From: Greg Kroah-Hartman Date: Sat, 12 Aug 2023 18:04:42 +0000 (+0200) Subject: 6.4-stable patches X-Git-Tag: v4.14.323~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82505e950abde3cf83f49d219448e85465947d44;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch net-tls-avoid-discarding-data-on-record-close.patch rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch rdma-umem-set-iova-in-odp-flow.patch --- diff --git a/queue-6.4/net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch b/queue-6.4/net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch new file mode 100644 index 00000000000..284ac104386 --- /dev/null +++ b/queue-6.4/net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch @@ -0,0 +1,160 @@ +From 2aa71b4b294ee2c3041d085404cea914be9b3225 Mon Sep 17 00:00:00 2001 +From: Jonas Gorski +Date: Fri, 4 Aug 2023 12:12:20 +0200 +Subject: net: marvell: prestera: fix handling IPv4 routes with nhid + +From: Jonas Gorski + +commit 2aa71b4b294ee2c3041d085404cea914be9b3225 upstream. + +Fix handling IPv4 routes referencing a nexthop via its id by replacing +calls to fib_info_nh() with fib_info_nhc(). + +Trying to add an IPv4 route referencing a nextop via nhid: + + $ ip link set up swp5 + $ ip a a 10.0.0.1/24 dev swp5 + $ ip nexthop add dev swp5 id 20 via 10.0.0.2 + $ ip route add 10.0.1.0/24 nhid 20 + +triggers warnings when trying to handle the route: + +[ 528.805763] ------------[ cut here ]------------ +[ 528.810437] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera] +[ 528.820434] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci] +[ 528.837485] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G O 6.4.5 #1 +[ 528.845178] Hardware name: delta,tn48m-dn (DT) +[ 528.849641] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera] +[ 528.857352] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 528.864347] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera] +[ 528.870135] lr : prestera_k_arb_fib_evt+0xb20/0xd50 [prestera] +[ 528.876007] sp : ffff80000b20bc90 +[ 528.879336] x29: ffff80000b20bc90 x28: 0000000000000000 x27: ffff0001374d3a48 +[ 528.886510] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800 +[ 528.893683] x23: ffff000101c89148 x22: ffff000101c89000 x21: ffff000101c89200 +[ 528.900855] x20: ffff00013641fda0 x19: ffff800009d01088 x18: 0000000000000059 +[ 528.908027] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000 +[ 528.915198] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000 +[ 528.922371] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013d2020 +[ 528.929543] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 000000001ca72f86 +[ 528.936715] x5 : 0000000033399ea7 x4 : 0000000000000000 x3 : ffff0001374d3acc +[ 528.943886] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80 +[ 528.951058] Call trace: +[ 528.953516] __prestera_fi_is_direct+0x2c/0x68 [prestera] +[ 528.958952] __prestera_router_fib_event_work+0x100/0x158 [prestera] +[ 528.965348] process_one_work+0x208/0x488 +[ 528.969387] worker_thread+0x4c/0x430 +[ 528.973068] kthread+0x120/0x138 +[ 528.976313] ret_from_fork+0x10/0x20 +[ 528.979909] ---[ end trace 0000000000000000 ]--- +[ 528.984998] ------------[ cut here ]------------ +[ 528.989645] WARNING: CPU: 3 PID: 53 at include/net/nexthop.h:468 __prestera_fi_is_direct+0x2c/0x68 [prestera] +[ 528.999628] Modules linked in: prestera_pci act_gact act_police sch_ingress cls_u32 cls_flower prestera arm64_delta_tn48m_dn_led(O) arm64_delta_tn48m_dn_cpld(O) [last unloaded: prestera_pci] +[ 529.016676] CPU: 3 PID: 53 Comm: kworker/u8:3 Tainted: G W O 6.4.5 #1 +[ 529.024368] Hardware name: delta,tn48m-dn (DT) +[ 529.028830] Workqueue: prestera_ordered __prestera_router_fib_event_work [prestera] +[ 529.036539] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 529.043533] pc : __prestera_fi_is_direct+0x2c/0x68 [prestera] +[ 529.049318] lr : __prestera_k_arb_fc_apply+0x280/0x2f8 [prestera] +[ 529.055452] sp : ffff80000b20bc60 +[ 529.058781] x29: ffff80000b20bc60 x28: 0000000000000000 x27: ffff0001374d3a48 +[ 529.065953] x26: ffff000105604000 x25: ffff000134af8a28 x24: ffff0001374d3800 +[ 529.073126] x23: ffff000101c89148 x22: ffff000101c89148 x21: ffff00013641fda0 +[ 529.080299] x20: ffff000101c89000 x19: ffff000101c89020 x18: 0000000000000059 +[ 529.087471] x17: 0000000000000277 x16: 0000000000000000 x15: 0000000000000000 +[ 529.094642] x14: 0000000000000003 x13: 00000000000fe400 x12: 0000000000000000 +[ 529.101814] x11: 0000000000000002 x10: 0000000000000aa0 x9 : ffff8000013cee80 +[ 529.108985] x8 : 0000000000000018 x7 : 000000007b1703f8 x6 : 0000000000000018 +[ 529.116157] x5 : 00000000d3497eb6 x4 : ffff000105604081 x3 : 000000008e979557 +[ 529.123329] x2 : 0000000000000000 x1 : ffff00010200de00 x0 : ffff000134ae3f80 +[ 529.130501] Call trace: +[ 529.132958] __prestera_fi_is_direct+0x2c/0x68 [prestera] +[ 529.138394] prestera_k_arb_fib_evt+0x6b8/0xd50 [prestera] +[ 529.143918] __prestera_router_fib_event_work+0x100/0x158 [prestera] +[ 529.150313] process_one_work+0x208/0x488 +[ 529.154348] worker_thread+0x4c/0x430 +[ 529.158030] kthread+0x120/0x138 +[ 529.161274] ret_from_fork+0x10/0x20 +[ 529.164867] ---[ end trace 0000000000000000 ]--- + +and results in a non offloaded route: + + $ ip route + 10.0.0.0/24 dev swp5 proto kernel scope link src 10.0.0.1 rt_trap + 10.0.1.0/24 nhid 20 via 10.0.0.2 dev swp5 rt_trap + +When creating a route referencing a nexthop via its ID, the nexthop will +be stored in a separate nh pointer instead of the array of nexthops in +the fib_info struct. This causes issues since fib_info_nh() only handles +the nexthops array, but not the separate nh pointer, and will loudly +WARN about it. + +In contrast fib_info_nhc() handles both, but returns a fib_nh_common +pointer instead of a fib_nh pointer. Luckily we only ever access fields +from the fib_nh_common parts, so we can just replace all instances of +fib_info_nh() with fib_info_nhc() and access the fields via their +fib_nh_common names. + +This allows handling IPv4 routes with an external nexthop, and they now +get offloaded as expected: + + $ ip route + 10.0.0.0/24 dev swp5 proto kernel scope link src 10.0.0.1 rt_trap + 10.0.1.0/24 nhid 20 via 10.0.0.2 dev swp5 offload rt_offload + +Fixes: 396b80cb5cc8 ("net: marvell: prestera: Add neighbour cache accounting") +Signed-off-by: Jonas Gorski +Acked-by: Elad Nachman +Link: https://lore.kernel.org/r/20230804101220.247515-1-jonas.gorski@bisdn.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/prestera/prestera_router.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/marvell/prestera/prestera_router.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_router.c +@@ -166,11 +166,11 @@ prestera_util_neigh2nc_key(struct preste + + static bool __prestera_fi_is_direct(struct fib_info *fi) + { +- struct fib_nh *fib_nh; ++ struct fib_nh_common *fib_nhc; + + if (fib_info_num_path(fi) == 1) { +- fib_nh = fib_info_nh(fi, 0); +- if (fib_nh->fib_nh_gw_family == AF_UNSPEC) ++ fib_nhc = fib_info_nhc(fi, 0); ++ if (fib_nhc->nhc_gw_family == AF_UNSPEC) + return true; + } + +@@ -261,7 +261,7 @@ static bool + __prestera_util_kern_n_is_reachable_v4(u32 tb_id, __be32 *addr, + struct net_device *dev) + { +- struct fib_nh *fib_nh; ++ struct fib_nh_common *fib_nhc; + struct fib_result res; + bool reachable; + +@@ -269,8 +269,8 @@ __prestera_util_kern_n_is_reachable_v4(u + + if (!prestera_util_kern_get_route(&res, tb_id, addr)) + if (prestera_fi_is_direct(res.fi)) { +- fib_nh = fib_info_nh(res.fi, 0); +- if (dev == fib_nh->fib_nh_dev) ++ fib_nhc = fib_info_nhc(res.fi, 0); ++ if (dev == fib_nhc->nhc_dev) + reachable = true; + } + +@@ -324,7 +324,7 @@ prestera_kern_fib_info_nhc(struct fib_no + if (info->family == AF_INET) { + fen4_info = container_of(info, struct fib_entry_notifier_info, + info); +- return &fib_info_nh(fen4_info->fi, n)->nh_common; ++ return fib_info_nhc(fen4_info->fi, n); + } else if (info->family == AF_INET6) { + fen6_info = container_of(info, struct fib6_entry_notifier_info, + info); diff --git a/queue-6.4/net-tls-avoid-discarding-data-on-record-close.patch b/queue-6.4/net-tls-avoid-discarding-data-on-record-close.patch new file mode 100644 index 00000000000..a6c3e220f1f --- /dev/null +++ b/queue-6.4/net-tls-avoid-discarding-data-on-record-close.patch @@ -0,0 +1,161 @@ +From 6b47808f223c70ff564f9b363446d2a5fa1e05b2 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski +Date: Fri, 4 Aug 2023 15:59:51 -0700 +Subject: net: tls: avoid discarding data on record close + +From: Jakub Kicinski + +commit 6b47808f223c70ff564f9b363446d2a5fa1e05b2 upstream. + +TLS records end with a 16B tag. For TLS device offload we only +need to make space for this tag in the stream, the device will +generate and replace it with the actual calculated tag. + +Long time ago the code would just re-reference the head frag +which mostly worked but was suboptimal because it prevented TCP +from combining the record into a single skb frag. I'm not sure +if it was correct as the first frag may be shorter than the tag. + +The commit under fixes tried to replace that with using the page +frag and if the allocation failed rolling back the data, if record +was long enough. It achieves better fragment coalescing but is +also buggy. + +We don't roll back the iterator, so unless we're at the end of +send we'll skip the data we designated as tag and start the +next record as if the rollback never happened. +There's also the possibility that the record was constructed +with MSG_MORE and the data came from a different syscall and +we already told the user space that we "got it". + +Allocate a single dummy page and use it as fallback. + +Found by code inspection, and proven by forcing allocation +failures. + +Fixes: e7b159a48ba6 ("net/tls: remove the record tail optimization") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_device.c | 64 ++++++++++++++++++++++++++------------------------- + 1 file changed, 33 insertions(+), 31 deletions(-) + +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -52,6 +52,8 @@ static LIST_HEAD(tls_device_list); + static LIST_HEAD(tls_device_down_list); + static DEFINE_SPINLOCK(tls_device_lock); + ++static struct page *dummy_page; ++ + static void tls_device_free_ctx(struct tls_context *ctx) + { + if (ctx->tx_conf == TLS_HW) { +@@ -313,36 +315,33 @@ static int tls_push_record(struct sock * + return tls_push_sg(sk, ctx, offload_ctx->sg_tx_data, 0, flags); + } + +-static int tls_device_record_close(struct sock *sk, +- struct tls_context *ctx, +- struct tls_record_info *record, +- struct page_frag *pfrag, +- unsigned char record_type) ++static void tls_device_record_close(struct sock *sk, ++ struct tls_context *ctx, ++ struct tls_record_info *record, ++ struct page_frag *pfrag, ++ unsigned char record_type) + { + struct tls_prot_info *prot = &ctx->prot_info; +- int ret; ++ struct page_frag dummy_tag_frag; + + /* append tag + * device will fill in the tag, we just need to append a placeholder + * use socket memory to improve coalescing (re-using a single buffer + * increases frag count) +- * if we can't allocate memory now, steal some back from data ++ * if we can't allocate memory now use the dummy page + */ +- if (likely(skb_page_frag_refill(prot->tag_size, pfrag, +- sk->sk_allocation))) { +- ret = 0; +- tls_append_frag(record, pfrag, prot->tag_size); +- } else { +- ret = prot->tag_size; +- if (record->len <= prot->overhead_size) +- return -ENOMEM; ++ if (unlikely(pfrag->size - pfrag->offset < prot->tag_size) && ++ !skb_page_frag_refill(prot->tag_size, pfrag, sk->sk_allocation)) { ++ dummy_tag_frag.page = dummy_page; ++ dummy_tag_frag.offset = 0; ++ pfrag = &dummy_tag_frag; + } ++ tls_append_frag(record, pfrag, prot->tag_size); + + /* fill prepend */ + tls_fill_prepend(ctx, skb_frag_address(&record->frags[0]), + record->len - prot->overhead_size, + record_type); +- return ret; + } + + static int tls_create_new_record(struct tls_offload_context_tx *offload_ctx, +@@ -535,18 +534,8 @@ last_record: + + if (done || record->len >= max_open_record_len || + (record->num_frags >= MAX_SKB_FRAGS - 1)) { +- rc = tls_device_record_close(sk, tls_ctx, record, +- pfrag, record_type); +- if (rc) { +- if (rc > 0) { +- size += rc; +- } else { +- size = orig_size; +- destroy_record(record); +- ctx->open_record = NULL; +- break; +- } +- } ++ tls_device_record_close(sk, tls_ctx, record, ++ pfrag, record_type); + + rc = tls_push_record(sk, + tls_ctx, +@@ -1466,14 +1455,26 @@ int __init tls_device_init(void) + { + int err; + +- destruct_wq = alloc_workqueue("ktls_device_destruct", 0, 0); +- if (!destruct_wq) ++ dummy_page = alloc_page(GFP_KERNEL); ++ if (!dummy_page) + return -ENOMEM; + ++ destruct_wq = alloc_workqueue("ktls_device_destruct", 0, 0); ++ if (!destruct_wq) { ++ err = -ENOMEM; ++ goto err_free_dummy; ++ } ++ + err = register_netdevice_notifier(&tls_dev_notifier); + if (err) +- destroy_workqueue(destruct_wq); ++ goto err_destroy_wq; + ++ return 0; ++ ++err_destroy_wq: ++ destroy_workqueue(destruct_wq); ++err_free_dummy: ++ put_page(dummy_page); + return err; + } + +@@ -1482,4 +1483,5 @@ void __exit tls_device_cleanup(void) + unregister_netdevice_notifier(&tls_dev_notifier); + destroy_workqueue(destruct_wq); + clean_acked_data_flush(); ++ put_page(dummy_page); + } diff --git a/queue-6.4/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch b/queue-6.4/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch new file mode 100644 index 00000000000..a3ab7be5788 --- /dev/null +++ b/queue-6.4/rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch @@ -0,0 +1,33 @@ +From 5ac8480ae4d01f0ca5dfd561884424046df2478a Mon Sep 17 00:00:00 2001 +From: Kalesh AP +Date: Wed, 9 Aug 2023 21:44:36 -0700 +Subject: RDMA/bnxt_re: Fix error handling in probe failure path + +From: Kalesh AP + +commit 5ac8480ae4d01f0ca5dfd561884424046df2478a upstream. + +During bnxt_re_dev_init(), when bnxt_re_setup_chip_ctx() fails unregister +with L2 first before bailing out probe. + +Fixes: ae8637e13185 ("RDMA/bnxt_re: Add chip context to identify 57500 series") +Link: https://lore.kernel.org/r/1691642677-21369-3-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1152,6 +1152,8 @@ static int bnxt_re_dev_init(struct bnxt_ + + rc = bnxt_re_setup_chip_ctx(rdev, wqe_mode); + if (rc) { ++ bnxt_unregister_dev(rdev->en_dev); ++ clear_bit(BNXT_RE_FLAG_NETDEV_REGISTERED, &rdev->flags); + ibdev_err(&rdev->ibdev, "Failed to get chip context\n"); + return -EINVAL; + } diff --git a/queue-6.4/rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch b/queue-6.4/rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch new file mode 100644 index 00000000000..3896666b26c --- /dev/null +++ b/queue-6.4/rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch @@ -0,0 +1,33 @@ +From 5363fc488da579923edf6a2fdca3d3b651dd800b Mon Sep 17 00:00:00 2001 +From: Selvin Xavier +Date: Wed, 9 Aug 2023 21:44:35 -0700 +Subject: RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF + +From: Selvin Xavier + +commit 5363fc488da579923edf6a2fdca3d3b651dd800b upstream. + +ib_dealloc_device() should be called only after device cleanup. Fix the +dealloc sequence. + +Fixes: 6d758147c7b8 ("RDMA/bnxt_re: Use auxiliary driver interface") +Link: https://lore.kernel.org/r/1691642677-21369-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1425,8 +1425,8 @@ static void bnxt_re_remove(struct auxili + } + bnxt_re_setup_cc(rdev, false); + ib_unregister_device(&rdev->ibdev); +- ib_dealloc_device(&rdev->ibdev); + bnxt_re_dev_uninit(rdev); ++ ib_dealloc_device(&rdev->ibdev); + skip_remove: + mutex_unlock(&bnxt_re_mutex); + } diff --git a/queue-6.4/rdma-umem-set-iova-in-odp-flow.patch b/queue-6.4/rdma-umem-set-iova-in-odp-flow.patch new file mode 100644 index 00000000000..c56a5467d8c --- /dev/null +++ b/queue-6.4/rdma-umem-set-iova-in-odp-flow.patch @@ -0,0 +1,63 @@ +From 186b169cf1e4be85aa212a893ea783a543400979 Mon Sep 17 00:00:00 2001 +From: Michael Guralnik +Date: Wed, 19 Jul 2023 12:02:41 +0300 +Subject: RDMA/umem: Set iova in ODP flow + +From: Michael Guralnik + +commit 186b169cf1e4be85aa212a893ea783a543400979 upstream. + +Fixing the ODP registration flow to set the iova correctly. +The calculation in ib_umem_num_dma_blocks() function assumes the iova of +the umem is set correctly. + +When iova is not set, the calculation in ib_umem_num_dma_blocks() is +equivalent to length/page_size, which is true only when memory is aligned. +For unaligned memory, iova must be set for the ALIGN() in the +ib_umem_num_dma_blocks() to take effect and return a correct value. + +mlx5_ib uses ib_umem_num_dma_blocks() to decide the mkey size to use for +the MR. Without this fix, when registering unaligned ODP MR, a wrong +size mkey might be chosen and this might cause the UMR to fail. + +UMR would fail over insufficient size to update the mkey translation: +infiniband mlx5_0: dump_cqe:273:(pid 0): dump error cqe +00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00000030: 00 00 00 00 0f 00 78 06 25 00 00 58 00 da ac d2 +infiniband mlx5_0: mlx5_ib_post_send_wait:806:(pid 20311): reg umr +failed (6) +infiniband mlx5_0: pagefault_real_mr:661:(pid 20311): Failed to update +mkey page tables + +Fixes: f0093fb1a7cb ("RDMA/mlx5: Move mlx5_ib_cont_pages() to the creation of the mlx5_ib_mr") +Fixes: a665aca89a41 ("RDMA/umem: Split ib_umem_num_pages() into ib_umem_num_dma_blocks()") +Signed-off-by: Artemy Kovalyov +Signed-off-by: Michael Guralnik +Link: https://lore.kernel.org/r/3d4be7ca2155bf239dd8c00a2d25974a92c26ab8.1689757344.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/umem.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -85,6 +85,8 @@ unsigned long ib_umem_find_best_pgsz(str + dma_addr_t mask; + int i; + ++ umem->iova = va = virt; ++ + if (umem->is_odp) { + unsigned int page_size = BIT(to_ib_umem_odp(umem)->page_shift); + +@@ -100,7 +102,6 @@ unsigned long ib_umem_find_best_pgsz(str + */ + pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT); + +- umem->iova = va = virt; + /* The best result is the smallest page size that results in the minimum + * number of required pages. Compute the largest page size that could + * work based on VA address bits that don't change. diff --git a/queue-6.4/series b/queue-6.4/series index 861a3c29b1c..8307624ec33 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -147,3 +147,8 @@ drm-nouveau-remove-unused-tu102_gr_load-function.patch drm-rockchip-don-t-spam-logs-in-atomic-check.patch wifi-brcm80211-handle-params_v1-allocation-failure.patch wifi-cfg80211-fix-sband-iftype-data-lookup-for-ap_vlan.patch +rdma-umem-set-iova-in-odp-flow.patch +rdma-bnxt_re-properly-order-ib_device_unalloc-to-avoid-uaf.patch +rdma-bnxt_re-fix-error-handling-in-probe-failure-path.patch +net-tls-avoid-discarding-data-on-record-close.patch +net-marvell-prestera-fix-handling-ipv4-routes-with-nhid.patch