From e4c368f2b7ef4b25e1da4dfcaa32db4b7a3feb21 Mon Sep 17 00:00:00 2001
From: Kernel Build Daemon
Date: May 11 2023 05:40:40 +0000
Subject: Merge branch 'cve/linux-5.3' into SLE15-SP2-LTSS
---
diff --git a/patches.suse/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch b/patches.suse/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch
new file mode 100644
index 0000000..c0706c9
--- /dev/null
+++ b/patches.suse/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch
@@ -0,0 +1,131 @@
+From: Davide Caratti
+Date: Fri, 20 Jan 2023 18:01:40 +0100
+Subject: act_mirred: use the backlog for nested calls to mirred ingress
+Patch-mainline: v6.3-rc1
+Git-commit: ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640
+References: CVE-2022-4269 bsc#1206024
+
+William reports kernel soft-lockups on some OVS topologies when TC mirred
+egress->ingress action is hit by local TCP traffic [1].
+The same can also be reproduced with SCTP (thanks Xin for verifying), when
+client and server reach themselves through mirred egress to ingress, and
+one of the two peers sends a "heartbeat" packet (from within a timer).
+
+Enqueueing to backlog proved to fix this soft lockup; however, as Cong
+noticed [2], we should preserve - when possible - the current mirred
+behavior that counts as "overlimits" any eventual packet drop subsequent to
+the mirred forwarding action [3]. A compromise solution might use the
+backlog only when tcf_mirred_act() has a nest level greater than one:
+change tcf_mirred_forward() accordingly.
+
+Also, add a kselftest that can reproduce the lockup and verifies TC mirred
+ability to account for further packet drops after TC mirred egress->ingress
+(when the nest level is 1).
+
+ [1] https://lore.kernel.org/netdev/33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com/
+ [2] https://lore.kernel.org/netdev/Y0w%2FWWY60gqrtGLp@pop-os.localdomain/
+ [3] such behavior is not guaranteed: for example, if RPS or skb RX
+ timestamping is enabled on the mirred target device, the kernel
+ can defer receiving the skb and return NET_RX_SUCCESS inside
+ tcf_mirred_forward().
+
+Reported-by: William Zhao
+CC: Xin Long
+Signed-off-by: Davide Caratti
+Reviewed-by: Marcelo Ricardo Leitner
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Paolo Abeni
+Acked-by: Michal Kubecek
+
+---
+ net/sched/act_mirred.c | 7 +++
+ .../selftests/net/forwarding/tc_actions.sh | 49 ++++++++++++++++++-
+ 2 files changed, 55 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -207,12 +207,19 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
+ return err;
+ }
+
++static bool is_mirred_nested(void)
++{
++ return unlikely(__this_cpu_read(mirred_nest_level) > 1);
++}
++
+ static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
+ {
+ int err;
+
+ if (!want_ingress)
+ err = dev_queue_xmit(skb);
++ else if (is_mirred_nested())
++ err = netif_rx(skb);
+ else
+ err = netif_receive_skb(skb);
+
+--- a/tools/testing/selftests/net/forwarding/tc_actions.sh
++++ b/tools/testing/selftests/net/forwarding/tc_actions.sh
+@@ -2,7 +2,8 @@
+ # SPDX-License-Identifier: GPL-2.0
+
+ ALL_TESTS="gact_drop_and_ok_test mirred_egress_redirect_test \
+- mirred_egress_mirror_test gact_trap_test"
++ mirred_egress_mirror_test gact_trap_test \
++ mirred_egress_to_ingress_tcp_test"
+ NUM_NETIFS=4
+ source tc_common.sh
+ source lib.sh
+@@ -148,6 +149,52 @@ gact_trap_test()
+ log_test "trap ($tcflags)"
+ }
+
++mirred_egress_to_ingress_tcp_test()
++{
++ local tmpfile=$(mktemp) tmpfile1=$(mktemp)
++
++ RET=0
++ dd conv=sparse status=none if=/dev/zero bs=1M count=2 of=$tmpfile
++ tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \
++ $tcflags ip_proto tcp src_ip 192.0.2.1 dst_ip 192.0.2.2 \
++ action ct commit nat src addr 192.0.2.2 pipe \
++ action ct clear pipe \
++ action ct commit nat dst addr 192.0.2.1 pipe \
++ action ct clear pipe \
++ action skbedit ptype host pipe \
++ action mirred ingress redirect dev $h1
++ tc filter add dev $h1 protocol ip pref 101 handle 101 egress flower \
++ $tcflags ip_proto icmp \
++ action mirred ingress redirect dev $h1 ++ tc filter add dev $h1 protocol ip pref 102 handle 102 ingress flower \ ++ ip_proto icmp \ ++ action drop ++ ++ ip vrf exec v$h1 nc --recv-only -w10 -l -p 12345 -o $tmpfile1 & ++ local rpid=$! ++ ip vrf exec v$h1 nc -w1 --send-only 192.0.2.2 12345 <$tmpfile ++ wait -n $rpid ++ cmp -s $tmpfile $tmpfile1 ++ check_err $? "server output check failed" ++ ++ $MZ $h1 -c 10 -p 64 -a $h1mac -b $h1mac -A 192.0.2.1 -B 192.0.2.1 \ ++ -t icmp "ping,id=42,seq=5" -q ++ tc_check_packets "dev $h1 egress" 101 10 ++ check_err $? "didn't mirred redirect ICMP" ++ tc_check_packets "dev $h1 ingress" 102 10 ++ check_err $? "didn't drop mirred ICMP" ++ local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits) ++ test ${overlimits} = 10 ++ check_err $? "wrong overlimits, expected 10 got ${overlimits}" ++ ++ tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower ++ tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower ++ tc filter del dev $h1 ingress protocol ip pref 102 handle 102 flower ++ ++ rm -f $tmpfile $tmpfile1 ++ log_test "mirred_egress_to_ingress_tcp ($tcflags)" ++} ++ + setup_prepare() + { + h1=${NETIFS[p1]} diff --git a/patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch b/patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch index 37908da..0a68484 100644 --- a/patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch +++ b/patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch @@ -3,7 +3,7 @@ From: Gabriel Krisman Bertazi Date: Mon, 1 May 2023 11:49:09 -0400 Subject: [PATCH] io_uring: prevent race on registering fixed files Patch-mainline: Never, specific to 15SP3 -References: 1210414 CVE-2023-1872 +References: bsc#1210414 CVE-2023-1872 in 5.3, io_sqe_files_unregister is called without holding the io_uring ctx lock when in sqpoll,which means it can race with the io_sqe_files_unregister. This 
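Review bot: In the nested net/sched/act_mirred.c hunk, the new `else if (is_mirred_nested()) err = netif_rx(skb);` branch only reports whether the skb was queued to the backlog, so for nest levels above one the `overlimits` accounting in tcf_mirred_act() cannot see drops that happen later on the ingress path. The companion "better wording" patch in this merge states that the per-CPU counter does not detect loops once a packet goes through the backlog, so the nest limit presumably bounds stack depth only and not a redirect loop that keeps being re-queued. That trade-off belongs next to the helper, for example `/* nested call: defer to the backlog to bound stack depth; loops through the backlog are not counted by mirred_nest_level */` above `is_mirred_nested()`. Because the change comes from v6.3 and lands on a 5.3 base, it is worth confirming that every path into tcf_mirred_forward() runs with bottom halves disabled, since older kernels may expect `netif_rx_ni()` outside that context. tcf_mirred_forward() continues past the end of the nested hunk.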
diff --git a/patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch b/patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch
new file mode 100644
index 0000000..386477f
--- /dev/null
+++ b/patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch
@@ -0,0 +1,81 @@
+From: Davide Caratti
+Date: Fri, 20 Jan 2023 18:01:39 +0100
+Subject: net/sched: act_mirred: better wording on protection against excessive stack growth
+Patch-mainline: v6.3-rc1
+Git-commit: 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f
+References: CVE-2022-4269 bsc#1206024
+
+with commit e2ca070f89ec ("net: sched: protect against stack overflow in
+TC act_mirred"), act_mirred protected itself against excessive stack growth
+using per_cpu counter of nested calls to tcf_mirred_act(), and capping it
+to MIRRED_RECURSION_LIMIT. However, such protection does not detect
+recursion/loops in case the packet is enqueued to the backlog (for example,
+when the mirred target device has RPS or skb timestamping enabled). Change
+the wording from "recursion" to "nesting" to make it more clear to readers.
+
+CC: Jamal Hadi Salim
+Signed-off-by: Davide Caratti
+Reviewed-by: Marcelo Ricardo Leitner
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Paolo Abeni
+Acked-by: Michal Kubecek
+
+---
+ net/sched/act_mirred.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -27,8 +27,8 @@
+ static LIST_HEAD(mirred_list);
+ static DEFINE_SPINLOCK(mirred_list_lock);
+
+-#define MIRRED_RECURSION_LIMIT 4
+-static DEFINE_PER_CPU(unsigned int, mirred_rec_level);
++#define MIRRED_NEST_LIMIT 4
++static DEFINE_PER_CPU(unsigned int, mirred_nest_level);
+
+ static bool tcf_mirred_is_act_redirect(int action)
+ {
+@@ -226,7 +226,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ struct sk_buff *skb2 = skb;
+ bool m_mac_header_xmit;
+ struct net_device *dev;
+- unsigned int rec_level;
++ unsigned int nest_level;
+ int retval, err = 0;
+ bool use_reinsert;
+ bool want_ingress;
+@@ -236,11 +236,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ int mac_len;
+ bool at_nh;
+
+- rec_level = __this_cpu_inc_return(mirred_rec_level);
+- if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) {
++ nest_level = __this_cpu_inc_return(mirred_nest_level);
++ if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
+ net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
+ netdev_name(skb->dev));
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+ return TC_ACT_SHOT;
+ }
+
+@@ -304,7 +304,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ err = tcf_mirred_forward(res->ingress, skb);
+ if (err)
+ tcf_action_inc_overlimit_qstats(&m->common);
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+ return TC_ACT_CONSUMED;
+ }
+ }
+@@ -316,7 +316,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ if (tcf_mirred_is_act_redirect(m_eaction))
+ retval = TC_ACT_SHOT;
+ }
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+
+ return retval;
+ }
diff --git a/patches.suse/net-sched-act_mirred-refactor-the-handle-of-xmit.patch b/patches.suse/net-sched-act_mirred-refactor-the-handle-of-xmit.patch
new file mode 100644
index 0000000..0af2471
--- /dev/null
+++ b/patches.suse/net-sched-act_mirred-refactor-the-handle-of-xmit.patch
@@ -0,0 +1,73 @@
+From: wenxu
+Date: Wed, 25 Nov 2020 12:01:22 +0800
+Subject: net/sched: act_mirred: refactor the handle of xmit
+Patch-mainline: v5.11-rc1
+Git-commit: fa6d639930ee5cd3f932cc314f3407f07a06582d
+References: CVE-2022-4269 bsc#1206024
+
+This one is prepare for the next patch.
+
+Signed-off-by: wenxu
+Signed-off-by: Jakub Kicinski
+Acked-by: Michal Kubecek
+
+---
+ include/net/sch_generic.h | 5 -----
+ net/sched/act_mirred.c | 21 +++++++++++++++------
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1296,9 +1296,4 @@ void mini_qdisc_pair_swap(struct mini_Qdisc_pair *miniqp,
+ void mini_qdisc_pair_init(struct mini_Qdisc_pair *miniqp, struct Qdisc *qdisc,
+ struct mini_Qdisc __rcu **p_miniq);
+
+-static inline int skb_tc_reinsert(struct sk_buff *skb, struct tcf_result *res)
+-{
+- return res->ingress ? netif_receive_skb(skb) : dev_queue_xmit(skb);
+-}
+-
+ #endif
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -207,6 +207,18 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
+ return err;
+ }
+
++static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
++{
++ int err;
++
++ if (!want_ingress)
++ err = dev_queue_xmit(skb);
++ else
++ err = netif_receive_skb(skb);
++
++ return err;
++}
++
+ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ struct tcf_result *res)
+ {
+@@ -291,18 +303,15 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ /* let's the caller reinsert the packet, if possible */
+ if (use_reinsert) {
+ res->ingress = want_ingress;
+- if (skb_tc_reinsert(skb, res))
++ err = tcf_mirred_forward(res->ingress, skb);
++ if (err)
+ tcf_action_inc_overlimit_qstats(&m->common);
+ __this_cpu_dec(mirred_rec_level);
+ return TC_ACT_CONSUMED;
+ }
+ }
+
+- if (!want_ingress)
+- err = dev_queue_xmit(skb2);
+- else
+- err = netif_receive_skb(skb2);
+-
++ err = tcf_mirred_forward(want_ingress, skb2);
+ if (err) {
+ out:
+ tcf_action_inc_overlimit_qstats(&m->common);
diff --git a/patches.suse/netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch b/patches.suse/netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch
new file mode 100644
index 0000000..3d72ddd
--- /dev/null
+++ b/patches.suse/netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch
@@ -0,0 +1,112 @@
+From: Pablo Neira Ayuso
+Date: Tue, 2 May 2023 10:25:24 +0200
+Subject: netfilter: nf_tables: deactivate anonymous set from preparation phase
+Patch-mainline: v6.4-rc1
+Git-commit: c1592a89942e9678f7d9c8030efa777c0d57edab
+References: CVE-2023-32233 bsc#1211043
+
+Toggle deleted anonymous sets as inactive in the next generation, so
+users cannot perform any update on it. Clear the generation bitmask
+in case the transaction is aborted.
+
+The following KASAN splat shows a set element deletion for a bound
+anonymous set that has been already removed in the same transaction.
+
+[ 64.921510] ==================================================================
+[ 64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.924745] Write of size 8 at addr dead000000000122 by task test/890
+[ 64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253
+[ 64.931120] Call Trace:
+[ 64.932699]
+[ 64.934292] dump_stack_lvl+0x33/0x50
+[ 64.935908] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.937551] kasan_report+0xda/0x120
+[ 64.939186] ? nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.940814] nf_tables_commit+0xa24/0x1490 [nf_tables]
+[ 64.942452] ? __kasan_slab_alloc+0x2d/0x60
+[ 64.944070] ? nf_tables_setelem_notify+0x190/0x190 [nf_tables]
+[ 64.945710] ? kasan_set_track+0x21/0x30
+[ 64.947323] nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink]
+[ 64.948898] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
+
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: Michal Kubecek
+
+---
+ include/net/netfilter/nf_tables.h | 1 +
+ net/netfilter/nf_tables_api.c | 12 ++++++++++++
+ net/netfilter/nft_dynset.c | 2 +-
+ net/netfilter/nft_lookup.c | 2 +-
+ net/netfilter/nft_objref.c | 2 +-
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -507,6 +507,7 @@ struct nft_set_binding {
+ };
+
+ enum nft_trans_phase;
++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set);
+ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding,
+ enum nft_trans_phase phase);
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4431,12 +4431,24 @@ static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
+ }
+ }
+
++void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ if (nft_set_is_anonymous(set))
++ nft_clear(ctx->net, set);
++
++ set->use++;
++}
++EXPORT_SYMBOL_GPL(nf_tables_activate_set);
++
+ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding,
+ enum nft_trans_phase phase)
+ {
+ switch (phase) {
+ case NFT_TRANS_PREPARE:
++ if (nft_set_is_anonymous(set))
++ nft_deactivate_next(ctx->net, set);
++
+ set->use--;
+ return;
+ case NFT_TRANS_ABORT:
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -238,7 +238,7 @@ static void nft_dynset_activate(const struct nft_ctx *ctx,
+ {
+ struct nft_dynset *priv = nft_expr_priv(expr);
+
+- priv->set->use++;
++ nf_tables_activate_set(ctx, priv->set);
+ }
+
+ static void nft_dynset_destroy(const struct nft_ctx *ctx,
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -132,7 +132,7 @@ static void nft_lookup_activate(const struct nft_ctx *ctx,
+ {
+ struct nft_lookup *priv = nft_expr_priv(expr);
+
+- priv->set->use++;
++ nf_tables_activate_set(ctx, priv->set);
+ }
+
+ static void nft_lookup_destroy(const struct nft_ctx *ctx,
+--- a/net/netfilter/nft_objref.c
++++ b/net/netfilter/nft_objref.c
+@@ -180,7 +180,7 @@ static void nft_objref_map_activate(const struct nft_ctx *ctx,
+ {
+ struct nft_objref_map *priv = nft_expr_priv(expr);
+
+- priv->set->use++;
++ nf_tables_activate_set(ctx, priv->set);
+ }
+
+ static void nft_objref_map_destroy(const struct nft_ctx *ctx,
diff --git a/patches.suse/timens-Forbid-changing-time-namespace-for-an-io_urin.patch b/patches.suse/timens-Forbid-changing-time-namespace-for-an-io_urin.patch
new file mode 100644
index 0000000..6cc0a41
--- /dev/null
+++ b/patches.suse/timens-Forbid-changing-time-namespace-for-an-io_urin.patch
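Review bot: `nf_tables_activate_set()` in the nested net/netfilter/nf_tables_api.c hunk is exported without a comment saying it is the counterpart of the `NFT_TRANS_PREPARE` case of `nf_tables_deactivate_set()`, and the fix relies on that pairing: prepare now calls `nft_deactivate_next()` for anonymous sets and only this helper calls `nft_clear()` to undo it. A short kernel-doc block above the definition, stating that expression activate callbacks must call it instead of adjusting `set->use` directly, would make the contract visible to the next backporter. The hunks convert nft_dynset.c, nft_lookup.c and nft_objref.c; any other `priv->set->use++` in an activate path of the 5.3 tree (not visible here) would presumably leave an anonymous set marked inactive after an abort and should be checked. `set->use` remains a plain counter changed in both directions without a range check. The `NFT_TRANS_ABORT` case and the rest of nf_tables_deactivate_set() lie outside the hunk.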
@@ -0,0 +1,83 @@
+From 9e9e8c54554066d4ba4bf1eeaba9a3b98c480cc8 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi
+Date: Mon, 1 May 2023 23:19:53 -0400
+Subject: [PATCH] timens: Forbid changing time namespace for an io_uring
+ process
+Patch-mainline: Never, specific to 15SP3
+References: bsc#1208474 CVE-2023-23586
+
+Even if single-threaded from a userspace point of view, io-uring applications
+spawn kernelspace workers that partially share mm_struct with the original task.
+
+Allowing the time namespace to be changed for such tasks open doors for
+race-conditions that can leak kernel memory. Newer kernels already fix this by
+completely reworking the way io-workers work that avoid the shared mm issue, but
+older kernels are still vulnerable. This patch avoids the issue by preventing
+time namespaces from being set when a task has created io-workers.
+
+Signed-off-by: Gabriel Krisman Bertazi
+---
+ fs/io_uring.c | 13 +++++++++++++
+ include/linux/sched/task.h | 9 +++++++++
+ lib/is_single_threaded.c | 3 +++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 66d3a2420aaf..6e0cd421aaee 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2440,6 +2440,19 @@ static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
+ return submitted;
+ }
+
++static int __io_uring_fd(const void *arg, struct file *file,
++ unsigned int fd)
++{
++ return file->f_op == &io_uring_fops;
++}
++
++bool current_has_io_workers(void)
++{
++ if (iterate_fd(current->files, 0, __io_uring_fd, NULL))
++ return true;
++ return false;
++}
++
+ static int io_sq_thread(void *data)
+ {
+ struct io_ring_ctx *ctx = data;
+diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h
+index f1879884238e..4569dd5c2054 100644
+--- a/include/linux/sched/task.h
++++ b/include/linux/sched/task.h
+@@ -176,4 +176,13 @@ static inline void task_unlock(struct task_struct *p)
+ spin_unlock(&p->alloc_lock);
+ }
+
++#if defined(CONFIG_IO_URING)
++extern bool current_has_io_workers(void);
++#else
++static inline bool current_has_io_workers(void)
++{
++ return false;
++}
++#endif
++
+ #endif /* _LINUX_SCHED_TASK_H */
+diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
+index 8c98b20bfc41..9717ff883497 100644
+--- a/lib/is_single_threaded.c
++++ b/lib/is_single_threaded.c
+@@ -22,6 +22,9 @@ bool current_is_single_threaded(void)
+ if (atomic_read(&task->signal->live) != 1)
+ return false;
+
++ if (current_has_io_workers())
++ return false;
++
+ if (atomic_read(&mm->mm_users) == 1)
+ return true;
+
+--
+2.40.1
+
diff --git a/series.conf b/series.conf
index 29d3a58..2a55ec0 100644
--- a/series.conf
+++ b/series.conf
@@ -18027,6 +18027,7 @@
 patches.suse/ibmvnic-Correctly-re-enable-interrupts-in-NAPI-polli.patch
 patches.suse/ibmvnic-Use-netdev_alloc_skb-instead-of-alloc_skb-to.patch
 patches.suse/ibmvnic-Do-not-replenish-RX-buffers-after-every-poll.patch
+ patches.suse/net-sched-act_mirred-refactor-the-handle-of-xmit.patch
 patches.suse/samples-bpf-Refactor-test_cgrp2_sock2-program-with-l.patch
 patches.suse/bpf-fix-bpf_put_raw_tracepoint-s-use-of-_module_address.patch
 patches.suse/selftests-bpf-Fix-invalid-use-of-strncat-in-test_soc.patch
@@ -23385,6 +23386,8 @@
 patches.suse/net-sched-tcindex-update-imperfect-hash-filters-resp.patch
 patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
 patches.suse/0001-kvm-initialize-all-of-the-kvm_debugregs-structure-be.patch
+ patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch
+ patches.suse/act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch
 patches.suse/net-add-sock_init_data_uid.patch
 patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch
 patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch
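Review bot: `current_has_io_workers()` in the nested fs/io_uring.c hunk does not look at workers at all: it returns true when `iterate_fd()` finds a file in `current->files` whose `f_op` is `&io_uring_fops`, while the description says the restriction applies when a task has created io-workers. Whether kernel workers sharing the mm can outlive the descriptor's presence in the caller's fd table depends on ring teardown code outside this patch, so the two conditions are presumably not equivalent and the gap should be confirmed or closed. The check is also placed in `current_is_single_threaded()`, so every caller of that helper, not only the namespace path named in the subject, now gets false for a process that merely has an io_uring descriptor open. A comment such as `/* true if current's fd table holds an io_uring fd; proxy for "may have kernel io workers" */` would state the approximation, and the body can be reduced to `return iterate_fd(current->files, 0, __io_uring_fd, NULL) != 0;`.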
@@ -23407,6 +23410,7 @@ patches.suse/cifs-fix-negotiate-context-parsing.patch patches.suse/0001-wifi-brcmfmac-slab-out-of-bounds-read-in-brcmf_get_a.patch patches.suse/xfs-verify-buffer-contents-when-we-skip-log-replay.patch + patches.suse/netfilter-nf_tables-deactivate-anonymous-set-from-pr.patch ######################################################## # end of sorted patches @@ -23603,6 +23607,7 @@ patches.suse/io_uring-Fix-current-fs-handling-in-io_sq_wq_submit_.patch patches.suse/io_uring-disable-polling-signalfd-pollfree-files.patch patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch + patches.suse/timens-Forbid-changing-time-namespace-for-an-io_urin.patch ######################################################## # Block layer