From: Greg Kroah-Hartman Date: Fri, 18 Feb 2022 14:56:03 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.9.303~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2d26f5c6a4a5980e2f92c4eb4a4a47b4c372a5d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bonding-fix-data-races-around-agg_select_timer.patch bonding-force-carrier-update-when-releasing-slave.patch dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch ipv6-per-netns-exclusive-flowlabel-checks.patch iwlwifi-pcie-fix-locking-when-hw-not-ready.patch iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch libsubcmd-fix-use-after-free-for-realloc-...-0.patch net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch net-dsa-lan9303-add-vlan-ids-to-master-device.patch net-dsa-lan9303-fix-reset-on-probe.patch net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch net-ieee802154-ca8210-fix-lifs-sifs-periods.patch net_sched-add-__rcu-annotation-to-netdev-qdisc.patch netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch selftests-exec-add-non-regular-to-test_gen_progs.patch selftests-netfilter-fix-exit-value-for-nft_concat_range.patch --- diff --git a/queue-5.10/bonding-fix-data-races-around-agg_select_timer.patch b/queue-5.10/bonding-fix-data-races-around-agg_select_timer.patch new file mode 100644 index 00000000000..02b016d57f2 --- /dev/null +++ b/queue-5.10/bonding-fix-data-races-around-agg_select_timer.patch @@ -0,0 +1,138 @@ +From 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 14 Feb 2022 11:15:53 -0800 +Subject: bonding: fix data-races around agg_select_timer + +From: Eric Dumazet + +commit 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 upstream. + +syzbot reported that two threads might write over agg_select_timer +at the same time. Make agg_select_timer atomic to fix the races. + +BUG: KCSAN: data-race in bond_3ad_initiate_agg_selection / bond_3ad_state_machine_handler + +read to 0xffff8881242aea90 of 4 bytes by task 1846 on cpu 1: + bond_3ad_state_machine_handler+0x99/0x2810 drivers/net/bonding/bond_3ad.c:2317 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +write to 0xffff8881242aea90 of 4 bytes by task 25910 on cpu 0: + bond_3ad_initiate_agg_selection+0x18/0x30 drivers/net/bonding/bond_3ad.c:1998 + bond_open+0x658/0x6f0 drivers/net/bonding/bond_main.c:3967 + __dev_open+0x274/0x3a0 net/core/dev.c:1407 + dev_open+0x54/0x190 net/core/dev.c:1443 + bond_enslave+0xcef/0x3000 drivers/net/bonding/bond_main.c:1937 + do_set_master net/core/rtnetlink.c:2532 [inline] + do_setlink+0x94f/0x2500 net/core/rtnetlink.c:2736 + __rtnl_newlink net/core/rtnetlink.c:3414 [inline] + rtnl_newlink+0xfeb/0x13e0 net/core/rtnetlink.c:3529 + rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x00000050 -> 0x0000004f + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 25910 Comm: syz-executor.1 Tainted: G W 5.17.0-rc4-syzkaller-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_3ad.c | 30 +++++++++++++++++++++++++----- + include/net/bond_3ad.h | 2 +- + 2 files changed, 26 insertions(+), 6 deletions(-) + +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -223,7 +223,7 @@ static inline int __check_agg_selection_ + if (bond == NULL) + return 0; + +- return BOND_AD_INFO(bond).agg_select_timer ? 1 : 0; ++ return atomic_read(&BOND_AD_INFO(bond).agg_select_timer) ? 1 : 0; + } + + /** +@@ -1976,7 +1976,7 @@ static void ad_marker_response_received( + */ + void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout) + { +- BOND_AD_INFO(bond).agg_select_timer = timeout; ++ atomic_set(&BOND_AD_INFO(bond).agg_select_timer, timeout); + } + + /** +@@ -2260,6 +2260,28 @@ void bond_3ad_update_ad_actor_settings(s + } + + /** ++ * bond_agg_timer_advance - advance agg_select_timer ++ * @bond: bonding structure ++ * ++ * Return true when agg_select_timer reaches 0. ++ */ ++static bool bond_agg_timer_advance(struct bonding *bond) ++{ ++ int val, nval; ++ ++ while (1) { ++ val = atomic_read(&BOND_AD_INFO(bond).agg_select_timer); ++ if (!val) ++ return false; ++ nval = val - 1; ++ if (atomic_cmpxchg(&BOND_AD_INFO(bond).agg_select_timer, ++ val, nval) == val) ++ break; ++ } ++ return nval == 0; ++} ++ ++/** + * bond_3ad_state_machine_handler - handle state machines timeout + * @work: work context to fetch bonding struct to work on from + * +@@ -2294,9 +2316,7 @@ void bond_3ad_state_machine_handler(stru + if (!bond_has_slaves(bond)) + goto re_arm; + +- /* check if agg_select_timer timer after initialize is timed out */ +- if (BOND_AD_INFO(bond).agg_select_timer && +- !(--BOND_AD_INFO(bond).agg_select_timer)) { ++ if (bond_agg_timer_advance(bond)) { + slave = bond_first_slave_rcu(bond); + port = slave ? &(SLAVE_AD_INFO(slave)->port) : NULL; + +--- a/include/net/bond_3ad.h ++++ b/include/net/bond_3ad.h +@@ -262,7 +262,7 @@ struct ad_system { + struct ad_bond_info { + struct ad_system system; /* 802.3ad system structure */ + struct bond_3ad_stats stats; +- u32 agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */ ++ atomic_t agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */ + u16 aggregator_identifier; + }; + diff --git a/queue-5.10/bonding-force-carrier-update-when-releasing-slave.patch b/queue-5.10/bonding-force-carrier-update-when-releasing-slave.patch new file mode 100644 index 00000000000..a9d66cc4615 --- /dev/null +++ b/queue-5.10/bonding-force-carrier-update-when-releasing-slave.patch @@ -0,0 +1,49 @@ +From a6ab75cec1e461f8a35559054c146c21428430b8 Mon Sep 17 00:00:00 2001 +From: Zhang Changzhong +Date: Wed, 16 Feb 2022 22:18:08 +0800 +Subject: bonding: force carrier update when releasing slave + +From: Zhang Changzhong + +commit a6ab75cec1e461f8a35559054c146c21428430b8 upstream. + +In __bond_release_one(), bond_set_carrier() is only called when bond +device has no slave. Therefore, if we remove the up slave from a master +with two slaves and keep the down slave, the master will remain up. + +Fix this by moving bond_set_carrier() out of if (!bond_has_slaves(bond)) +statement. + +Reproducer: +$ insmod bonding.ko mode=0 miimon=100 max_bonds=2 +$ ifconfig bond0 up +$ ifenslave bond0 eth0 eth1 +$ ifconfig eth0 down +$ ifenslave -d bond0 eth1 +$ cat /proc/net/bonding/bond0 + +Fixes: ff59c4563a8d ("[PATCH] bonding: support carrier state for master") +Signed-off-by: Zhang Changzhong +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/1645021088-38370-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2272,10 +2272,9 @@ static int __bond_release_one(struct net + bond_select_active_slave(bond); + } + +- if (!bond_has_slaves(bond)) { +- bond_set_carrier(bond); ++ bond_set_carrier(bond); ++ if (!bond_has_slaves(bond)) + eth_hw_addr_random(bond_dev); +- } + + unblock_netpoll_tx(); + synchronize_rcu(); diff --git a/queue-5.10/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch b/queue-5.10/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch new file mode 100644 index 00000000000..ac0ca16323d --- /dev/null +++ b/queue-5.10/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch @@ -0,0 +1,37 @@ +From 07dd44852be89386ab12210df90a2d78779f3bff Mon Sep 17 00:00:00 2001 +From: Radu Bulie +Date: Mon, 14 Feb 2022 19:45:34 +0200 +Subject: dpaa2-eth: Initialize mutex used in one step timestamping path + +From: Radu Bulie + +commit 07dd44852be89386ab12210df90a2d78779f3bff upstream. + +1588 Single Step Timestamping code path uses a mutex to +enforce atomicity for two events: +- update of ptp single step register +- transmit ptp event packet + +Before this patch the mutex was not initialized. This +caused unexpected crashes in the Tx function. + +Fixes: c55211892f463 ("dpaa2-eth: support PTP Sync packet one-step timestamping") +Signed-off-by: Radu Bulie +Reviewed-by: Ioana Ciornei +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -4225,7 +4225,7 @@ static int dpaa2_eth_probe(struct fsl_mc + } + + INIT_WORK(&priv->tx_onestep_tstamp, dpaa2_eth_tx_onestep_tstamp); +- ++ mutex_init(&priv->onestep_tstamp_lock); + skb_queue_head_init(&priv->tx_skbs); + + /* Obtain a MC portal */ diff --git a/queue-5.10/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch b/queue-5.10/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch new file mode 100644 index 00000000000..3a049de14d6 --- /dev/null +++ b/queue-5.10/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch @@ -0,0 +1,33 @@ +From d72d69abfdb6e0375981cfdda8eb45143f12c77d Mon Sep 17 00:00:00 2001 +From: Siva Mullati +Date: Fri, 7 Jan 2022 15:22:35 +0530 +Subject: drm/i915/gvt: Make DRM_I915_GVT depend on X86 + +From: Siva Mullati + +commit d72d69abfdb6e0375981cfdda8eb45143f12c77d upstream. + +GVT is not supported on non-x86 platforms, So add +dependency of X86 on config parameter DRM_I915_GVT. + +Fixes: 0ad35fed618c ("drm/i915: gvt: Introduce the basic architecture of GVT-g") +Signed-off-by: Siva Mullati +Signed-off-by: Zhi Wang +Link: http://patchwork.freedesktop.org/patch/msgid/20220107095235.243448-1-siva.mullati@intel.com +Reviewed-by: Zhi Wang +Signed-off-by: Zhi Wang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/Kconfig ++++ b/drivers/gpu/drm/i915/Kconfig +@@ -100,6 +100,7 @@ config DRM_I915_USERPTR + config DRM_I915_GVT + bool "Enable Intel GVT-g graphics virtualization host support" + depends on DRM_I915 ++ depends on X86 + depends on 64BIT + default n + help diff --git a/queue-5.10/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch b/queue-5.10/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch new file mode 100644 index 00000000000..a26f8847c4d --- /dev/null +++ b/queue-5.10/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch @@ -0,0 +1,103 @@ +From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 10 Feb 2022 09:13:31 -0800 +Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit + +From: Eric Dumazet + +commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream. + +trace_napi_poll_hit() is reading stat->dev while another thread can write +on it from dropmon_net_event() + +Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already, +we only have to take care of load/store tearing. + +BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit + +write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1: + dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579 + notifier_call_chain kernel/notifier.c:84 [inline] + raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392 + call_netdevice_notifiers_info net/core/dev.c:1919 [inline] + call_netdevice_notifiers_extack net/core/dev.c:1931 [inline] + call_netdevice_notifiers net/core/dev.c:1945 [inline] + unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415 + ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123 + vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515 + ops_exit_list net/core/net_namespace.c:173 [inline] + cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0: + trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292 + trace_napi_poll include/trace/events/napi.h:14 [inline] + __napi_poll+0x36b/0x3f0 net/core/dev.c:6366 + napi_poll net/core/dev.c:6432 [inline] + net_rx_action+0x29e/0x650 net/core/dev.c:6519 + __do_softirq+0x158/0x2de kernel/softirq.c:558 + do_softirq+0xb1/0xf0 kernel/softirq.c:459 + __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383 + __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] + _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210 + spin_unlock_bh include/linux/spinlock.h:394 [inline] + ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline] + wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506 + process_one_work+0x3f6/0x960 kernel/workqueue.c:2307 + worker_thread+0x616/0xa70 kernel/workqueue.c:2454 + kthread+0x1bf/0x1e0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 + +value changed: 0xffff88815883e000 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker + +Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets") +Signed-off-by: Eric Dumazet +Cc: Neil Horman +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/drop_monitor.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -280,13 +280,17 @@ static void trace_napi_poll_hit(void *ig + + rcu_read_lock(); + list_for_each_entry_rcu(new_stat, &hw_stats_list, list) { ++ struct net_device *dev; ++ + /* + * only add a note to our monitor buffer if: + * 1) this is the dev we received on + * 2) its after the last_rx delta + * 3) our rx_dropped count has gone up + */ +- if ((new_stat->dev == napi->dev) && ++ /* Paired with WRITE_ONCE() in dropmon_net_event() */ ++ dev = READ_ONCE(new_stat->dev); ++ if ((dev == napi->dev) && + (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) && + (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) { + trace_drop_common(NULL, NULL); +@@ -1574,7 +1578,10 @@ static int dropmon_net_event(struct noti + mutex_lock(&net_dm_mutex); + list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, list) { + if (new_stat->dev == dev) { +- new_stat->dev = NULL; ++ ++ /* Paired with READ_ONCE() in trace_napi_poll_hit() */ ++ WRITE_ONCE(new_stat->dev, NULL); ++ + if (trace_state == TRACE_OFF) { + list_del_rcu(&new_stat->list); + kfree_rcu(new_stat, rcu); diff --git a/queue-5.10/ipv6-per-netns-exclusive-flowlabel-checks.patch b/queue-5.10/ipv6-per-netns-exclusive-flowlabel-checks.patch new file mode 100644 index 00000000000..068a0dda8ed --- /dev/null +++ b/queue-5.10/ipv6-per-netns-exclusive-flowlabel-checks.patch @@ -0,0 +1,98 @@ +From 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 15 Feb 2022 11:00:37 -0500 +Subject: ipv6: per-netns exclusive flowlabel checks + +From: Willem de Bruijn + +commit 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b upstream. + +Ipv6 flowlabels historically require a reservation before use. +Optionally in exclusive mode (e.g., user-private). + +Commit 59c820b2317f ("ipv6: elide flowlabel check if no exclusive +leases exist") introduced a fastpath that avoids this check when no +exclusive leases exist in the system, and thus any flowlabel use +will be granted. + +That allows skipping the control operation to reserve a flowlabel +entirely. Though with a warning if the fast path fails: + + This is an optimization. Robust applications still have to revert to + requesting leases if the fast path fails due to an exclusive lease. + +Still, this is subtle. Better isolate network namespaces from each +other. Flowlabels are per-netns. Also record per-netns whether +exclusive leases are in use. Then behavior does not change based on +activity in other netns. + +Changes + v2 + - wrap in IS_ENABLED(CONFIG_IPV6) to avoid breakage if disabled + +Fixes: 59c820b2317f ("ipv6: elide flowlabel check if no exclusive leases exist") +Link: https://lore.kernel.org/netdev/MWHPR2201MB1072BCCCFCE779E4094837ACD0329@MWHPR2201MB1072.namprd22.prod.outlook.com/ +Reported-by: Congyu Liu +Signed-off-by: Willem de Bruijn +Tested-by: Congyu Liu +Link: https://lore.kernel.org/r/20220215160037.1976072-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ipv6.h | 5 ++++- + include/net/netns/ipv6.h | 3 ++- + net/ipv6/ip6_flowlabel.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -390,17 +390,20 @@ static inline void txopt_put(struct ipv6 + kfree_rcu(opt, rcu); + } + ++#if IS_ENABLED(CONFIG_IPV6) + struct ip6_flowlabel *__fl6_sock_lookup(struct sock *sk, __be32 label); + + extern struct static_key_false_deferred ipv6_flowlabel_exclusive; + static inline struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, + __be32 label) + { +- if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key)) ++ if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key) && ++ READ_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl)) + return __fl6_sock_lookup(sk, label) ? : ERR_PTR(-ENOENT); + + return NULL; + } ++#endif + + struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, + struct ip6_flowlabel *fl, +--- a/include/net/netns/ipv6.h ++++ b/include/net/netns/ipv6.h +@@ -80,9 +80,10 @@ struct netns_ipv6 { + spinlock_t fib6_gc_lock; + unsigned int ip6_rt_gc_expire; + unsigned long ip6_rt_last_gc; ++ unsigned char flowlabel_has_excl; + #ifdef CONFIG_IPV6_MULTIPLE_TABLES +- unsigned int fib6_rules_require_fldissect; + bool fib6_has_custom_rules; ++ unsigned int fib6_rules_require_fldissect; + #ifdef CONFIG_IPV6_SUBTREES + unsigned int fib6_routes_require_src; + #endif +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -450,8 +450,10 @@ fl_create(struct net *net, struct sock * + err = -EINVAL; + goto done; + } +- if (fl_shared_exclusive(fl) || fl->opt) ++ if (fl_shared_exclusive(fl) || fl->opt) { ++ WRITE_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl, 1); + static_branch_deferred_inc(&ipv6_flowlabel_exclusive); ++ } + return fl; + + done: diff --git a/queue-5.10/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch b/queue-5.10/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch new file mode 100644 index 00000000000..d73512d5504 --- /dev/null +++ b/queue-5.10/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch @@ -0,0 +1,34 @@ +From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 28 Jan 2022 14:30:52 +0200 +Subject: iwlwifi: pcie: fix locking when "HW not ready" + +From: Johannes Berg + +commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream. + +If we run into this error path, we shouldn't unlock the mutex +since it's not locked since. Fix this. + +Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1313,8 +1313,7 @@ static int iwl_trans_pcie_start_fw(struc + /* This may fail if AMT took ownership of the device */ + if (iwl_pcie_prepare_card_hw(trans)) { + IWL_WARN(trans, "Exit HW not ready\n"); +- ret = -EIO; +- goto out; ++ return -EIO; + } + + iwl_enable_rfkill_int(trans); diff --git a/queue-5.10/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch b/queue-5.10/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch new file mode 100644 index 00000000000..498d4242aac --- /dev/null +++ b/queue-5.10/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch @@ -0,0 +1,34 @@ +From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 28 Jan 2022 14:30:53 +0200 +Subject: iwlwifi: pcie: gen2: fix locking when "HW not ready" + +From: Johannes Berg + +commit 4c29c1e27a1e178a219b3877d055e6dd643bdfda upstream. + +If we run into this error path, we shouldn't unlock the mutex +since it's not locked since. Fix this in the gen2 code as well. + +Fixes: eda50cde58de ("iwlwifi: pcie: add context information support") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c +@@ -320,8 +320,7 @@ int iwl_trans_pcie_gen2_start_fw(struct + /* This may fail if AMT took ownership of the device */ + if (iwl_pcie_prepare_card_hw(trans)) { + IWL_WARN(trans, "Exit HW not ready\n"); +- ret = -EIO; +- goto out; ++ return -EIO; + } + + iwl_enable_rfkill_int(trans); diff --git a/queue-5.10/libsubcmd-fix-use-after-free-for-realloc-...-0.patch b/queue-5.10/libsubcmd-fix-use-after-free-for-realloc-...-0.patch new file mode 100644 index 00000000000..23bfaebab85 --- /dev/null +++ b/queue-5.10/libsubcmd-fix-use-after-free-for-realloc-...-0.patch @@ -0,0 +1,66 @@ +From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Sun, 13 Feb 2022 10:24:43 -0800 +Subject: libsubcmd: Fix use-after-free for realloc(..., 0) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream. + +GCC 12 correctly reports a potential use-after-free condition in the +xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)" +when size == 0: + +In file included from help.c:12: +In function 'xrealloc', + inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free] + 56 | ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ +subcmd-util.h:52:21: note: call to 'realloc' here + 52 | void *ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ +subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free] + 58 | ret = realloc(ptr, 1); + | ^~~~~~~~~~~~~~~ +subcmd-util.h:52:21: note: call to 'realloc' here + 52 | void *ret = realloc(ptr, size); + | ^~~~~~~~~~~~~~~~~~ + +Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence") +Reported-by: Valdis Klētnieks +Signed-off-by: Kees Kook +Tested-by: Valdis Klētnieks +Tested-by: Justin M. Forbes +Acked-by: Josh Poimboeuf +Cc: linux-hardening@vger.kernel.org +Cc: Valdis Klētnieks +Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/subcmd/subcmd-util.h | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/tools/lib/subcmd/subcmd-util.h ++++ b/tools/lib/subcmd/subcmd-util.h +@@ -50,15 +50,8 @@ static NORETURN inline void die(const ch + static inline void *xrealloc(void *ptr, size_t size) + { + void *ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) { +- ret = realloc(ptr, size); +- if (!ret && !size) +- ret = realloc(ptr, 1); +- if (!ret) +- die("Out of memory, realloc failed"); +- } ++ if (!ret) ++ die("Out of memory, realloc failed"); + return ret; + } + diff --git a/queue-5.10/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch b/queue-5.10/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch new file mode 100644 index 00000000000..6f74e5889ff --- /dev/null +++ b/queue-5.10/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch @@ -0,0 +1,49 @@ +From c832962ac972082b3a1f89775c9d4274c8cb5670 Mon Sep 17 00:00:00 2001 +From: Oleksandr Mazur +Date: Tue, 15 Feb 2022 18:53:03 +0200 +Subject: net: bridge: multicast: notify switchdev driver whenever MC processing gets disabled + +From: Oleksandr Mazur + +commit c832962ac972082b3a1f89775c9d4274c8cb5670 upstream. + +Whenever bridge driver hits the max capacity of MDBs, it disables +the MC processing (by setting corresponding bridge option), but never +notifies switchdev about such change (the notifiers are called only upon +explicit setting of this option, through the registered netlink interface). + +This could lead to situation when Software MDB processing gets disabled, +but this event never gets offloaded to the underlying Hardware. + +Fix this by adding a notify message in such case. + +Fixes: 147c1e9b902c ("switchdev: bridge: Offload multicast disabled") +Signed-off-by: Oleksandr Mazur +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20220215165303.31908-1-oleksandr.mazur@plvision.eu +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -77,6 +77,9 @@ __br_multicast_add_group(struct net_brid + static void br_multicast_find_del_pg(struct net_bridge *br, + struct net_bridge_port_group *pg); + ++static int br_mc_disabled_update(struct net_device *dev, bool value, ++ struct netlink_ext_ack *extack); ++ + static struct net_bridge_port_group * + br_sg_port_find(struct net_bridge *br, + struct net_bridge_port_group_sg_key *sg_p) +@@ -1040,6 +1043,7 @@ struct net_bridge_mdb_entry *br_multicas + return mp; + + if (atomic_read(&br->mdb_hash_tbl.nelems) >= br->hash_max) { ++ br_mc_disabled_update(br->dev, false, NULL); + br_opt_toggle(br, BROPT_MULTICAST_ENABLED, false); + return ERR_PTR(-E2BIG); + } diff --git a/queue-5.10/net-dsa-lan9303-add-vlan-ids-to-master-device.patch b/queue-5.10/net-dsa-lan9303-add-vlan-ids-to-master-device.patch new file mode 100644 index 00000000000..ba13e2a6f31 --- /dev/null +++ b/queue-5.10/net-dsa-lan9303-add-vlan-ids-to-master-device.patch @@ -0,0 +1,75 @@ +From 430065e2671905ac675f97b7af240cc255964e93 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Wed, 16 Feb 2022 20:48:18 +0000 +Subject: net: dsa: lan9303: add VLAN IDs to master device + +From: Mans Rullgard + +commit 430065e2671905ac675f97b7af240cc255964e93 upstream. + +If the master device does VLAN filtering, the IDs used by the switch +must be added for any frames to be received. Do this in the +port_enable() function, and remove them in port_disable(). + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Mans Rullgard +Reviewed-by: Florian Fainelli +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220216204818.28746-1-mans@mansr.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/Kconfig | 1 + + drivers/net/dsa/lan9303-core.c | 11 +++++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/Kconfig ++++ b/drivers/net/dsa/Kconfig +@@ -82,6 +82,7 @@ config NET_DSA_REALTEK_SMI + + config NET_DSA_SMSC_LAN9303 + tristate ++ depends on VLAN_8021Q || VLAN_8021Q=n + select NET_DSA_TAG_LAN9303 + select REGMAP + help +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + + #include "lan9303.h" +@@ -1083,21 +1084,27 @@ static void lan9303_adjust_link(struct d + static int lan9303_port_enable(struct dsa_switch *ds, int port, + struct phy_device *phy) + { ++ struct dsa_port *dp = dsa_to_port(ds, port); + struct lan9303 *chip = ds->priv; + +- if (!dsa_is_user_port(ds, port)) ++ if (!dsa_port_is_user(dp)) + return 0; + ++ vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port); ++ + return lan9303_enable_processing_port(chip, port); + } + + static void lan9303_port_disable(struct dsa_switch *ds, int port) + { ++ struct dsa_port *dp = dsa_to_port(ds, port); + struct lan9303 *chip = ds->priv; + +- if (!dsa_is_user_port(ds, port)) ++ if (!dsa_port_is_user(dp)) + return; + ++ vlan_vid_del(dp->cpu_dp->master, htons(ETH_P_8021Q), port); ++ + lan9303_disable_processing_port(chip, port); + lan9303_phy_write(ds, chip->phy_addr_base + port, MII_BMCR, BMCR_PDOWN); + } diff --git a/queue-5.10/net-dsa-lan9303-fix-reset-on-probe.patch b/queue-5.10/net-dsa-lan9303-fix-reset-on-probe.patch new file mode 100644 index 00000000000..c700786a132 --- /dev/null +++ b/queue-5.10/net-dsa-lan9303-fix-reset-on-probe.patch @@ -0,0 +1,36 @@ +From 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Wed, 9 Feb 2022 14:54:54 +0000 +Subject: net: dsa: lan9303: fix reset on probe + +From: Mans Rullgard + +commit 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 upstream. + +The reset input to the LAN9303 chip is active low, and devicetree +gpio handles reflect this. Therefore, the gpio should be requested +with an initial state of high in order for the reset signal to be +asserted. Other uses of the gpio already use the correct polarity. + +Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") +Signed-off-by: Mans Rullgard +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fianelil +Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lan9303-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/lan9303-core.c ++++ b/drivers/net/dsa/lan9303-core.c +@@ -1305,7 +1305,7 @@ static int lan9303_probe_reset_gpio(stru + struct device_node *np) + { + chip->reset_gpio = devm_gpiod_get_optional(chip->dev, "reset", +- GPIOD_OUT_LOW); ++ GPIOD_OUT_HIGH); + if (IS_ERR(chip->reset_gpio)) + return PTR_ERR(chip->reset_gpio); + diff --git a/queue-5.10/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch b/queue-5.10/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch new file mode 100644 index 00000000000..9b87e708829 --- /dev/null +++ b/queue-5.10/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch @@ -0,0 +1,34 @@ +From 8c6ae46150a453f8ae9a6cd49b45f354f478587d Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Tue, 15 Feb 2022 13:42:48 +0300 +Subject: net: dsa: lantiq_gswip: fix use after free in gswip_remove() + +From: Alexey Khoroshilov + +commit 8c6ae46150a453f8ae9a6cd49b45f354f478587d upstream. + +of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be +done before mdiobus_free(priv->ds->slave_mii_bus). + +Signed-off-by: Alexey Khoroshilov +Fixes: 0d120dfb5d67 ("net: dsa: lantiq_gswip: don't use devres for mdiobus") +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/1644921768-26477-1-git-send-email-khoroshilov@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/lantiq_gswip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/lantiq_gswip.c ++++ b/drivers/net/dsa/lantiq_gswip.c +@@ -2114,8 +2114,8 @@ static int gswip_remove(struct platform_ + + if (priv->ds->slave_mii_bus) { + mdiobus_unregister(priv->ds->slave_mii_bus); +- mdiobus_free(priv->ds->slave_mii_bus); + of_node_put(priv->ds->slave_mii_bus->dev.of_node); ++ mdiobus_free(priv->ds->slave_mii_bus); + } + + for (i = 0; i < priv->num_gphy_fw; i++) diff --git a/queue-5.10/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch b/queue-5.10/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch new file mode 100644 index 00000000000..7942a6c5a52 --- /dev/null +++ b/queue-5.10/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch @@ -0,0 +1,36 @@ +From bdc120a2bcd834e571ce4115aaddf71ab34495de Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 1 Feb 2022 19:06:26 +0100 +Subject: net: ieee802154: ca8210: Fix lifs/sifs periods + +From: Miquel Raynal + +commit bdc120a2bcd834e571ce4115aaddf71ab34495de upstream. + +These periods are expressed in time units (microseconds) while 40 and 12 +are the number of symbol durations these periods will last. We need to +multiply them both with the symbol_duration in order to get these +values in microseconds. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20220201180629.93410-2-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/ca8210.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2977,8 +2977,8 @@ static void ca8210_hw_setup(struct ieee8 + ca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND; + ca8210_hw->phy->cca_ed_level = -9800; + ca8210_hw->phy->symbol_duration = 16; +- ca8210_hw->phy->lifs_period = 40; +- ca8210_hw->phy->sifs_period = 12; ++ ca8210_hw->phy->lifs_period = 40 * ca8210_hw->phy->symbol_duration; ++ ca8210_hw->phy->sifs_period = 12 * ca8210_hw->phy->symbol_duration; + ca8210_hw->flags = + IEEE802154_HW_AFILT | + IEEE802154_HW_OMIT_CKSUM | diff --git a/queue-5.10/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch b/queue-5.10/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch new file mode 100644 index 00000000000..7b3fb804042 --- /dev/null +++ b/queue-5.10/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch @@ -0,0 +1,327 @@ +From 5891cd5ec46c2c2eb6427cb54d214b149635dd0e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 11 Feb 2022 12:06:23 -0800 +Subject: net_sched: add __rcu annotation to netdev->qdisc + +From: Eric Dumazet + +commit 5891cd5ec46c2c2eb6427cb54d214b149635dd0e upstream. + +syzbot found a data-race [1] which lead me to add __rcu +annotations to netdev->qdisc, and proper accessors +to get LOCKDEP support. + +[1] +BUG: KCSAN: data-race in dev_activate / qdisc_lookup_rcu + +write to 0xffff888168ad6410 of 8 bytes by task 13559 on cpu 1: + attach_default_qdiscs net/sched/sch_generic.c:1167 [inline] + dev_activate+0x2ed/0x8f0 net/sched/sch_generic.c:1221 + __dev_open+0x2e9/0x3a0 net/core/dev.c:1416 + __dev_change_flags+0x167/0x3f0 net/core/dev.c:8139 + rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3150 + __rtnl_newlink net/core/rtnetlink.c:3489 [inline] + rtnl_newlink+0xf4d/0x13e0 net/core/rtnetlink.c:3529 + rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888168ad6410 of 8 bytes by task 13560 on cpu 0: + qdisc_lookup_rcu+0x30/0x2e0 net/sched/sch_api.c:323 + __tcf_qdisc_find+0x74/0x3a0 net/sched/cls_api.c:1050 + tc_del_tfilter+0x1c7/0x1350 net/sched/cls_api.c:2211 + rtnetlink_rcv_msg+0x5ba/0x7e0 net/core/rtnetlink.c:5585 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffffffff85dee080 -> 0xffff88815d96ec00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 13560 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 470502de5bdb ("net: sched: unlock rules update API") +Signed-off-by: Eric Dumazet +Cc: Vlad Buslov +Reported-by: syzbot +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netdevice.h | 2 +- + net/core/rtnetlink.c | 6 ++++-- + net/sched/cls_api.c | 6 +++--- + net/sched/sch_api.c | 22 ++++++++++++---------- + net/sched/sch_generic.c | 29 ++++++++++++++++------------- + 5 files changed, 36 insertions(+), 29 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2061,7 +2061,7 @@ struct net_device { + struct netdev_queue *_tx ____cacheline_aligned_in_smp; + unsigned int num_tx_queues; + unsigned int real_num_tx_queues; +- struct Qdisc *qdisc; ++ struct Qdisc __rcu *qdisc; + unsigned int tx_queue_len; + spinlock_t tx_global_lock; + +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1705,6 +1705,7 @@ static int rtnl_fill_ifinfo(struct sk_bu + { + struct ifinfomsg *ifm; + struct nlmsghdr *nlh; ++ struct Qdisc *qdisc; + + ASSERT_RTNL(); + nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags); +@@ -1722,6 +1723,7 @@ static int rtnl_fill_ifinfo(struct sk_bu + if (tgt_netnsid >= 0 && nla_put_s32(skb, IFLA_TARGET_NETNSID, tgt_netnsid)) + goto nla_put_failure; + ++ qdisc = rtnl_dereference(dev->qdisc); + if (nla_put_string(skb, IFLA_IFNAME, dev->name) || + nla_put_u32(skb, IFLA_TXQLEN, dev->tx_queue_len) || + nla_put_u8(skb, IFLA_OPERSTATE, +@@ -1740,8 +1742,8 @@ static int rtnl_fill_ifinfo(struct sk_bu + #endif + put_master_ifindex(skb, dev) || + nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) || +- (dev->qdisc && +- nla_put_string(skb, IFLA_QDISC, dev->qdisc->ops->id)) || ++ (qdisc && ++ nla_put_string(skb, IFLA_QDISC, qdisc->ops->id)) || + nla_put_ifalias(skb, dev) || + nla_put_u32(skb, IFLA_CARRIER_CHANGES, + atomic_read(&dev->carrier_up_count) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1045,7 +1045,7 @@ static int __tcf_qdisc_find(struct net * + + /* Find qdisc */ + if (!*parent) { +- *q = dev->qdisc; ++ *q = rcu_dereference(dev->qdisc); + *parent = (*q)->handle; + } else { + *q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent)); +@@ -2591,7 +2591,7 @@ static int tc_dump_tfilter(struct sk_buf + + parent = tcm->tcm_parent; + if (!parent) +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + else + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); + if (!q) +@@ -2977,7 +2977,7 @@ static int tc_dump_chain(struct sk_buff + + parent = tcm->tcm_parent; + if (!parent) { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + parent = q->handle; + } else { + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -301,7 +301,7 @@ struct Qdisc *qdisc_lookup(struct net_de + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rtnl_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -320,7 +320,7 @@ struct Qdisc *qdisc_lookup_rcu(struct ne + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rcu_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -1082,10 +1082,10 @@ static int qdisc_graft(struct net_device + skip: + if (!ingress) { + notify_and_destroy(net, skb, n, classid, +- dev->qdisc, new); ++ rtnl_dereference(dev->qdisc), new); + if (new && !new->ops->attach) + qdisc_refcount_inc(new); +- dev->qdisc = new ? : &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, new ? : &noop_qdisc); + + if (new && new->ops->attach) + new->ops->attach(new); +@@ -1460,7 +1460,7 @@ static int tc_get_qdisc(struct sk_buff * + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + if (!q) { + NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device"); +@@ -1549,7 +1549,7 @@ replay: + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + + /* It may be default qdisc, ignore it */ +@@ -1771,7 +1771,8 @@ static int tc_dump_qdisc(struct sk_buff + s_q_idx = 0; + q_idx = 0; + +- if (tc_dump_qdisc_root(dev->qdisc, skb, cb, &q_idx, s_q_idx, ++ if (tc_dump_qdisc_root(rtnl_dereference(dev->qdisc), ++ skb, cb, &q_idx, s_q_idx, + true, tca[TCA_DUMP_INVISIBLE]) < 0) + goto done; + +@@ -2047,7 +2048,7 @@ static int tc_ctl_tclass(struct sk_buff + } else if (qid1) { + qid = qid1; + } else if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + + /* Now qid is genuine qdisc handle consistent + * both with parent and child. +@@ -2058,7 +2059,7 @@ static int tc_ctl_tclass(struct sk_buff + portid = TC_H_MAKE(qid, portid); + } else { + if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + } + + /* OK. Locate qdisc */ +@@ -2219,7 +2220,8 @@ static int tc_dump_tclass(struct sk_buff + s_t = cb->args[0]; + t = 0; + +- if (tc_dump_tclass_root(dev->qdisc, skb, tcm, cb, &t, s_t, true) < 0) ++ if (tc_dump_tclass_root(rtnl_dereference(dev->qdisc), ++ skb, tcm, cb, &t, s_t, true) < 0) + goto done; + + dev_queue = dev_ingress_queue(dev); +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1088,30 +1088,33 @@ static void attach_default_qdiscs(struct + if (!netif_is_multiqueue(dev) || + dev->priv_flags & IFF_NO_QUEUE) { + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); +- dev->qdisc = txq->qdisc_sleeping; +- qdisc_refcount_inc(dev->qdisc); ++ qdisc = txq->qdisc_sleeping; ++ rcu_assign_pointer(dev->qdisc, qdisc); ++ qdisc_refcount_inc(qdisc); + } else { + qdisc = qdisc_create_dflt(txq, &mq_qdisc_ops, TC_H_ROOT, NULL); + if (qdisc) { +- dev->qdisc = qdisc; ++ rcu_assign_pointer(dev->qdisc, qdisc); + qdisc->ops->attach(qdisc); + } + } ++ qdisc = rtnl_dereference(dev->qdisc); + + /* Detect default qdisc setup/init failed and fallback to "noqueue" */ +- if (dev->qdisc == &noop_qdisc) { ++ if (qdisc == &noop_qdisc) { + netdev_warn(dev, "default qdisc (%s) fail, fallback to %s\n", + default_qdisc_ops->id, noqueue_qdisc_ops.id); + dev->priv_flags |= IFF_NO_QUEUE; + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); +- dev->qdisc = txq->qdisc_sleeping; +- qdisc_refcount_inc(dev->qdisc); ++ qdisc = txq->qdisc_sleeping; ++ rcu_assign_pointer(dev->qdisc, qdisc); ++ qdisc_refcount_inc(qdisc); + dev->priv_flags ^= IFF_NO_QUEUE; + } + + #ifdef CONFIG_NET_SCHED +- if (dev->qdisc != &noop_qdisc) +- qdisc_hash_add(dev->qdisc, false); ++ if (qdisc != &noop_qdisc) ++ qdisc_hash_add(qdisc, false); + #endif + } + +@@ -1141,7 +1144,7 @@ void dev_activate(struct net_device *dev + * and noqueue_qdisc for virtual interfaces + */ + +- if (dev->qdisc == &noop_qdisc) ++ if (rtnl_dereference(dev->qdisc) == &noop_qdisc) + attach_default_qdiscs(dev); + + if (!netif_carrier_ok(dev)) +@@ -1306,7 +1309,7 @@ static int qdisc_change_tx_queue_len(str + void dev_qdisc_change_real_num_tx(struct net_device *dev, + unsigned int new_real_tx) + { +- struct Qdisc *qdisc = dev->qdisc; ++ struct Qdisc *qdisc = rtnl_dereference(dev->qdisc); + + if (qdisc->ops->change_real_num_tx) + qdisc->ops->change_real_num_tx(qdisc, new_real_tx); +@@ -1346,7 +1349,7 @@ static void dev_init_scheduler_queue(str + + void dev_init_scheduler(struct net_device *dev) + { +- dev->qdisc = &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + netdev_for_each_tx_queue(dev, dev_init_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + dev_init_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +@@ -1374,8 +1377,8 @@ void dev_shutdown(struct net_device *dev + netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + shutdown_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +- qdisc_put(dev->qdisc); +- dev->qdisc = &noop_qdisc; ++ qdisc_put(rtnl_dereference(dev->qdisc)); ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + + WARN_ON(timer_pending(&dev->watchdog_timer)); + } diff --git a/queue-5.10/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch b/queue-5.10/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch new file mode 100644 index 00000000000..09b328a824a --- /dev/null +++ b/queue-5.10/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch @@ -0,0 +1,32 @@ +From 2b4e5fb4d3776c391e40fb33673ba946dd96012d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 10 Feb 2022 10:06:42 +0100 +Subject: netfilter: nft_synproxy: unregister hooks on init error path + +From: Pablo Neira Ayuso + +commit 2b4e5fb4d3776c391e40fb33673ba946dd96012d upstream. + +Disable the IPv4 hooks if the IPv6 hooks fail to be registered. + +Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_synproxy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nft_synproxy.c ++++ b/net/netfilter/nft_synproxy.c +@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const st + if (err) + goto nf_ct_failure; + err = nf_synproxy_ipv6_init(snet, ctx->net); +- if (err) ++ if (err) { ++ nf_synproxy_ipv4_fini(snet, ctx->net); + goto nf_ct_failure; ++ } + break; + } + diff --git a/queue-5.10/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch b/queue-5.10/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch new file mode 100644 index 00000000000..ee213b1399b --- /dev/null +++ b/queue-5.10/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch @@ -0,0 +1,50 @@ +From 31ded1535e3182778a1d0e5c32711f55da3bc512 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Wed, 16 Feb 2022 16:01:00 -0300 +Subject: perf bpf: Defer freeing string after possible strlen() on it + +From: Arnaldo Carvalho de Melo + +commit 31ded1535e3182778a1d0e5c32711f55da3bc512 upstream. + +This was detected by the gcc in Fedora Rawhide's gcc: + + 50 11.01 fedora:rawhide : FAIL gcc version 12.0.1 20220205 (Red Hat 12.0.1-0) (GCC) + inlined from 'bpf__config_obj' at util/bpf-loader.c:1242:9: + util/bpf-loader.c:1225:34: error: pointer 'map_opt' may be used after 'free' [-Werror=use-after-free] + 1225 | *key_scan_pos += strlen(map_opt); + | ^~~~~~~~~~~~~~~ + util/bpf-loader.c:1223:9: note: call to 'free' here + 1223 | free(map_name); + | ^~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +So do the calculations on the pointer before freeing it. + +Fixes: 04f9bf2bac72480c ("perf bpf-loader: Add missing '*' for key_scan_pos") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Wang ShaoBo +Link: https://lore.kernel.org/lkml/Yg1VtQxKrPpS3uNA@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/bpf-loader.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/bpf-loader.c ++++ b/tools/perf/util/bpf-loader.c +@@ -1215,9 +1215,10 @@ bpf__obj_config_map(struct bpf_object *o + pr_debug("ERROR: Invalid map config option '%s'\n", map_opt); + err = -BPF_LOADER_ERRNO__OBJCONF_MAP_OPT; + out: +- free(map_name); + if (!err) + *key_scan_pos += strlen(map_opt); ++ ++ free(map_name); + return err; + } + diff --git a/queue-5.10/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch b/queue-5.10/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch new file mode 100644 index 00000000000..555d5c0b58d --- /dev/null +++ b/queue-5.10/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch @@ -0,0 +1,78 @@ +From 35a79e64de29e8d57a5989aac57611c0cd29e13e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Wed, 16 Feb 2022 00:20:52 -0500 +Subject: ping: fix the dif and sdif check in ping_lookup + +From: Xin Long + +commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream. + +When 'ping' changes to use PING socket instead of RAW socket by: + + # sysctl -w net.ipv4.ping_group_range="0 100" + +There is another regression caused when matching sk_bound_dev_if +and dif, RAW socket is using inet_iif() while PING socket lookup +is using skb->dev->ifindex, the cmd below fails due to this: + + # ip link add dummy0 type dummy + # ip link set dummy0 up + # ip addr add 192.168.111.1/24 dev dummy0 + # ping -I dummy0 192.168.111.1 -c1 + +The issue was also reported on: + + https://github.com/iputils/iputils/issues/104 + +But fixed in iputils in a wrong way by not binding to device when +destination IP is on device, and it will cause some of kselftests +to fail, as Jianlin noticed. + +This patch is to use inet(6)_iif and inet(6)_sdif to get dif and +sdif for PING socket, and keep consistent with RAW socket. + +Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ping.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -172,16 +172,23 @@ static struct sock *ping_lookup(struct n + struct sock *sk = NULL; + struct inet_sock *isk; + struct hlist_nulls_node *hnode; +- int dif = skb->dev->ifindex; ++ int dif, sdif; + + if (skb->protocol == htons(ETH_P_IP)) { ++ dif = inet_iif(skb); ++ sdif = inet_sdif(skb); + pr_debug("try to find: num = %d, daddr = %pI4, dif = %d\n", + (int)ident, &ip_hdr(skb)->daddr, dif); + #if IS_ENABLED(CONFIG_IPV6) + } else if (skb->protocol == htons(ETH_P_IPV6)) { ++ dif = inet6_iif(skb); ++ sdif = inet6_sdif(skb); + pr_debug("try to find: num = %d, daddr = %pI6c, dif = %d\n", + (int)ident, &ipv6_hdr(skb)->daddr, dif); + #endif ++ } else { ++ pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol)); ++ return NULL; + } + + read_lock_bh(&ping_table.lock); +@@ -221,7 +228,7 @@ static struct sock *ping_lookup(struct n + } + + if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif && +- sk->sk_bound_dev_if != inet_sdif(skb)) ++ sk->sk_bound_dev_if != sdif) + continue; + + sock_hold(sk); diff --git a/queue-5.10/selftests-exec-add-non-regular-to-test_gen_progs.patch b/queue-5.10/selftests-exec-add-non-regular-to-test_gen_progs.patch new file mode 100644 index 00000000000..599d3f60a55 --- /dev/null +++ b/queue-5.10/selftests-exec-add-non-regular-to-test_gen_progs.patch @@ -0,0 +1,40 @@ +From a7e793a867ae312cecdeb6f06cceff98263e75dd Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Thu, 10 Feb 2022 22:13:23 +0500 +Subject: selftests/exec: Add non-regular to TEST_GEN_PROGS + +From: Muhammad Usama Anjum + +commit a7e793a867ae312cecdeb6f06cceff98263e75dd upstream. + +non-regular file needs to be compiled and then copied to the output +directory. Remove it from TEST_PROGS and add it to TEST_GEN_PROGS. This +removes error thrown by rsync when non-regular object isn't found: + +rsync: [sender] link_stat "/linux/tools/testing/selftests/exec/non-regular" failed: No such file or directory (2) +rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1333) [sender=3.2.3] + +Fixes: 0f71241a8e32 ("selftests/exec: add file type errno tests") +Reported-by: "kernelci.org bot" +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: Shuah Khan +Reviewed-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/exec/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/exec/Makefile ++++ b/tools/testing/selftests/exec/Makefile +@@ -3,8 +3,8 @@ CFLAGS = -Wall + CFLAGS += -Wno-nonnull + CFLAGS += -D_GNU_SOURCE + +-TEST_PROGS := binfmt_script non-regular +-TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 ++TEST_PROGS := binfmt_script ++TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 non-regular + TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir + # Makefile is a run-time dependency, since it's accessed by the execveat test + TEST_FILES := Makefile diff --git a/queue-5.10/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch b/queue-5.10/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch new file mode 100644 index 00000000000..7e5fa3ed2f8 --- /dev/null +++ b/queue-5.10/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch @@ -0,0 +1,33 @@ +From 2e71ec1a725a794a16e3862791ed43fe5ba6a06b Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Wed, 9 Feb 2022 16:25:51 +0800 +Subject: selftests: netfilter: fix exit value for nft_concat_range + +From: Hangbin Liu + +commit 2e71ec1a725a794a16e3862791ed43fe5ba6a06b upstream. + +When the nft_concat_range test failed, it exit 1 in the code +specifically. + +But when part of, or all of the test passed, it will failed the +[ ${passed} -eq 0 ] check and thus exit with 1, which is the same +exit value with failure result. Fix it by exit 0 when passed is not 0. + +Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation") +Signed-off-by: Hangbin Liu +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/netfilter/nft_concat_range.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/netfilter/nft_concat_range.sh ++++ b/tools/testing/selftests/netfilter/nft_concat_range.sh +@@ -1583,4 +1583,4 @@ for name in ${TESTS}; do + done + done + +-[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} ++[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} || exit 0 diff --git a/queue-5.10/series b/queue-5.10/series index 7ad2261b102..7bbfad8bcde 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -48,3 +48,23 @@ iwlwifi-fix-use-after-free.patch drm-radeon-fix-backlight-control-on-imac-12-1.patch drm-i915-opregion-check-port-number-bounds-for-swsci-display-power-state.patch vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch +drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch +iwlwifi-pcie-fix-locking-when-hw-not-ready.patch +iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch +selftests-netfilter-fix-exit-value-for-nft_concat_range.patch +netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch +ipv6-per-netns-exclusive-flowlabel-checks.patch +net-dsa-lan9303-fix-reset-on-probe.patch +net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch +net-dsa-lan9303-add-vlan-ids-to-master-device.patch +net-ieee802154-ca8210-fix-lifs-sifs-periods.patch +ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch +bonding-force-carrier-update-when-releasing-slave.patch +drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch +net_sched-add-__rcu-annotation-to-netdev-qdisc.patch +bonding-fix-data-races-around-agg_select_timer.patch +libsubcmd-fix-use-after-free-for-realloc-...-0.patch +dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch +net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch +perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch +selftests-exec-add-non-regular-to-test_gen_progs.patch