From: Greg Kroah-Hartman Date: Thu, 11 Sep 2025 13:12:41 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.10.244~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bc4d1eed07fc324ef72519aefb24aec691f07b90;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: media-i2c-imx214-fix-link-frequency-validation.patch media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch mptcp-pm-kernel-flush-do-not-reset-add_addr-limit.patch mtd-add-check-for-devm_kcalloc.patch net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch series
---
diff --git a/queue-5.10/media-i2c-imx214-fix-link-frequency-validation.patch b/queue-5.10/media-i2c-imx214-fix-link-frequency-validation.patch
new file mode 100644
index 0000000000..dc14c1a2e8
--- /dev/null
+++ b/queue-5.10/media-i2c-imx214-fix-link-frequency-validation.patch
@@ -0,0 +1,90 @@
+From stable+bounces-178970-greg=kroah.com@vger.kernel.org Mon Sep 8 23:06:08 2025
+From: Sasha Levin
+Date: Mon, 8 Sep 2025 17:06:01 -0400
+Subject: media: i2c: imx214: Fix link frequency validation
+To: stable@vger.kernel.org
+Cc: "André Apitzsch" , "Ricardo Ribalda" , "Sakari Ailus" , "Hans Verkuil" , "Sasha Levin"
+Message-ID: <20250908210601.2345440-1-sashal@kernel.org>
+
+From: André Apitzsch
+
+[ Upstream commit acc294519f1749041e1b8c74d46bbf6c57d8b061 ]
+
+The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then
+IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10),
+which works out as 384MPix/s. (The 8 is 4 lanes and DDR.)
+
+Parsing the PLL registers with the defined 24MHz input. We're in single
+PLL mode, so MIPI frequency is directly linked to pixel rate. VTCK ends
+up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz. Section 5.3
+"Frame rate calculation formula" says "Pixel rate
+[pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically
+agrees with my number above.
+
+3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg
+0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link
+frequency of 600MHz due to DDR.
+That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR.
+
+Keep the previous link frequency for backward compatibility.
+
+Acked-by: Ricardo Ribalda
+Signed-off-by: André Apitzsch
+Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+[ changed dev_err() to dev_err_probe() for the final error case ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/imx214.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/i2c/imx214.c
++++ b/drivers/media/i2c/imx214.c
+@@ -20,7 +20,9 @@
+ #include
+
+ #define IMX214_DEFAULT_CLK_FREQ 24000000
+-#define IMX214_DEFAULT_LINK_FREQ 480000000
++#define IMX214_DEFAULT_LINK_FREQ 600000000
++/* Keep wrong link frequency for backward compatibility */
++#define IMX214_DEFAULT_LINK_FREQ_LEGACY 480000000
+ #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10)
+ #define IMX214_FPS 30
+ #define IMX214_MBUS_CODE MEDIA_BUS_FMT_SRGGB10_1X10
+@@ -891,17 +893,26 @@ static int imx214_parse_fwnode(struct de
+ goto done;
+ }
+
+- for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++)
++ if (bus_cfg.nr_of_link_frequencies != 1)
++ dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n");
++
++ for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) {
+ if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ)
+ break;
+-
+- if (i == bus_cfg.nr_of_link_frequencies) {
+- dev_err(dev, "link-frequencies %d not supported, Please review your DT\n",
+- IMX214_DEFAULT_LINK_FREQ);
+- ret = -EINVAL;
+- goto done;
++ if (bus_cfg.link_frequencies[i] ==
++ IMX214_DEFAULT_LINK_FREQ_LEGACY) {
++ dev_warn(dev,
++ "link-frequencies %d not supported, please review your DT. Continuing anyway\n",
++ IMX214_DEFAULT_LINK_FREQ);
++ break;
++ }
+ }
+
++ if (i == bus_cfg.nr_of_link_frequencies)
++ ret = dev_err_probe(dev, -EINVAL,
++ "link-frequencies %d not supported, please review your DT\n",
++ IMX214_DEFAULT_LINK_FREQ);
++
+ done:
+ v4l2_fwnode_endpoint_free(&bus_cfg);
+ fwnode_handle_put(endpoint);
diff --git a/queue-5.10/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch b/queue-5.10/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch
new file mode 100644
index 0000000000..e01cb0ccce
--- /dev/null
+++ b/queue-5.10/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch
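Review bot: In the imx214 patch, the dev_warn() inside the IMX214_DEFAULT_LINK_FREQ_LEGACY branch of imx214_parse_fwnode() prints IMX214_DEFAULT_LINK_FREQ, so a device tree that lists 480000000 is told that 600000000 is "not supported", which is the value the driver now expects. Printing both the value found and the value expected would make the log actionable, for example `"link-frequency %d is deprecated, expected %d. Continuing anyway\n", IMX214_DEFAULT_LINK_FREQ_LEGACY, IMX214_DEFAULT_LINK_FREQ`. The existing one-line comment on the legacy define could also say that the legacy value is accepted only so that older device trees keep probing. The function body starts and ends outside the hunk.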
@@ -0,0 +1,49 @@
+From stable+bounces-178977-greg=kroah.com@vger.kernel.org Mon Sep 8 23:44:04 2025
+From: Sasha Levin
+Date: Mon, 8 Sep 2025 17:43:58 -0400
+Subject: media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
+To: stable@vger.kernel.org
+Cc: Arnd Bergmann , Nathan Chancellor , Alexandre Courbot , Hans Verkuil , Sasha Levin
+Message-ID: <20250908214358.2431222-1-sashal@kernel.org>
+
+From: Arnd Bergmann
+
+[ Upstream commit 07df4f23ef3ffe6fee697cd2e03623ad27108843 ]
+
+This is one of three clang warnings about incompatible enum types
+in a conditional expression:
+
+drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional]
+ 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
+ | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~
+
+The code is correct, so just rework it to avoid the warning.
+
+Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Nathan Chancellor
+Reviewed-by: Alexandre Courbot
+Signed-off-by: Hans Verkuil
+[ Adapted file path ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/mtk-vcodec/venc/venc_h264_if.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mtk-vcodec/venc/venc_h264_if.c
++++ b/drivers/media/platform/mtk-vcodec/venc/venc_h264_if.c
+@@ -509,7 +509,11 @@ static int h264_enc_init(struct mtk_vcod
+
+ inst->ctx = ctx;
+ inst->vpu_inst.ctx = ctx;
+- inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
++ if (is_ext)
++ inst->vpu_inst.id = SCP_IPI_VENC_H264;
++ else
++ inst->vpu_inst.id = IPI_VENC_H264;
++
+ inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx, VENC_SYS);
+
+ mtk_vcodec_debug_enter(inst);
diff --git a/queue-5.10/mptcp-pm-kernel-flush-do-not-reset-add_addr-limit.patch b/queue-5.10/mptcp-pm-kernel-flush-do-not-reset-add_addr-limit.patch
new file mode 100644
index 0000000000..c402b22ccc
--- /dev/null
+++ b/queue-5.10/mptcp-pm-kernel-flush-do-not-reset-add_addr-limit.patch
@@ -0,0 +1,43 @@
+From 68fc0f4b0d25692940cdc85c68e366cae63e1757 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Fri, 15 Aug 2025 19:28:20 +0200
+Subject: mptcp: pm: kernel: flush: do not reset ADD_ADDR limit
+
+From: Matthieu Baerts (NGI0)
+
+commit 68fc0f4b0d25692940cdc85c68e366cae63e1757 upstream.
+
+A flush of the MPTCP endpoints should not affect the MPTCP limits. In
+other words, 'ip mptcp endpoint flush' should not change 'ip mptcp
+limits'.
+
+But it was the case: the MPTCP_PM_ATTR_RCV_ADD_ADDRS (add_addr_accepted)
+limit was reset by accident. Removing the reset of this counter during a
+flush fixes this issue.
+
+Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
+Cc: stable@vger.kernel.org
+Reported-by: Thomas Dreibholz
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/579
+Reviewed-by: Mat Martineau
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-2-521fe9957892@kernel.org
+Signed-off-by: Jakub Kicinski
+[adjusted patch by removing WRITE_ONCE to take into account the missing
+ commit 72603d207d59 ("mptcp: use WRITE_ONCE for the pernet *_max")]
+Signed-off-by: Maximilian Heyne
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/pm_netlink.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -869,7 +869,6 @@ static void __flush_addrs(struct pm_nl_p
+ static void __reset_counters(struct pm_nl_pernet *pernet)
+ {
+ pernet->add_addr_signal_max = 0;
+- pernet->add_addr_accept_max = 0;
+ pernet->local_addr_max = 0;
+ pernet->addrs = 0;
+ }
diff --git a/queue-5.10/mtd-add-check-for-devm_kcalloc.patch b/queue-5.10/mtd-add-check-for-devm_kcalloc.patch
new file mode 100644
index 0000000000..41cc29d929
--- /dev/null
+++ b/queue-5.10/mtd-add-check-for-devm_kcalloc.patch
@@ -0,0 +1,37 @@
+From stable+bounces-178951-greg=kroah.com@vger.kernel.org Mon Sep 8 20:39:06 2025
+From: Sasha Levin
+Date: Mon, 8 Sep 2025 14:38:57 -0400
+Subject: mtd: Add check for devm_kcalloc()
+To: stable@vger.kernel.org
+Cc: Jiasheng Jiang , Miquel Raynal , Sasha Levin
+Message-ID: <20250908183857.1816448-1-sashal@kernel.org>
+
+From: Jiasheng Jiang
+
+[ Upstream commit 2aee30bb10d7bad0a60255059c9ce1b84cf0130e ]
+
+Add a check for devm_kcalloc() to ensure successful allocation.
+
+Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Miquel Raynal
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/mtdpstore.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/mtdpstore.c
++++ b/drivers/mtd/mtdpstore.c
+@@ -423,6 +423,9 @@ static void mtdpstore_notify_add(struct
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
+ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+
++ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
++ return;
++
+ cxt->dev.total_size = mtd->size;
+ /* just support dmesg right now */
+ cxt->dev.flags = PSTORE_FLAGS_DMESG;
diff --git a/queue-5.10/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch b/queue-5.10/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch
new file mode 100644
index 0000000000..a33d5ce7d7
--- /dev/null
+++ b/queue-5.10/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch
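Review bot: In the mtdpstore patch, the new early `return` in mtdpstore_notify_add() is silent and leaves cxt->rmmap, cxt->usedmap and cxt->badmap holding whatever mix of NULL and valid pointers the three devm_kcalloc() calls produced. Because the function returns void, the caller cannot learn that setup was abandoned. Whether the remove notifier and the other users of these bitmaps are gated on state that is only set after this point is not visible in the hunk and should be confirmed. A comment stating the invariant would help the next reader, for example `/* none of the code below may run with a missing bitmap; devm releases the partial allocations with the device */`. The function body starts and ends outside the hunk.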
@@ -0,0 +1,275 @@ +From stable+bounces-178962-greg=kroah.com@vger.kernel.org Mon Sep 8 22:28:26 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 16:28:19 -0400 +Subject: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. +To: stable@vger.kernel.org +Cc: Kuniyuki Iwashima , Jakub Kicinski , Sasha Levin +Message-ID: <20250908202819.2331278-1-sashal@kernel.org> + +From: Kuniyuki Iwashima + +[ Upstream commit 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 ] + +When I ran the repro [0] and waited a few seconds, I observed two +LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] + +Reproduction Steps: + + 1) Mount CIFS + 2) Add an iptables rule to drop incoming FIN packets for CIFS + 3) Unmount CIFS + 4) Unload the CIFS module + 5) Remove the iptables rule + +At step 3), the CIFS module calls sock_release() for the underlying +TCP socket, and it returns quickly. However, the socket remains in +FIN_WAIT_1 because incoming FIN packets are dropped. + +At this point, the module's refcnt is 0 while the socket is still +alive, so the following rmmod command succeeds. + + # ss -tan + State Recv-Q Send-Q Local Address:Port Peer Address:Port + FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 + + # lsmod | grep cifs + cifs 1159168 0 + +This highlights a discrepancy between the lifetime of the CIFS module +and the underlying TCP socket. Even after CIFS calls sock_release() +and it returns, the TCP socket does not die immediately in order to +close the connection gracefully. + +While this is generally fine, it causes an issue with LOCKDEP because +CIFS assigns a different lock class to the TCP socket's sk->sk_lock +using sock_lock_init_class_and_name(). + +Once an incoming packet is processed for the socket or a timer fires, +sk->sk_lock is acquired. + +Then, LOCKDEP checks the lock context in check_wait_context(), where +hlock_class() is called to retrieve the lock class. 
However, since +the module has already been unloaded, hlock_class() logs a warning +and returns NULL, triggering the null-ptr-deref. + +If LOCKDEP is enabled, we must ensure that a module calling +sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded +while such a socket is still alive to prevent this issue. + +Let's hold the module reference in sock_lock_init_class_and_name() +and release it when the socket is freed in sk_prot_free(). + +Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() +that calls sock_lock_init_class_and_name() for a listening socket, +which clones a socket by sk_clone_lock() without GFP_ZERO. + +[0]: +CIFS_SERVER="10.0.0.137" +CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" +DEV="enp0s3" +CRED="/root/WindowsCredential.txt" + +MNT=$(mktemp -d /tmp/XXXXXX) +mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 + +iptables -A INPUT -s ${CIFS_SERVER} -j DROP + +for i in $(seq 10); +do + umount ${MNT} + rmmod cifs + sleep 1 +done + +rm -r ${MNT} + +iptables -D INPUT -s ${CIFS_SERVER} -j DROP + +[1]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) +Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] +CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) +... +Call Trace: + + __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) + lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) + _raw_spin_lock_nested (kernel/locking/spinlock.c:379) + tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) +... 
+ +BUG: kernel NULL pointer dereference, address: 00000000000000c4 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 +Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 +Tainted: [W]=WARN +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) +Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 +RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 +RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 +RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff +R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 +R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 +FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) + _raw_spin_lock_nested (kernel/locking/spinlock.c:379) + tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) + ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) + ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) + ip_list_rcv_finish (net/ipv4/ip_input.c:628) + ip_list_rcv (net/ipv4/ip_input.c:670) + 
__netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) + netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) + napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) + e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) + __napi_poll.constprop.0 (net/core/dev.c:7191) + net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) + handle_softirqs (kernel/softirq.c:561) + __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) + irq_exit_rcu (kernel/softirq.c:680) + common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) + + + asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) +RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) +Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 +RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 +RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 +RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + ? 
do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) + default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) + do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) + cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) + start_secondary (arch/x86/kernel/smpboot.c:315) + common_startup_64 (arch/x86/kernel/head_64.S:421) + +Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] +CR2: 00000000000000c4 + +Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") +Signed-off-by: Kuniyuki Iwashima +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +[ no ns_tracker and sk_user_frags fields ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 40 ++++++++++++++++++++++++++++++++++++++-- + net/core/sock.c | 5 +++++ + 2 files changed, 43 insertions(+), 2 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -341,6 +341,8 @@ struct bpf_local_storage; + * @sk_txtime_deadline_mode: set deadline mode for SO_TXTIME + * @sk_txtime_report_errors: set report errors mode for SO_TXTIME + * @sk_txtime_unused: unused txtime flags ++ * @sk_owner: reference to the real owner of the socket that calls ++ * sock_lock_init_class_and_name(). 
+ */ + struct sock { + /* +@@ -521,6 +523,10 @@ struct sock { + struct bpf_local_storage __rcu *sk_bpf_storage; + #endif + struct rcu_head sk_rcu; ++ ++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) ++ struct module *sk_owner; ++#endif + }; + + enum sk_pacing { +@@ -1607,6 +1613,35 @@ static inline void sock_release_ownershi + } + } + ++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) ++static inline void sk_owner_set(struct sock *sk, struct module *owner) ++{ ++ __module_get(owner); ++ sk->sk_owner = owner; ++} ++ ++static inline void sk_owner_clear(struct sock *sk) ++{ ++ sk->sk_owner = NULL; ++} ++ ++static inline void sk_owner_put(struct sock *sk) ++{ ++ module_put(sk->sk_owner); ++} ++#else ++static inline void sk_owner_set(struct sock *sk, struct module *owner) ++{ ++} ++ ++static inline void sk_owner_clear(struct sock *sk) ++{ ++} ++ ++static inline void sk_owner_put(struct sock *sk) ++{ ++} ++#endif + /* + * Macro so as to not evaluate some arguments when + * lockdep is not enabled. 
+@@ -1616,13 +1651,14 @@ static inline void sock_release_ownershi + */ + #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ + do { \ ++ sk_owner_set(sk, THIS_MODULE); \ + sk->sk_lock.owned = 0; \ + init_waitqueue_head(&sk->sk_lock.wq); \ + spin_lock_init(&(sk)->sk_lock.slock); \ + debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ +- sizeof((sk)->sk_lock)); \ ++ sizeof((sk)->sk_lock)); \ + lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ +- (skey), (sname)); \ ++ (skey), (sname)); \ + lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ + } while (0) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1652,6 +1652,8 @@ int sock_getsockopt(struct socket *sock, + */ + static inline void sock_lock_init(struct sock *sk) + { ++ sk_owner_clear(sk); ++ + if (sk->sk_kern_sock) + sock_lock_init_class_and_name( + sk, +@@ -1738,6 +1740,9 @@ static void sk_prot_free(struct proto *p + cgroup_sk_free(&sk->sk_cgrp_data); + mem_cgroup_sk_free(sk); + security_sk_free(sk); ++ ++ sk_owner_put(sk); ++ + if (slab != NULL) + kmem_cache_free(slab, sk); + else diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 0000000000..87f3bd7f5d --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,5 @@ +mptcp-pm-kernel-flush-do-not-reset-add_addr-limit.patch +media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch +media-i2c-imx214-fix-link-frequency-validation.patch +net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch +mtd-add-check-for-devm_kcalloc.patch
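Review bot: In the net patch, sk_owner_put() in include/net/sock.h, called from sk_prot_free(), drops a module reference based on whatever sk->sk_owner holds at free time, so it is only balanced if every struct sock reaching sk_prot_free() was either zero-allocated or passed through sock_lock_init(), which is where sk_owner_clear() runs. The commit message notes that sk_clone_lock() copies a socket without GFP_ZERO; a copy that was freed before sock_lock_init() ran would put a reference it never took, though no such path is visible in these hunks. That invariant should be written down at the helpers, e.g. `/* sk_owner is NULL or a reference taken by sk_owner_set(); a copied sock must go through sock_lock_init() before it can reach sk_prot_free() */`. A second short comment on sk_owner_set() could explain why `__module_get()` is safe there, presumably because the caller is executing inside the owning module and so the module cannot already be going away.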