From: Sasha Levin Date: Sat, 15 Mar 2025 01:12:08 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.6.84~49 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5da33922f2f155567112e361b76681f127568808;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/drivers-hv-replace-binary-semaphore-with-mutex.patch b/queue-5.4/drivers-hv-replace-binary-semaphore-with-mutex.patch new file mode 100644 index 0000000000..da27435477 --- /dev/null +++ b/queue-5.4/drivers-hv-replace-binary-semaphore-with-mutex.patch @@ -0,0 +1,77 @@ +From 00dee6b3e4563726b004105f67fb0c2ea5b8f689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2019 13:00:04 -0700 +Subject: drivers/hv: Replace binary semaphore with mutex + +From: Davidlohr Bueso + +[ Upstream commit 8aea7f82153d6f292add3eb4bd7ba8edcae5c7f7 ] + +At a slight footprint cost (24 vs 32 bytes), mutexes are more optimal +than semaphores; it's also a nicer interface for mutual exclusion, +which is why they are encouraged over binary semaphores, when possible. + +Replace the hyperv_mmio_lock, its semantics implies traditional lock +ownership; that is, the lock owner is the same for both lock/unlock +operations. Therefore it is safe to convert. + +Signed-off-by: Davidlohr Bueso +Signed-off-by: Sasha Levin +Stable-dep-of: 73fe9073c0cc ("Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()") +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 01a2eeb2ec961..488ea7810ad99 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -107,7 +107,7 @@ static struct notifier_block hyperv_panic_block = { + static const char *fb_mmio_name = "fb_range"; + static struct resource *fb_mmio; + static struct resource *hyperv_mmio; +-static DEFINE_SEMAPHORE(hyperv_mmio_lock); ++static DEFINE_MUTEX(hyperv_mmio_lock); + + static int vmbus_exists(void) + { +@@ -2082,7 +2082,7 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj, + int retval; + + retval = -ENXIO; +- down(&hyperv_mmio_lock); ++ mutex_lock(&hyperv_mmio_lock); + + /* + * If overlaps with frame buffers are allowed, then first attempt to +@@ -2137,7 +2137,7 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj, + } + + exit: +- up(&hyperv_mmio_lock); ++ mutex_unlock(&hyperv_mmio_lock); + return retval; + } + EXPORT_SYMBOL_GPL(vmbus_allocate_mmio); +@@ -2154,7 +2154,7 @@ void vmbus_free_mmio(resource_size_t start, resource_size_t size) + { + struct resource *iter; + +- down(&hyperv_mmio_lock); ++ mutex_lock(&hyperv_mmio_lock); + for (iter = hyperv_mmio; iter; iter = iter->sibling) { + if ((iter->start >= start + size) || (iter->end <= start)) + continue; +@@ -2162,7 +2162,7 @@ void vmbus_free_mmio(resource_size_t start, resource_size_t size) + __release_region(iter, start, size); + } + release_mem_region(start, size); +- up(&hyperv_mmio_lock); ++ mutex_unlock(&hyperv_mmio_lock); + + } + EXPORT_SYMBOL_GPL(vmbus_free_mmio); +-- +2.39.5 + diff --git a/queue-5.4/drivers-hv-vmbus-don-t-release-fb_mmio-resource-in-v.patch b/queue-5.4/drivers-hv-vmbus-don-t-release-fb_mmio-resource-in-v.patch new file mode 100644 index 0000000000..80c9cc99c8 --- /dev/null +++ b/queue-5.4/drivers-hv-vmbus-don-t-release-fb_mmio-resource-in-v.patch @@ -0,0 +1,85 @@ +From 84eb145be58810364fbf7703b3bcfef9b9368443 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Mar 2025 20:52:08 -0700 +Subject: Drivers: hv: vmbus: Don't release fb_mmio resource in + vmbus_free_mmio() + +From: Michael Kelley + +[ Upstream commit 73fe9073c0cc28056cb9de0c8a516dac070f1d1f ] + +The VMBus driver manages the MMIO space it owns via the hyperv_mmio +resource tree. Because the synthetic video framebuffer portion of the +MMIO space is initially setup by the Hyper-V host for each guest, the +VMBus driver does an early reserve of that portion of MMIO space in the +hyperv_mmio resource tree. It saves a pointer to that resource in +fb_mmio. When a VMBus driver requests MMIO space and passes "true" +for the "fb_overlap_ok" argument, the reserved framebuffer space is +used if possible. In that case it's not necessary to do another request +against the "shadow" hyperv_mmio resource tree because that resource +was already requested in the early reserve steps. + +However, the vmbus_free_mmio() function currently does no special +handling for the fb_mmio resource. When a framebuffer device is +removed, or the driver is unbound, the current code for +vmbus_free_mmio() releases the reserved resource, leaving fb_mmio +pointing to memory that has been freed. If the same or another +driver is subsequently bound to the device, vmbus_allocate_mmio() +checks against fb_mmio, and potentially gets garbage. Furthermore +a second unbind operation produces this "nonexistent resource" error +because of the unbalanced behavior between vmbus_allocate_mmio() and +vmbus_free_mmio(): + +[ 55.499643] resource: Trying to free nonexistent + resource <0x00000000f0000000-0x00000000f07fffff> + +Fix this by adding logic to vmbus_free_mmio() to recognize when +MMIO space in the fb_mmio reserved area would be released, and don't +release it. This filtering ensures the fb_mmio resource always exists, +and makes vmbus_free_mmio() more parallel with vmbus_allocate_mmio(). + +Fixes: be000f93e5d7 ("drivers:hv: Track allocations of children of hv_vmbus in private resource tree") +Signed-off-by: Michael Kelley +Tested-by: Saurabh Sengar +Reviewed-by: Saurabh Sengar +Link: https://lore.kernel.org/r/20250310035208.275764-1-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20250310035208.275764-1-mhklinux@outlook.com> +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 488ea7810ad99..ecf79f3126b58 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -2155,12 +2155,25 @@ void vmbus_free_mmio(resource_size_t start, resource_size_t size) + struct resource *iter; + + mutex_lock(&hyperv_mmio_lock); ++ ++ /* ++ * If all bytes of the MMIO range to be released are within the ++ * special case fb_mmio shadow region, skip releasing the shadow ++ * region since no corresponding __request_region() was done ++ * in vmbus_allocate_mmio(). ++ */ ++ if (fb_mmio && start >= fb_mmio->start && ++ (start + size - 1 <= fb_mmio->end)) ++ goto skip_shadow_release; ++ + for (iter = hyperv_mmio; iter; iter = iter->sibling) { + if ((iter->start >= start + size) || (iter->end <= start)) + continue; + + __release_region(iter, start, size); + } ++ ++skip_shadow_release: + release_mem_region(start, size); + mutex_unlock(&hyperv_mmio_lock); + +-- +2.39.5 + diff --git a/queue-5.4/ipvs-prevent-integer-overflow-in-do_ip_vs_get_ctl.patch b/queue-5.4/ipvs-prevent-integer-overflow-in-do_ip_vs_get_ctl.patch new file mode 100644 index 0000000000..4f13ebec8c --- /dev/null +++ b/queue-5.4/ipvs-prevent-integer-overflow-in-do_ip_vs_get_ctl.patch @@ -0,0 +1,68 @@ +From a9156bdf426233b2085adf5c8a434cce0830c69c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 10:45:53 +0300 +Subject: ipvs: prevent integer overflow in do_ip_vs_get_ctl() + +From: Dan Carpenter + +[ Upstream commit 80b78c39eb86e6b55f56363b709eb817527da5aa ] + +The get->num_services variable is an unsigned int which is controlled by +the user. The struct_size() function ensures that the size calculation +does not overflow an unsigned long, however, we are saving the result to +an int so the calculation can overflow. + +Both "len" and "get->num_services" come from the user. This check is +just a sanity check to help the user and ensure they are using the API +correctly. An integer overflow here is not a big deal. This has no +security impact. + +Save the result from struct_size() type size_t to fix this integer +overflow bug. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Dan Carpenter +Acked-by: Julian Anastasov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 2bc82dabfe3b8..dcce6aaac970e 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2809,12 +2809,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + case IP_VS_SO_GET_SERVICES: + { + struct ip_vs_get_services *get; +- int size; ++ size_t size; + + get = (struct ip_vs_get_services *)arg; + size = struct_size(get, entrytable, get->num_services); + if (*len != size) { +- pr_err("length: %u != %u\n", *len, size); ++ pr_err("length: %u != %zu\n", *len, size); + ret = -EINVAL; + goto out; + } +@@ -2850,12 +2850,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + case IP_VS_SO_GET_DESTS: + { + struct ip_vs_get_dests *get; +- int size; ++ size_t size; + + get = (struct ip_vs_get_dests *)arg; + size = struct_size(get, entrytable, get->num_dests); + if (*len != size) { +- pr_err("length: %u != %u\n", *len, size); ++ pr_err("length: %u != %zu\n", *len, size); + ret = -EINVAL; + goto out; + } +-- +2.39.5 + diff --git a/queue-5.4/net-mlx5e-prevent-bridge-link-show-failure-for-non-e.patch b/queue-5.4/net-mlx5e-prevent-bridge-link-show-failure-for-non-e.patch new file mode 100644 index 0000000000..28d4cf1c05 --- /dev/null +++ b/queue-5.4/net-mlx5e-prevent-bridge-link-show-failure-for-non-e.patch @@ -0,0 +1,53 @@ +From 8abb83eb0062e131b2b44c42934c04e0d6be13d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 00:01:44 +0200 +Subject: net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed + devices + +From: Carolina Jubran + +[ Upstream commit e92df790d07a8eea873efcb84776e7b71f81c7d5 ] + +mlx5_eswitch_get_vepa returns -EPERM if the device lacks +eswitch_manager capability, blocking mlx5e_bridge_getlink from +retrieving VEPA mode. Since mlx5e_bridge_getlink implements +ndo_bridge_getlink, returning -EPERM causes bridge link show to fail +instead of skipping devices without this capability. + +To avoid this, return -EOPNOTSUPP from mlx5e_bridge_getlink when +mlx5_eswitch_get_vepa fails, ensuring the command continues processing +other devices while ignoring those without the necessary capability. + +Fixes: 4b89251de024 ("net/mlx5: Support ndo bridge_setlink and getlink") +Signed-off-by: Carolina Jubran +Reviewed-by: Jianbo Liu +Signed-off-by: Tariq Toukan +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/1741644104-97767-7-git-send-email-tariqt@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 363c4ab059909..b3ba996004f1d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4684,11 +4684,9 @@ static int mlx5e_bridge_getlink(struct sk_buff *skb, u32 pid, u32 seq, + struct mlx5e_priv *priv = netdev_priv(dev); + struct mlx5_core_dev *mdev = priv->mdev; + u8 mode, setting; +- int err; + +- err = mlx5_eswitch_get_vepa(mdev->priv.eswitch, &setting); +- if (err) +- return err; ++ if (mlx5_eswitch_get_vepa(mdev->priv.eswitch, &setting)) ++ return -EOPNOTSUPP; + mode = setting ? BRIDGE_MODE_VEPA : BRIDGE_MODE_VEB; + return ndo_dflt_bridge_getlink(skb, pid, seq, dev, + mode, +-- +2.39.5 + diff --git a/queue-5.4/net_sched-prevent-creation-of-classes-with-tc_h_root.patch b/queue-5.4/net_sched-prevent-creation-of-classes-with-tc_h_root.patch new file mode 100644 index 0000000000..b142eae1da --- /dev/null +++ b/queue-5.4/net_sched-prevent-creation-of-classes-with-tc_h_root.patch @@ -0,0 +1,50 @@ +From bbced519979c6f508be382e38293f934d283d784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 15:23:54 -0800 +Subject: net_sched: Prevent creation of classes with TC_H_ROOT + +From: Cong Wang + +[ Upstream commit 0c3057a5a04d07120b3d0ec9c79568fceb9c921e ] + +The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination +condition when traversing up the qdisc tree to update parent backlog +counters. However, if a class is created with classid TC_H_ROOT, the +traversal terminates prematurely at this class instead of reaching the +actual root qdisc, causing parent statistics to be incorrectly maintained. +In case of DRR, this could lead to a crash as reported by Mingi Cho. + +Prevent the creation of any Qdisc class with classid TC_H_ROOT +(0xFFFFFFFF) across all qdisc types, as suggested by Jamal. + +Reported-by: Mingi Cho +Signed-off-by: Cong Wang +Reviewed-by: Simon Horman +Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop") +Link: https://patch.msgid.link/20250306232355.93864-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 178044a845dfd..60c8b81a22dcd 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -2159,6 +2159,12 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, + return -EOPNOTSUPP; + } + ++ /* Prevent creation of traffic classes with classid TC_H_ROOT */ ++ if (clid == TC_H_ROOT) { ++ NL_SET_ERR_MSG(extack, "Cannot create traffic class with classid TC_H_ROOT"); ++ return -EINVAL; ++ } ++ + new_cl = cl; + err = -EOPNOTSUPP; + if (cops->change) +-- +2.39.5 + diff --git a/queue-5.4/netfilter-nf_conncount-fully-initialize-struct-nf_co.patch b/queue-5.4/netfilter-nf_conncount-fully-initialize-struct-nf_co.patch new file mode 100644 index 0000000000..1430958485 --- /dev/null +++ b/queue-5.4/netfilter-nf_conncount-fully-initialize-struct-nf_co.patch @@ -0,0 +1,129 @@ +From ee7a55b5827ba461cbd3a72f8cf73a40b4e2f1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Mar 2025 17:07:38 +0900 +Subject: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple + in insert_tree() + +From: Kohei Enju + +[ Upstream commit d653bfeb07ebb3499c403404c21ac58a16531607 ] + +Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage +collection confirm race"), `cpu` and `jiffies32` were introduced to +the struct nf_conncount_tuple. + +The commit made nf_conncount_add() initialize `conn->cpu` and +`conn->jiffies32` when allocating the struct. +In contrast, count_tree() was not changed to initialize them. + +By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and +traversal"), count_tree() was split and the relevant allocation +code now resides in insert_tree(). +Initialize `conn->cpu` and `conn->jiffies32` in insert_tree(). + +BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline] +BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 + find_or_evict net/netfilter/nf_conncount.c:117 [inline] + __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 + count_tree net/netfilter/nf_conncount.c:438 [inline] + nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521 + connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 + __nft_match_eval net/netfilter/nft_compat.c:403 [inline] + nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 + nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 + NF_HOOK_LIST include/linux/netfilter.h:350 [inline] + ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 + ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669 + __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline] + __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983 + __netif_receive_skb_list net/core/dev.c:6035 [inline] + netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126 + netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178 + xdp_recv_frames net/bpf/test_run.c:280 [inline] + xdp_test_run_batch net/bpf/test_run.c:361 [inline] + bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390 + bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316 + bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407 + __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813 + __do_sys_bpf kernel/bpf/syscall.c:5902 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5900 [inline] + __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900 + ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358 + do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] + __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387 + do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412 + do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4121 [inline] + slab_alloc_node mm/slub.c:4164 [inline] + kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171 + insert_tree net/netfilter/nf_conncount.c:372 [inline] + count_tree net/netfilter/nf_conncount.c:450 [inline] + nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521 + connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 + __nft_match_eval net/netfilter/nft_compat.c:403 [inline] + nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 + expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] + nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 + nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 + nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] + nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 + nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 + NF_HOOK_LIST include/linux/netfilter.h:350 [inline] + ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 + ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669 + __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline] + __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983 + __netif_receive_skb_list net/core/dev.c:6035 [inline] + netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126 + netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178 + xdp_recv_frames net/bpf/test_run.c:280 [inline] + xdp_test_run_batch net/bpf/test_run.c:361 [inline] + bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390 + bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316 + bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407 + __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813 + __do_sys_bpf kernel/bpf/syscall.c:5902 [inline] + __se_sys_bpf kernel/bpf/syscall.c:5900 [inline] + __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900 + ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358 + do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] + __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387 + do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412 + do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450 + entry_SYSENTER_compat_after_hwframe+0x84/0x8e + +Reported-by: syzbot+83fed965338b573115f7@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=83fed965338b573115f7 +Fixes: b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race") +Signed-off-by: Kohei Enju +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conncount.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c +index 0ce12a33ffda4..a66a27fe7f458 100644 +--- a/net/netfilter/nf_conncount.c ++++ b/net/netfilter/nf_conncount.c +@@ -366,6 +366,8 @@ insert_tree(struct net *net, + + conn->tuple = *tuple; + conn->zone = *zone; ++ conn->cpu = raw_smp_processor_id(); ++ conn->jiffies32 = (u32)jiffies; + memcpy(rbconn->key, key, sizeof(u32) * data->keylen); + + nf_conncount_list_init(&rbconn->list); +-- +2.39.5 + diff --git a/queue-5.4/netfilter-nft_exthdr-fix-offset-with-ipv4_find_optio.patch b/queue-5.4/netfilter-nft_exthdr-fix-offset-with-ipv4_find_optio.patch new file mode 100644 index 0000000000..c479450c39 --- /dev/null +++ b/queue-5.4/netfilter-nft_exthdr-fix-offset-with-ipv4_find_optio.patch @@ -0,0 +1,78 @@ +From 932a2e26d90be32c7c123f8c6f4a31c7b751d024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Mar 2025 00:14:36 +0300 +Subject: netfilter: nft_exthdr: fix offset with ipv4_find_option() + +From: Alexey Kashavkin + +[ Upstream commit 6edd78af9506bb182518da7f6feebd75655d9a0e ] + +There is an incorrect calculation in the offset variable which causes +the nft_skb_copy_to_reg() function to always return -EFAULT. Adding the +start variable is redundant. In the __ip_options_compile() function the +correct offset is specified when finding the function. There is no need +to add the size of the iphdr structure to the offset. + +Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") +Signed-off-by: Alexey Kashavkin +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_exthdr.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index ca268293cfa12..de43abf6d1191 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -83,7 +83,6 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb, + unsigned char optbuf[sizeof(struct ip_options) + 40]; + struct ip_options *opt = (struct ip_options *)optbuf; + struct iphdr *iph, _iph; +- unsigned int start; + bool found = false; + __be32 info; + int optlen; +@@ -91,7 +90,6 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb, + iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); + if (!iph) + return -EBADMSG; +- start = sizeof(struct iphdr); + + optlen = iph->ihl * 4 - (int)sizeof(struct iphdr); + if (optlen <= 0) +@@ -101,7 +99,7 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb, + /* Copy the options since __ip_options_compile() modifies + * the options. + */ +- if (skb_copy_bits(skb, start, opt->__data, optlen)) ++ if (skb_copy_bits(skb, sizeof(struct iphdr), opt->__data, optlen)) + return -EBADMSG; + opt->optlen = optlen; + +@@ -116,18 +114,18 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb, + found = target == IPOPT_SSRR ? opt->is_strictroute : + !opt->is_strictroute; + if (found) +- *offset = opt->srr + start; ++ *offset = opt->srr; + break; + case IPOPT_RR: + if (!opt->rr) + break; +- *offset = opt->rr + start; ++ *offset = opt->rr; + found = true; + break; + case IPOPT_RA: + if (!opt->router_alert) + break; +- *offset = opt->router_alert + start; ++ *offset = opt->router_alert; + found = true; + break; + default: +-- +2.39.5 + diff --git a/queue-5.4/netpoll-fix-use-correct-return-type-for-ndo_start_xm.patch b/queue-5.4/netpoll-fix-use-correct-return-type-for-ndo_start_xm.patch new file mode 100644 index 0000000000..2c99094d94 --- /dev/null +++ b/queue-5.4/netpoll-fix-use-correct-return-type-for-ndo_start_xm.patch @@ -0,0 +1,51 @@ +From 30e2846289fb3b0d594cea0847687ab82d9dcaa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 18:20:58 +0800 +Subject: netpoll: Fix use correct return type for ndo_start_xmit() + +From: Yunjian Wang + +[ Upstream commit a54776f2c4939bdee084c9ecd00a4a5a25b7c429 ] + +The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix +the ndo function to use the correct type. + +Signed-off-by: Yunjian Wang +Signed-off-by: David S. Miller +Stable-dep-of: 505ead7ab77f ("netpoll: hold rcu read lock in __netpoll_send_skb()") +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 9a67aa989d606..35a3277ee3567 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -70,10 +70,11 @@ module_param(carrier_timeout, uint, 0644); + #define np_notice(np, fmt, ...) \ + pr_notice("%s: " fmt, np->name, ##__VA_ARGS__) + +-static int netpoll_start_xmit(struct sk_buff *skb, struct net_device *dev, +- struct netdev_queue *txq) ++static netdev_tx_t netpoll_start_xmit(struct sk_buff *skb, ++ struct net_device *dev, ++ struct netdev_queue *txq) + { +- int status = NETDEV_TX_OK; ++ netdev_tx_t status = NETDEV_TX_OK; + netdev_features_t features; + + features = netif_skb_features(skb); +@@ -325,7 +326,7 @@ static int netpoll_owner_active(struct net_device *dev) + void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, + struct net_device *dev) + { +- int status = NETDEV_TX_BUSY; ++ netdev_tx_t status = NETDEV_TX_BUSY; + unsigned long tries; + /* It is up to the caller to keep npinfo alive. */ + struct netpoll_info *npinfo; +-- +2.39.5 + diff --git a/queue-5.4/netpoll-hold-rcu-read-lock-in-__netpoll_send_skb.patch b/queue-5.4/netpoll-hold-rcu-read-lock-in-__netpoll_send_skb.patch new file mode 100644 index 0000000000..99ce59a87e --- /dev/null +++ b/queue-5.4/netpoll-hold-rcu-read-lock-in-__netpoll_send_skb.patch @@ -0,0 +1,76 @@ +From b1ec35b994b13796e58cd41b27032ac8295ce165 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 05:16:18 -0800 +Subject: netpoll: hold rcu read lock in __netpoll_send_skb() + +From: Breno Leitao + +[ Upstream commit 505ead7ab77f289f12d8a68ac83da068e4d4408b ] + +The function __netpoll_send_skb() is being invoked without holding the +RCU read lock. This oversight triggers a warning message when +CONFIG_PROVE_RCU_LIST is enabled: + + net/core/netpoll.c:330 suspicious rcu_dereference_check() usage! + + netpoll_send_skb + netpoll_send_udp + write_ext_msg + console_flush_all + console_unlock + vprintk_emit + +To prevent npinfo from disappearing unexpectedly, ensure that +__netpoll_send_skb() is protected with the RCU read lock. + +Fixes: 2899656b494dcd1 ("netpoll: take rcu_read_lock_bh() in netpoll_send_skb_on_dev()") +Signed-off-by: Breno Leitao +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250306-netpoll_rcu_v2-v2-1-bc4f5c51742a@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/netpoll.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 408fc07007900..940d371f5f3b5 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -326,6 +326,7 @@ static int netpoll_owner_active(struct net_device *dev) + static netdev_tx_t __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + { + netdev_tx_t status = NETDEV_TX_BUSY; ++ netdev_tx_t ret = NET_XMIT_DROP; + struct net_device *dev; + unsigned long tries; + /* It is up to the caller to keep npinfo alive. */ +@@ -334,11 +335,12 @@ static netdev_tx_t __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + lockdep_assert_irqs_disabled(); + + dev = np->dev; ++ rcu_read_lock(); + npinfo = rcu_dereference_bh(dev->npinfo); + + if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) { + dev_kfree_skb_irq(skb); +- return NET_XMIT_DROP; ++ goto out; + } + + /* don't get messages out of order, and no recursion */ +@@ -377,7 +379,10 @@ static netdev_tx_t __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + skb_queue_tail(&npinfo->txq, skb); + schedule_delayed_work(&npinfo->tx_work,0); + } +- return NETDEV_TX_OK; ++ ret = NETDEV_TX_OK; ++out: ++ rcu_read_unlock(); ++ return ret; + } + + netdev_tx_t netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) +-- +2.39.5 + diff --git a/queue-5.4/netpoll-move-netpoll_send_skb-out-of-line.patch b/queue-5.4/netpoll-move-netpoll_send_skb-out-of-line.patch new file mode 100644 index 0000000000..8018187ba7 --- /dev/null +++ b/queue-5.4/netpoll-move-netpoll_send_skb-out-of-line.patch @@ -0,0 +1,75 @@ +From 8ea5eb3b6aedcce6235a30d88439d146ed3ad120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 09:32:19 -0700 +Subject: netpoll: move netpoll_send_skb() out of line + +From: Eric Dumazet + +[ Upstream commit fb1eee476b0d3be3e58dac1a3a96f726c6278bed ] + +There is no need to inline this helper, as we intend to add more +code in this function. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 505ead7ab77f ("netpoll: hold rcu read lock in __netpoll_send_skb()") +Signed-off-by: Sasha Levin +--- + include/linux/netpoll.h | 9 +-------- + net/core/netpoll.c | 13 +++++++++++-- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/include/linux/netpoll.h b/include/linux/netpoll.h +index f5202a59c0274..2db513437d2c0 100644 +--- a/include/linux/netpoll.h ++++ b/include/linux/netpoll.h +@@ -63,14 +63,7 @@ int netpoll_setup(struct netpoll *np); + void __netpoll_cleanup(struct netpoll *np); + void __netpoll_free(struct netpoll *np); + void netpoll_cleanup(struct netpoll *np); +-void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb); +-static inline void netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) +-{ +- unsigned long flags; +- local_irq_save(flags); +- __netpoll_send_skb(np, skb); +- local_irq_restore(flags); +-} ++void netpoll_send_skb(struct netpoll *np, struct sk_buff *skb); + + #ifdef CONFIG_NETPOLL + static inline void *netpoll_poll_lock(struct napi_struct *napi) +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 69f80b531a1c3..5eefbb2e145a4 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -323,7 +323,7 @@ static int netpoll_owner_active(struct net_device *dev) + } + + /* call with IRQ disabled */ +-void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) ++static void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + { + netdev_tx_t status = NETDEV_TX_BUSY; + struct net_device *dev; +@@ -378,7 +378,16 @@ void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + schedule_delayed_work(&npinfo->tx_work,0); + } + } +-EXPORT_SYMBOL(__netpoll_send_skb); ++ ++void netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) ++{ ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ __netpoll_send_skb(np, skb); ++ local_irq_restore(flags); ++} ++EXPORT_SYMBOL(netpoll_send_skb); + + void netpoll_send_udp(struct netpoll *np, const char *msg, int len) + { +-- +2.39.5 + diff --git a/queue-5.4/netpoll-netpoll_send_skb-returns-transmit-status.patch b/queue-5.4/netpoll-netpoll_send_skb-returns-transmit-status.patch new file mode 100644 index 0000000000..a008348c0e --- /dev/null +++ b/queue-5.4/netpoll-netpoll_send_skb-returns-transmit-status.patch @@ -0,0 +1,80 @@ +From 12bd9db6698504a8880a563f77c31c46f5d9dc64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 09:32:20 -0700 +Subject: netpoll: netpoll_send_skb() returns transmit status + +From: Eric Dumazet + +[ Upstream commit 1ddabdfaf70c202b88925edd74c66f4707dbd92e ] + +Some callers want to know if the packet has been sent or +dropped, to inform upper stacks. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 505ead7ab77f ("netpoll: hold rcu read lock in __netpoll_send_skb()") +Signed-off-by: Sasha Levin +--- + include/linux/netpoll.h | 2 +- + net/core/netpoll.c | 11 +++++++---- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/include/linux/netpoll.h b/include/linux/netpoll.h +index 2db513437d2c0..f8f5270a891d0 100644 +--- a/include/linux/netpoll.h ++++ b/include/linux/netpoll.h +@@ -63,7 +63,7 @@ int netpoll_setup(struct netpoll *np); + void __netpoll_cleanup(struct netpoll *np); + void __netpoll_free(struct netpoll *np); + void netpoll_cleanup(struct netpoll *np); +-void netpoll_send_skb(struct netpoll *np, struct sk_buff *skb); ++netdev_tx_t netpoll_send_skb(struct netpoll *np, struct sk_buff *skb); + + #ifdef CONFIG_NETPOLL + static inline void *netpoll_poll_lock(struct napi_struct *napi) +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 5eefbb2e145a4..408fc07007900 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -323,7 +323,7 @@ static int netpoll_owner_active(struct net_device *dev) + } + + /* call with IRQ disabled */ +-static void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) ++static netdev_tx_t __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + { + netdev_tx_t status = NETDEV_TX_BUSY; + struct net_device *dev; +@@ -338,7 +338,7 @@ static void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + + if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) { + dev_kfree_skb_irq(skb); +- return; ++ return NET_XMIT_DROP; + } + + /* don't get messages out of order, and no recursion */ +@@ -377,15 +377,18 @@ static void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + skb_queue_tail(&npinfo->txq, skb); + schedule_delayed_work(&npinfo->tx_work,0); + } ++ return NETDEV_TX_OK; + } + +-void netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) ++netdev_tx_t netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + { + unsigned long flags; ++ netdev_tx_t ret; + + local_irq_save(flags); +- __netpoll_send_skb(np, skb); ++ ret = __netpoll_send_skb(np, skb); + local_irq_restore(flags); ++ return ret; + } + EXPORT_SYMBOL(netpoll_send_skb); + +-- +2.39.5 + diff --git a/queue-5.4/netpoll-remove-dev-argument-from-netpoll_send_skb_on.patch b/queue-5.4/netpoll-remove-dev-argument-from-netpoll_send_skb_on.patch new file mode 100644 index 0000000000..1b5c91c6cf --- /dev/null +++ b/queue-5.4/netpoll-remove-dev-argument-from-netpoll_send_skb_on.patch @@ -0,0 +1,83 @@ +From d19a7bdec4fe8c3877d9c69c056ab212990f4fe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 09:32:18 -0700 +Subject: netpoll: remove dev argument from netpoll_send_skb_on_dev() + +From: Eric Dumazet + +[ Upstream commit 307f660d056b5eb8f5bb2328fac3915ab75b5007 ] + +netpoll_send_skb_on_dev() can get the device pointer directly from np->dev + +Rename it to __netpoll_send_skb() + +Following patch will move netpoll_send_skb() out-of-line. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 505ead7ab77f ("netpoll: hold rcu read lock in __netpoll_send_skb()") +Signed-off-by: Sasha Levin +--- + include/linux/netpoll.h | 5 ++--- + net/core/netpoll.c | 10 ++++++---- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/include/linux/netpoll.h b/include/linux/netpoll.h +index 3ff0303672842..f5202a59c0274 100644 +--- a/include/linux/netpoll.h ++++ b/include/linux/netpoll.h +@@ -63,13 +63,12 @@ int netpoll_setup(struct netpoll *np); + void __netpoll_cleanup(struct netpoll *np); + void __netpoll_free(struct netpoll *np); + void netpoll_cleanup(struct netpoll *np); +-void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, +- struct net_device *dev); ++void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb); + static inline void netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + { + unsigned long flags; + local_irq_save(flags); +- netpoll_send_skb_on_dev(np, skb, np->dev); ++ __netpoll_send_skb(np, skb); + local_irq_restore(flags); + } + +diff --git a/net/core/netpoll.c b/net/core/netpoll.c +index 35a3277ee3567..69f80b531a1c3 100644 +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -323,17 +323,19 @@ static int netpoll_owner_active(struct net_device *dev) + } + + /* call with IRQ disabled */ +-void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, +- struct net_device *dev) ++void __netpoll_send_skb(struct netpoll *np, struct sk_buff *skb) + { + netdev_tx_t status = NETDEV_TX_BUSY; ++ struct net_device *dev; + unsigned long tries; + /* It is up to the caller to keep npinfo alive. */ + struct netpoll_info *npinfo; + + lockdep_assert_irqs_disabled(); + +- npinfo = rcu_dereference_bh(np->dev->npinfo); ++ dev = np->dev; ++ npinfo = rcu_dereference_bh(dev->npinfo); ++ + if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) { + dev_kfree_skb_irq(skb); + return; +@@ -376,7 +378,7 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb, + schedule_delayed_work(&npinfo->tx_work,0); + } + } +-EXPORT_SYMBOL(netpoll_send_skb_on_dev); ++EXPORT_SYMBOL(__netpoll_send_skb); + + void netpoll_send_udp(struct netpoll *np, const char *msg, int len) + { +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-bcm281xx-fix-incorrect-regmap-max_registers-.patch b/queue-5.4/pinctrl-bcm281xx-fix-incorrect-regmap-max_registers-.patch new file mode 100644 index 0000000000..f0970727c9 --- /dev/null +++ b/queue-5.4/pinctrl-bcm281xx-fix-incorrect-regmap-max_registers-.patch @@ -0,0 +1,40 @@ +From b94b3c7f93309fce5ef728651bcff097f0bbaad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 21:02:41 +0100 +Subject: pinctrl: bcm281xx: Fix incorrect regmap max_registers value + +From: Artur Weber + +[ Upstream commit 68283c1cb573143c0b7515e93206f3503616bc10 ] + +The max_registers value does not take into consideration the stride; +currently, it's set to the number of the last pin, but this does not +accurately represent the final register. + +Fix this by multiplying the current value by 4. + +Fixes: 54b1aa5a5b16 ("ARM: pinctrl: Add Broadcom Capri pinctrl driver") +Signed-off-by: Artur Weber +Link: https://lore.kernel.org/20250207-bcm21664-pinctrl-v1-2-e7cfac9b2d3b@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/bcm/pinctrl-bcm281xx.c b/drivers/pinctrl/bcm/pinctrl-bcm281xx.c +index bc3b232a727a5..3452005342ad6 100644 +--- a/drivers/pinctrl/bcm/pinctrl-bcm281xx.c ++++ b/drivers/pinctrl/bcm/pinctrl-bcm281xx.c +@@ -981,7 +981,7 @@ static const struct regmap_config bcm281xx_pinctrl_regmap_config = { + .reg_bits = 32, + .reg_stride = 4, + .val_bits = 32, +- .max_register = BCM281XX_PIN_VC_CAM3_SDA, ++ .max_register = BCM281XX_PIN_VC_CAM3_SDA * 4, + }; + + static int bcm281xx_pinctrl_get_groups_count(struct pinctrl_dev *pctldev) +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 4b5c2bcc62..a9e6063c68 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -5,3 +5,16 @@ revert-sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch revert-sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch +pinctrl-bcm281xx-fix-incorrect-regmap-max_registers-.patch +netpoll-fix-use-correct-return-type-for-ndo_start_xm.patch +netpoll-remove-dev-argument-from-netpoll_send_skb_on.patch +netpoll-move-netpoll_send_skb-out-of-line.patch +netpoll-netpoll_send_skb-returns-transmit-status.patch +netpoll-hold-rcu-read-lock-in-__netpoll_send_skb.patch +drivers-hv-replace-binary-semaphore-with-mutex.patch +drivers-hv-vmbus-don-t-release-fb_mmio-resource-in-v.patch +netfilter-nf_conncount-fully-initialize-struct-nf_co.patch +ipvs-prevent-integer-overflow-in-do_ip_vs_get_ctl.patch +net_sched-prevent-creation-of-classes-with-tc_h_root.patch +netfilter-nft_exthdr-fix-offset-with-ipv4_find_optio.patch +net-mlx5e-prevent-bridge-link-show-failure-for-non-e.patch