common); +- if (tcf_mirred_is_act_redirect(m_eaction)) +- retval = TC_ACT_SHOT; +- } + __this_cpu_dec(mirred_nest_level); + + return retval; ++ ++err_cant_do: ++ if (is_redirect) ++ retval = TC_ACT_SHOT; ++ tcf_action_inc_overlimit_qstats(&m->common); ++ __this_cpu_dec(mirred_nest_level); ++ return retval; + } + + static void tcf_stats_update(struct tc_action *a, u64 bytes, u64 packets, diff --git a/patches.suse/scsi-core-Fix-scsi_mode_sense-buffer-length-handling.patch b/patches.suse/scsi-core-Fix-scsi_mode_sense-buffer-length-handling.patch index 1662804..1c459d6 100644 --- a/patches.suse/scsi-core-Fix-scsi_mode_sense-buffer-length-handling.patch +++ b/patches.suse/scsi-core-Fix-scsi_mode_sense-buffer-length-handling.patch @@ -3,7 +3,7 @@ Date: Fri, 20 Aug 2021 16:02:53 +0900 Subject: [PATCH] scsi: core: Fix scsi_mode_sense() buffer length handling Git-commit: 17b49bcbf8351d3dbe57204468ac34f033ed60bc Patch-mainline: v5.16-rc1 -References: jsc#PED-1559 +References: jsc#PED-1559 git-fixes CVE-2021-47182 bsc#1222662 Several problems exist with scsi_mode_sense() buffer length handling: diff --git a/patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch b/patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch index 097c401..64e545c 100644 --- a/patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch +++ b/patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch @@ -4,7 +4,7 @@ Subject: scsi: lpfc: Fix link down processing to address NULL pointer dereference Patch-mainline: v5.16-rc1 Git-commit: 1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6 -References: bsc#1192145 +References: bsc#1192145 CVE-2021-47183 bsc#1222664 If an FC link down transition while PLOGIs are outstanding to fabric well known addresses, outstanding ABTS requests may result in a NULL pointer diff --git a/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch b/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch index 936376a..51f856b 100644 --- a/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch +++ b/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch @@ -4,7 +4,7 @@ Date: Mon, 11 Oct 2021 22:08:24 +0800 Subject: [PATCH] tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc Git-commit: 3968ddcf05fb4b9409cd1859feb06a5b0550a1c1 Patch-mainline: v5.16-rc1 -References: git-fixes +References: git-fixes CVE-2021-47185 When running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup, which look like this one: diff --git a/patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch b/patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch index 9fff32e..b777e10 100644 --- a/patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch +++ b/patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch @@ -4,7 +4,7 @@ Date: Wed, 15 Sep 2021 11:49:25 +0800 Subject: [PATCH] usb: musb: tusb6010: check return value after calling platform_get_resource() Git-commit: 14651496a3de6807a17c310f63c894ea0c5d858e Patch-mainline: v5.16-rc1 -References: git-fixes +References: git-fixes CVE-2021-47181 bsc#1222660 It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. diff --git a/series.conf b/series.conf index 8c455d4..09f8a0b 100644 --- a/series.conf +++ b/series.conf @@ -45652,6 +45652,7 @@ patches.suse/serial-max310x-improve-crystal-stable-clock-detectio.patch patches.suse/serial-max310x-fail-probe-if-clock-crystal-is-unstab.patch patches.suse/misc-fastrpc-Mark-all-sessions-as-invalid-in-cb_remo.patch + patches.suse/ext4-fix-double-free-of-blocks-due-to-wrong-extents-.patch patches.suse/btrfs-do-not-ASSERT-if-the-newly-created-subvolume-a.patch patches.suse/nfsd-don-t-take-fi_lock-in-nfsd_break_deleg_cb.patch patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch @@ -45682,6 +45683,7 @@ patches.suse/efi-Don-t-add-memblocks-for-soft-reserved-memory.patch patches.suse/tracing-probes-Fix-to-show-a-parse-error-for-bad-type-for-comm.patch patches.suse/tracing-Fix-wasted-memory-in-saved_cmdlines-logic.patch + patches.suse/ceph-prevent-use-after-free-in-encode_cap_msg.patch patches.suse/scsi-core-Move-scsi_host_busy-out-of-host-lock-if-it-is-for-per-command.patch patches.suse/scsi-lpfc-use-unsigned-type-for-num_sge.patch patches.suse/firewire-core-send-bus-reset-promptly-on-gap-count-e.patch @@ -45752,6 +45754,8 @@ patches.suse/RDMA-srpt-Support-specifying-the-srpt_service_guid-p.patch patches.suse/RDMA-qedr-Fix-qedr_create_user_qp-error-flow.patch patches.suse/RDMA-srpt-fix-function-pointer-cast-warnings.patch + patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch + patches.suse/arp-Prevent-overflow-in-arp_req_get.patch patches.suse/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_gen.patch patches.suse/bpf-scripts-Correct-GPL-license-name.patch patches.suse/bpf-Fix-racing-between-bpf_timer_cancel_and_free-and.patch