From: Greg Kroah-Hartman
Date: Sun, 8 Sep 2024 10:11:29 +0000 (+0200)
Subject: 6.10-stable patches
X-Git-Tag: v4.19.322~129
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8e06064e255561398e0831a8b595f53a14ccaa6f;p=thirdparty%2Fkernel%2Fstable-queue.git

6.10-stable patches

added patches:
asoc-dapm-fix-uaf-for-snd_soc_pcm_runtime-object.patch
kvm-x86-acquire-kvm-srcu-when-handling-kvm_set_vcpu_events.patch
net-ethernet-ti-am65-cpsw-fix-xdp_drop-xdp_tx-and-xdp_redirect.patch
net-microchip-vcap-fix-use-after-free-error-in-kunit-test.patch
---

diff --git a/queue-6.10/asoc-dapm-fix-uaf-for-snd_soc_pcm_runtime-object.patch b/queue-6.10/asoc-dapm-fix-uaf-for-snd_soc_pcm_runtime-object.patch
new file mode 100644
index 00000000000..178d1aa8283
--- /dev/null
+++ b/queue-6.10/asoc-dapm-fix-uaf-for-snd_soc_pcm_runtime-object.patch
@@ -0,0 +1,58 @@ +From b4a90b543d9f62d3ac34ec1ab97fc5334b048565 Mon Sep 17 00:00:00 2001 +From: robelin +Date: Fri, 23 Aug 2024 14:43:41 +0000 +Subject: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object + +From: robelin + +commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream. + +When using kernel with the following extra config, + + - CONFIG_KASAN=y + - CONFIG_KASAN_GENERIC=y + - CONFIG_KASAN_INLINE=y + - CONFIG_KASAN_VMALLOC=y + - CONFIG_FRAME_WARN=4096 + +kernel detects that snd_pcm_suspend_all() access a freed +'snd_soc_pcm_runtime' object when the system is suspended, which +leads to a use-after-free bug: + +[ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 +[ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 + +[ 52.047785] Call trace: +[ 52.047787] dump_backtrace+0x0/0x3c0 +[ 52.047794] show_stack+0x34/0x50 +[ 52.047797] dump_stack_lvl+0x68/0x8c +[ 52.047802] print_address_description.constprop.0+0x74/0x2c0 +[ 52.047809] kasan_report+0x210/0x230 +[ 52.047815] __asan_report_load1_noabort+0x3c/0x50 +[ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 +[ 52.047824] snd_soc_suspend+0x19c/0x4e0 + +The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before +making any access. So we need to always set 'substream->runtime' to NULL +everytime we kfree() it. + +Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables") +Signed-off-by: robelin +Signed-off-by: Sameer Pujar +Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-dapm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -4066,6 +4066,7 @@ static int snd_soc_dai_link_event(struct + + case SND_SOC_DAPM_POST_PMD: + kfree(substream->runtime); ++ substream->runtime = NULL; + break; + + default: 
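Review bot: The added `substream->runtime = NULL;` after `kfree()` in the `SND_SOC_DAPM_POST_PMD` arm has no comment, and nothing in the hunk says why a store after a free matters; suggest `/* snd_pcm_suspend_all()/snd_pcm_sync_stop() NULL-check runtime on suspend; clear the dangling pointer */` above it. The `SND_SOC_DAPM_PRE_PMU` arm that allocates this runtime is outside the hunk; if it frees the runtime on any error path, that path needs the same reset or the suspend-time read in the KASAN report stays reachable. snd_soc_dai_link_event begins and ends outside the hunk.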
diff --git a/queue-6.10/kvm-x86-acquire-kvm-srcu-when-handling-kvm_set_vcpu_events.patch b/queue-6.10/kvm-x86-acquire-kvm-srcu-when-handling-kvm_set_vcpu_events.patch new file mode 100644 index 00000000000..0427f568a75 --- /dev/null +++ b/queue-6.10/kvm-x86-acquire-kvm-srcu-when-handling-kvm_set_vcpu_events.patch 
@@ -0,0 +1,80 @@ +From 4bcdd831d9d01e0fb64faea50732b59b2ee88da1 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 23 Jul 2024 16:20:55 -0700 +Subject: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS + +From: Sean Christopherson + +commit 4bcdd831d9d01e0fb64faea50732b59b2ee88da1 upstream. + +Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly +leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX +reads guest memory. + +Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN +via sync_regs(), which already holds SRCU. I.e. trying to precisely use +kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause +problems. Acquiring SRCU isn't all that expensive, so for simplicity, +grab it unconditionally for KVM_SET_VCPU_EVENTS. + + ============================= + WARNING: suspicious RCU usage + 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted + ----------------------------- + include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! + + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by repro/1071: + #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] + + stack backtrace: + CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl+0x7f/0x90 + lockdep_rcu_suspicious+0x13f/0x1a0 + kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] + kvm_vcpu_read_guest+0x3e/0x90 [kvm] + nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] + load_vmcs12_host_state+0x432/0xb40 [kvm_intel] + vmx_leave_nested+0x30/0x40 [kvm_intel] + kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] + kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] + ? mark_held_locks+0x49/0x70 + ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] + ? kvm_vcpu_ioctl+0x497/0x970 [kvm] + kvm_vcpu_ioctl+0x497/0x970 [kvm] + ? 
lock_acquire+0xba/0x2d0 + ? find_held_lock+0x2b/0x80 + ? do_user_addr_fault+0x40c/0x6f0 + ? lock_release+0xb7/0x270 + __x64_sys_ioctl+0x82/0xb0 + do_syscall_64+0x6c/0x170 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + RIP: 0033:0x7ff11eb1b539 + + +Fixes: f7e570780efc ("KVM: x86: Forcibly leave nested virt when SMM state is toggled") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20240723232055.3643811-1-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6040,7 +6040,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi + if (copy_from_user(&events, argp, sizeof(struct kvm_vcpu_events))) + break; + ++ kvm_vcpu_srcu_read_lock(vcpu); + r = kvm_vcpu_ioctl_x86_set_vcpu_events(vcpu, &events); ++ kvm_vcpu_srcu_read_unlock(vcpu); + break; + } + case KVM_GET_DEBUGREGS: { diff --git a/queue-6.10/net-ethernet-ti-am65-cpsw-fix-xdp_drop-xdp_tx-and-xdp_redirect.patch b/queue-6.10/net-ethernet-ti-am65-cpsw-fix-xdp_drop-xdp_tx-and-xdp_redirect.patch new file mode 100644 index 00000000000..2ff9e4f9e5b --- /dev/null +++ b/queue-6.10/net-ethernet-ti-am65-cpsw-fix-xdp_drop-xdp_tx-and-xdp_redirect.patch 
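Review bot: The `kvm_vcpu_srcu_read_lock(vcpu)` / `kvm_vcpu_srcu_read_unlock(vcpu)` pair around `kvm_vcpu_ioctl_x86_set_vcpu_events()` in the `KVM_SET_VCPU_EVENTS` arm carries no comment, and the reason (leaving nested VMX/SVM on an SMM toggle reads guest memory, which needs kvm->srcu) lives only in the commit message; suggest `/* Leaving nested virt when SMM is toggled reads guest memory, which requires kvm->srcu. */` above the lock call. Since the commit notes the callee is also reached from KVM_RUN via sync_regs() with SRCU already held, a lockdep-based check such as `WARN_ON_ONCE(!srcu_read_lock_held(&vcpu->kvm->srcu))` at the top of the callee would catch any future caller that forgets the lock, though that function is outside the hunk. kvm_arch_vcpu_ioctl begins and ends outside the hunk.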
@@ -0,0 +1,226 @@ +From 5e24db550bd6f484d2c7687ee488708260e1f84a Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 29 Aug 2024 15:03:19 +0300 +Subject: net: ethernet: ti: am65-cpsw: fix XDP_DROP, XDP_TX and XDP_REDIRECT + +From: Roger Quadros + +commit 5e24db550bd6f484d2c7687ee488708260e1f84a upstream. + +The following XDP_DROP test from [1] stalls the interface after +250 packets. +~# xdb-bench drop -m native eth0 +This is because new RX requests are never queued. Fix that. + +The below XDP_TX test from [1] fails with a warning +[ 499.947381] XDP_WARN: xdp_update_frame_from_buff(line:277): Driver BUG: missing reserved tailroom +~# xdb-bench tx -m native eth0 +Fix that by using PAGE_SIZE during xdp_init_buf(). + +In XDP_REDIRECT case only 1 packet was processed in rx_poll. +Fix it to process up to budget packets. + +Fix all XDP error cases to call trace_xdp_exception() and drop the packet +in am65_cpsw_run_xdp(). + +[1] xdp-tools suite https://github.com/xdp-project/xdp-tools + +Fixes: 8acacc40f733 ("net: ethernet: ti: am65-cpsw: Add minimal XDP support") +Signed-off-by: Roger Quadros +Reviewed-by: Jacob Keller +Acked-by: Julien Panis +Reviewed-by: MD Danish Anwar +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 62 +++++++++++++++++-------------- + 1 file changed, 34 insertions(+), 28 deletions(-) + +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -156,12 +156,13 @@ + #define AM65_CPSW_CPPI_TX_PKT_TYPE 0x7 + + /* XDP */ +-#define AM65_CPSW_XDP_CONSUMED 2 +-#define AM65_CPSW_XDP_REDIRECT 1 ++#define AM65_CPSW_XDP_CONSUMED BIT(1) ++#define AM65_CPSW_XDP_REDIRECT BIT(0) + #define AM65_CPSW_XDP_PASS 0 + + /* Include headroom compatible with both skb and xdpf */ +-#define AM65_CPSW_HEADROOM (max(NET_SKB_PAD, XDP_PACKET_HEADROOM) + NET_IP_ALIGN) ++#define AM65_CPSW_HEADROOM_NA (max(NET_SKB_PAD, XDP_PACKET_HEADROOM) + NET_IP_ALIGN) ++#define 
AM65_CPSW_HEADROOM ALIGN(AM65_CPSW_HEADROOM_NA, sizeof(long)) + + static void am65_cpsw_port_set_sl_mac(struct am65_cpsw_port *slave, + const u8 *dev_addr) +@@ -933,7 +934,7 @@ static int am65_cpsw_xdp_tx_frame(struct + host_desc = k3_cppi_desc_pool_alloc(tx_chn->desc_pool); + if (unlikely(!host_desc)) { + ndev->stats.tx_dropped++; +- return -ENOMEM; ++ return AM65_CPSW_XDP_CONSUMED; /* drop */ + } + + am65_cpsw_nuss_set_buf_type(tx_chn, host_desc, buf_type); +@@ -942,7 +943,7 @@ static int am65_cpsw_xdp_tx_frame(struct + pkt_len, DMA_TO_DEVICE); + if (unlikely(dma_mapping_error(tx_chn->dma_dev, dma_buf))) { + ndev->stats.tx_dropped++; +- ret = -ENOMEM; ++ ret = AM65_CPSW_XDP_CONSUMED; /* drop */ + goto pool_free; + } + +@@ -977,6 +978,7 @@ static int am65_cpsw_xdp_tx_frame(struct + /* Inform BQL */ + netdev_tx_completed_queue(netif_txq, 1, pkt_len); + ndev->stats.tx_errors++; ++ ret = AM65_CPSW_XDP_CONSUMED; /* drop */ + goto dma_unmap; + } + +@@ -1004,6 +1006,7 @@ static int am65_cpsw_run_xdp(struct am65 + struct bpf_prog *prog; + struct page *page; + u32 act; ++ int err; + + prog = READ_ONCE(port->xdp_prog); + if (!prog) +@@ -1023,14 +1026,14 @@ static int am65_cpsw_run_xdp(struct am65 + + xdpf = xdp_convert_buff_to_frame(xdp); + if (unlikely(!xdpf)) +- break; ++ goto drop; + + __netif_tx_lock(netif_txq, cpu); +- ret = am65_cpsw_xdp_tx_frame(ndev, tx_chn, xdpf, ++ err = am65_cpsw_xdp_tx_frame(ndev, tx_chn, xdpf, + AM65_CPSW_TX_BUF_TYPE_XDP_TX); + __netif_tx_unlock(netif_txq); +- if (ret) +- break; ++ if (err) ++ goto drop; + + ndev->stats.rx_bytes += *len; + ndev->stats.rx_packets++; +@@ -1038,7 +1041,7 @@ static int am65_cpsw_run_xdp(struct am65 + goto out; + case XDP_REDIRECT: + if (unlikely(xdp_do_redirect(ndev, xdp, prog))) +- break; ++ goto drop; + + ndev->stats.rx_bytes += *len; + ndev->stats.rx_packets++; +@@ -1048,6 +1051,7 @@ static int am65_cpsw_run_xdp(struct am65 + bpf_warn_invalid_xdp_action(ndev, prog, act); + fallthrough; + case XDP_ABORTED: 
++drop: + trace_xdp_exception(ndev, prog, act); + fallthrough; + case XDP_DROP: +@@ -1056,7 +1060,6 @@ static int am65_cpsw_run_xdp(struct am65 + + page = virt_to_head_page(xdp->data); + am65_cpsw_put_page(rx_chn, page, true, desc_idx); +- + out: + return ret; + } +@@ -1095,7 +1098,7 @@ static void am65_cpsw_nuss_rx_csum(struc + } + + static int am65_cpsw_nuss_rx_packets(struct am65_cpsw_common *common, +- u32 flow_idx, int cpu) ++ u32 flow_idx, int cpu, int *xdp_state) + { + struct am65_cpsw_rx_chn *rx_chn = &common->rx_chns; + u32 buf_dma_len, pkt_len, port_id = 0, csum_info; +@@ -1114,6 +1117,7 @@ static int am65_cpsw_nuss_rx_packets(str + void **swdata; + u32 *psdata; + ++ *xdp_state = AM65_CPSW_XDP_PASS; + ret = k3_udma_glue_pop_rx_chn(rx_chn->rx_chn, flow_idx, &desc_dma); + if (ret) { + if (ret != -ENODATA) +@@ -1161,15 +1165,13 @@ static int am65_cpsw_nuss_rx_packets(str + } + + if (port->xdp_prog) { +- xdp_init_buff(&xdp, AM65_CPSW_MAX_PACKET_SIZE, &port->xdp_rxq); +- +- xdp_prepare_buff(&xdp, page_addr, skb_headroom(skb), ++ xdp_init_buff(&xdp, PAGE_SIZE, &port->xdp_rxq); ++ xdp_prepare_buff(&xdp, page_addr, AM65_CPSW_HEADROOM, + pkt_len, false); +- +- ret = am65_cpsw_run_xdp(common, port, &xdp, desc_idx, +- cpu, &pkt_len); +- if (ret != AM65_CPSW_XDP_PASS) +- return ret; ++ *xdp_state = am65_cpsw_run_xdp(common, port, &xdp, desc_idx, ++ cpu, &pkt_len); ++ if (*xdp_state != AM65_CPSW_XDP_PASS) ++ goto allocate; + + /* Compute additional headroom to be reserved */ + headroom = (xdp.data - xdp.data_hard_start) - skb_headroom(skb); +@@ -1193,9 +1195,13 @@ static int am65_cpsw_nuss_rx_packets(str + stats->rx_bytes += pkt_len; + u64_stats_update_end(&stats->syncp); + ++allocate: + new_page = page_pool_dev_alloc_pages(rx_chn->page_pool); +- if (unlikely(!new_page)) ++ if (unlikely(!new_page)) { ++ dev_err(dev, "page alloc failed\n"); + return -ENOMEM; ++ } ++ + rx_chn->pages[desc_idx] = new_page; + + if (netif_dormant(ndev)) { +@@ -1229,8 +1235,9 @@ static int 
am65_cpsw_nuss_rx_poll(struct + struct am65_cpsw_common *common = am65_cpsw_napi_to_common(napi_rx); + int flow = AM65_CPSW_MAX_RX_FLOWS; + int cpu = smp_processor_id(); +- bool xdp_redirect = false; ++ int xdp_state_or = 0; + int cur_budget, ret; ++ int xdp_state; + int num_rx = 0; + + /* process every flow */ +@@ -1238,12 +1245,11 @@ static int am65_cpsw_nuss_rx_poll(struct + cur_budget = budget - num_rx; + + while (cur_budget--) { +- ret = am65_cpsw_nuss_rx_packets(common, flow, cpu); +- if (ret) { +- if (ret == AM65_CPSW_XDP_REDIRECT) +- xdp_redirect = true; ++ ret = am65_cpsw_nuss_rx_packets(common, flow, cpu, ++ &xdp_state); ++ xdp_state_or |= xdp_state; ++ if (ret) + break; +- } + num_rx++; + } + +@@ -1251,7 +1257,7 @@ static int am65_cpsw_nuss_rx_poll(struct + break; + } + +- if (xdp_redirect) ++ if (xdp_state_or & AM65_CPSW_XDP_REDIRECT) + xdp_do_flush(); + + dev_dbg(common->dev, "%s num_rx:%d %d\n", __func__, num_rx, budget); diff --git a/queue-6.10/net-microchip-vcap-fix-use-after-free-error-in-kunit-test.patch b/queue-6.10/net-microchip-vcap-fix-use-after-free-error-in-kunit-test.patch new file mode 100644 index 00000000000..6a1dc540a35 --- /dev/null +++ b/queue-6.10/net-microchip-vcap-fix-use-after-free-error-in-kunit-test.patch 
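Review bot: The new `dev_err(dev, "page alloc failed\n")` at the `allocate:` label runs in the NAPI poll path on every failed page_pool allocation, so under memory pressure it can flood the log; `dev_err_ratelimited(dev, "page alloc failed\n");` (or dropping the print and relying on the -ENOMEM return) is the usual choice here. Note also that am65_cpsw_xdp_tx_frame now returns the positive driver flag `AM65_CPSW_XDP_CONSUMED` instead of `-ENOMEM` on all three failure paths; am65_cpsw_run_xdp only tests `if (err)`, but the ndo_xdp_xmit caller of the same helper is outside the hunk and must not interpret the value as a negative errno. am65_cpsw_xdp_tx_frame, am65_cpsw_run_xdp, am65_cpsw_nuss_rx_packets and am65_cpsw_nuss_rx_poll all begin and end outside the hunk.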
@@ -0,0 +1,49 @@ +From a3c1e45156ad39f225cd7ddae0f81230a3b1e657 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jens=20Emil=20Schulz=20=C3=98stergaard?= + +Date: Thu, 29 Aug 2024 11:52:54 +0200 +Subject: net: microchip: vcap: Fix use-after-free error in kunit test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jens Emil Schulz Østergaard + +commit a3c1e45156ad39f225cd7ddae0f81230a3b1e657 upstream. + +This is a clear use-after-free error. We remove it, and rely on checking +the return code of vcap_del_rule. + +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/kernel-janitors/7bffefc6-219a-4f71-baa0-ad4526e5c198@kili.mountain/ +Fixes: c956b9b318d9 ("net: microchip: sparx5: Adding KUNIT tests of key/action values in VCAP API") +Signed-off-by: Jens Emil Schulz Østergaard +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c ++++ b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c +@@ -1442,18 +1442,8 @@ static void vcap_api_encode_rule_test(st + vcap_enable_lookups(&test_vctrl, &test_netdev, 0, 0, + rule->cookie, false); + +- vcap_free_rule(rule); +- +- /* Check that the rule has been freed: tricky to access since this +- * memory should not be accessible anymore +- */ +- KUNIT_EXPECT_PTR_NE(test, NULL, rule); +- ret = list_empty(&rule->keyfields); +- KUNIT_EXPECT_EQ(test, true, ret); +- ret = list_empty(&rule->actionfields); +- KUNIT_EXPECT_EQ(test, true, ret); +- +- vcap_del_rule(&test_vctrl, &test_netdev, id); ++ ret = vcap_del_rule(&test_vctrl, &test_netdev, id); ++ KUNIT_EXPECT_EQ(test, 0, ret); + } + + static void vcap_api_set_rule_counter_test(struct kunit *test) diff --git a/queue-6.10/series b/queue-6.10/series index cce8fb225e6..2c42aedb859 100644 --- a/queue-6.10/series +++ b/queue-6.10/series 
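Review bot: After the new `ret = vcap_del_rule(&test_vctrl, &test_netdev, id);` the local `rule` still points at memory that vcap_del_rule presumably frees (the removed vcap_free_rule call was what freed it before), so a later edit to this test could reintroduce the same use-after-free; a comment such as `/* vcap_del_rule() frees the rule; 'rule' is dangling from here on */` or a `rule = NULL;` after the call would make that explicit. Whether vcap_del_rule itself frees the rule cannot be confirmed from the hunk. vcap_api_encode_rule_test begins outside the hunk.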
@@ -2,3 +2,7 @@ libfs-fix-get_stashed_dentry.patch
 sch-netem-fix-use-after-free-in-netem_dequeue.patch
 xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch
 net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch
+net-microchip-vcap-fix-use-after-free-error-in-kunit-test.patch
+net-ethernet-ti-am65-cpsw-fix-xdp_drop-xdp_tx-and-xdp_redirect.patch
+asoc-dapm-fix-uaf-for-snd_soc_pcm_runtime-object.patch
+kvm-x86-acquire-kvm-srcu-when-handling-kvm_set_vcpu_events.patch