From: Greg Kroah-Hartman Date: Tue, 13 Aug 2024 10:48:44 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.1.105~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9ad2c39592e6a2a7bf248bfeb84c728bd645f4ea;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: fix-gcc-4.9-build-issue-in-5.10.y.patch kbuild-fix-s-c-in-x86-stack-protector-scripts.patch netfilter-nf_tables-prefer-nft_chain_validate.patch netfilter-nf_tables-set-element-extended-ack-reporting-support.patch netfilter-nf_tables-use-timestamp-to-check-for-set-element-timeout.patch --- diff --git a/queue-5.4/fix-gcc-4.9-build-issue-in-5.10.y.patch b/queue-5.4/fix-gcc-4.9-build-issue-in-5.10.y.patch new file mode 100644 index 00000000000..07105da415c --- /dev/null +++ b/queue-5.4/fix-gcc-4.9-build-issue-in-5.10.y.patch @@ -0,0 +1,36 @@ +From jariruusu@protonmail.com Tue Aug 13 12:30:55 2024 +From: Jari Ruusu +Date: Fri, 26 Jul 2024 09:53:18 +0000 +Subject: Fix gcc 4.9 build issue in 5.4.y +To: Greg Kroah-Hartman +Cc: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" +Message-ID: <93RnVgeI76u-tf0ZRdROl_JVVqqx-rtQnV4mOqGR_Rb5OmiWCMXC6MSYfnkTPp_615nKq8H-5nfzNt4I9MXPjUPzXBLp625jtGUJSGPsGBo=@protonmail.com> + +From: Jari Ruusu + +Some older systems still compile kernels with old gcc version. +These warnings and errors show up when compiling with gcc 4.9.2 + + error: "__GCC4_has_attribute___uninitialized__" is not defined [-Werror=undef] + +Upstream won't need this because newer kernels are not compilable with gcc 4.9. + +Subject: gcc-4.9 warning/error fix for 5.10.223-rc1 +Fixes: fd7eea27a3ae ("Compiler Attributes: Add __uninitialized macro") +Signed-off-by: Jari Ruusu +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler_attributes.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/compiler_attributes.h ++++ b/include/linux/compiler_attributes.h +@@ -40,6 +40,7 @@ + # define __GCC4_has_attribute___noclone__ 1 + # define __GCC4_has_attribute___nonstring__ 0 + # define __GCC4_has_attribute___no_sanitize_address__ (__GNUC_MINOR__ >= 8) ++# define __GCC4_has_attribute___uninitialized__ 0 + # define __GCC4_has_attribute___fallthrough__ 0 + #endif + diff --git a/queue-5.4/kbuild-fix-s-c-in-x86-stack-protector-scripts.patch b/queue-5.4/kbuild-fix-s-c-in-x86-stack-protector-scripts.patch new file mode 100644 index 00000000000..40005f6b246 --- /dev/null +++ b/queue-5.4/kbuild-fix-s-c-in-x86-stack-protector-scripts.patch @@ -0,0 +1,60 @@ +From 3415b10a03945b0da4a635e146750dfe5ce0f448 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Fri, 26 Jul 2024 11:05:00 -0700 +Subject: kbuild: Fix '-S -c' in x86 stack protector scripts + +From: Nathan Chancellor + +commit 3415b10a03945b0da4a635e146750dfe5ce0f448 upstream. + +After a recent change in clang to stop consuming all instances of '-S' +and '-c' [1], the stack protector scripts break due to the kernel's use +of -Werror=unused-command-line-argument to catch cases where flags are +not being properly consumed by the compiler driver: + + $ echo | clang -o - -x c - -S -c -Werror=unused-command-line-argument + clang: error: argument unused during compilation: '-c' [-Werror,-Wunused-command-line-argument] + +This results in CONFIG_STACKPROTECTOR getting disabled because +CONFIG_CC_HAS_SANE_STACKPROTECTOR is no longer set. + +'-c' and '-S' both instruct the compiler to stop at different stages of +the pipeline ('-S' after compiling, '-c' after assembling), so having +them present together in the same command makes little sense. In this +case, the test wants to stop before assembling because it is looking at +the textual assembly output of the compiler for either '%fs' or '%gs', +so remove '-c' from the list of arguments to resolve the error. + +All versions of GCC continue to work after this change, along with +versions of clang that do or do not contain the change mentioned above. + +Cc: stable@vger.kernel.org +Fixes: 4f7fd4d7a791 ("[PATCH] Add the -fstack-protector option to the CFLAGS") +Fixes: 60a5317ff0f4 ("x86: implement x86_32 stack protector") +Link: https://github.com/llvm/llvm-project/commit/6461e537815f7fa68cef06842505353cf5600e9c [1] +Signed-off-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +[nathan: Fixed conflict in 32-bit version due to lack of 3fb0fdb3bbe7] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + scripts/gcc-x86_32-has-stack-protector.sh | 2 +- + scripts/gcc-x86_64-has-stack-protector.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/scripts/gcc-x86_32-has-stack-protector.sh ++++ b/scripts/gcc-x86_32-has-stack-protector.sh +@@ -1,4 +1,4 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + +-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -m32 -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs" ++echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -m32 -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs" +--- a/scripts/gcc-x86_64-has-stack-protector.sh ++++ b/scripts/gcc-x86_64-has-stack-protector.sh +@@ -1,4 +1,4 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + +-echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -m64 -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs" ++echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -m64 -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs" diff --git a/queue-5.4/netfilter-nf_tables-prefer-nft_chain_validate.patch b/queue-5.4/netfilter-nf_tables-prefer-nft_chain_validate.patch new file mode 100644 index 00000000000..1c6194022d5 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-prefer-nft_chain_validate.patch @@ -0,0 +1,191 @@ +From pablo@netfilter.org Mon Aug 12 12:28:57 2024 +From: Pablo Neira Ayuso +Date: Mon, 12 Aug 2024 12:28:48 +0200 +Subject: netfilter: nf_tables: prefer nft_chain_validate +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org +Message-ID: <20240812102848.392437-4-pablo@netfilter.org> + +From: Florian Westphal + +commit cff3bd012a9512ac5ed858d38e6ed65f6391008c upstream. + +nft_chain_validate already performs loop detection because a cycle will +result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE). + +It also follows maps via ->validate callback in nft_lookup, so there +appears no reason to iterate the maps again. + +nf_tables_check_loops() and all its helper functions can be removed. +This improves ruleset load time significantly, from 23s down to 12s. + +This also fixes a crash bug. Old loop detection code can result in +unbounded recursion: + +BUG: TASK stack guard page was hit at .... +Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN +CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1 +[..] + +with a suitable ruleset during validation of register stores. + +I can't see any actual reason to attempt to check for this from +nft_validate_register_store(), at this point the transaction is still in +progress, so we don't have a full picture of the rule graph. + +For nf-next it might make sense to either remove it or make this depend +on table->validate_state in case we could catch an error earlier +(for improved error reporting to userspace). + +Fixes: 20a69341f2d0 ("netfilter: nf_tables: add netlink set API") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 114 ++++-------------------------------------- + 1 file changed, 13 insertions(+), 101 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2829,6 +2829,15 @@ static void nf_tables_rule_release(const + nf_tables_rule_destroy(ctx, rule); + } + ++/** nft_chain_validate - loop detection and hook validation ++ * ++ * @ctx: context containing call depth and base chain ++ * @chain: chain to validate ++ * ++ * Walk through the rules of the given chain and chase all jumps/gotos ++ * and set lookups until either the jump limit is hit or all reachable ++ * chains have been validated. ++ */ + int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) + { + struct nft_expr *expr, *last; +@@ -2847,6 +2856,9 @@ int nft_chain_validate(const struct nft_ + if (!expr->ops->validate) + continue; + ++ /* This may call nft_chain_validate() recursively, ++ * callers that do so must increment ctx->level. ++ */ + err = expr->ops->validate(ctx, expr, &data); + if (err < 0) + return err; +@@ -7811,106 +7823,6 @@ int nft_chain_validate_hooks(const struc + } + EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); + +-/* +- * Loop detection - walk through the ruleset beginning at the destination chain +- * of a new jump until either the source chain is reached (loop) or all +- * reachable chains have been traversed. +- * +- * The loop check is performed whenever a new jump verdict is added to an +- * expression or verdict map or a verdict map is bound to a new chain. +- */ +- +-static int nf_tables_check_loops(const struct nft_ctx *ctx, +- const struct nft_chain *chain); +- +-static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, +- struct nft_set *set, +- const struct nft_set_iter *iter, +- struct nft_set_elem *elem) +-{ +- const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); +- const struct nft_data *data; +- +- if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && +- *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) +- return 0; +- +- data = nft_set_ext_data(ext); +- switch (data->verdict.code) { +- case NFT_JUMP: +- case NFT_GOTO: +- return nf_tables_check_loops(ctx, data->verdict.chain); +- default: +- return 0; +- } +-} +- +-static int nf_tables_check_loops(const struct nft_ctx *ctx, +- const struct nft_chain *chain) +-{ +- const struct nft_rule *rule; +- const struct nft_expr *expr, *last; +- struct nft_set *set; +- struct nft_set_binding *binding; +- struct nft_set_iter iter; +- +- if (ctx->chain == chain) +- return -ELOOP; +- +- list_for_each_entry(rule, &chain->rules, list) { +- nft_rule_for_each_expr(expr, last, rule) { +- struct nft_immediate_expr *priv; +- const struct nft_data *data; +- int err; +- +- if (strcmp(expr->ops->type->name, "immediate")) +- continue; +- +- priv = nft_expr_priv(expr); +- if (priv->dreg != NFT_REG_VERDICT) +- continue; +- +- data = &priv->data; +- switch (data->verdict.code) { +- case NFT_JUMP: +- case NFT_GOTO: +- err = nf_tables_check_loops(ctx, +- data->verdict.chain); +- if (err < 0) +- return err; +- default: +- break; +- } +- } +- } +- +- list_for_each_entry(set, &ctx->table->sets, list) { +- if (!nft_is_active_next(ctx->net, set)) +- continue; +- if (!(set->flags & NFT_SET_MAP) || +- set->dtype != NFT_DATA_VERDICT) +- continue; +- +- list_for_each_entry(binding, &set->bindings, list) { +- if (!(binding->flags & NFT_SET_MAP) || +- binding->chain != chain) +- continue; +- +- iter.genmask = nft_genmask_next(ctx->net); +- iter.skip = 0; +- iter.count = 0; +- iter.err = 0; +- iter.fn = nf_tables_loop_check_setelem; +- +- set->ops->walk(ctx, set, &iter); +- if (iter.err < 0) +- return iter.err; +- } +- } +- +- return 0; +-} +- + /** + * nft_parse_u32_check - fetch u32 attribute and check for maximum value + * +@@ -8046,7 +7958,7 @@ static int nft_validate_register_store(c + if (data != NULL && + (data->verdict.code == NFT_GOTO || + data->verdict.code == NFT_JUMP)) { +- err = nf_tables_check_loops(ctx, data->verdict.chain); ++ err = nft_chain_validate(ctx, data->verdict.chain); + if (err < 0) + return err; + } diff --git a/queue-5.4/netfilter-nf_tables-set-element-extended-ack-reporting-support.patch b/queue-5.4/netfilter-nf_tables-set-element-extended-ack-reporting-support.patch new file mode 100644 index 00000000000..23c06329139 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-set-element-extended-ack-reporting-support.patch @@ -0,0 +1,60 @@ +From pablo@netfilter.org Mon Aug 12 12:28:56 2024 +From: Pablo Neira Ayuso +Date: Mon, 12 Aug 2024 12:28:46 +0200 +Subject: netfilter: nf_tables: set element extended ACK reporting support +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org +Message-ID: <20240812102848.392437-2-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +commit b53c116642502b0c85ecef78bff4f826a7dd4145 upstream. + +Report the element that causes problems via netlink extended ACK for set +element commands. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4670,8 +4670,10 @@ static int nf_tables_getsetelem(struct n + + nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { + err = nft_get_set_elem(&ctx, set, attr); +- if (err < 0) ++ if (err < 0) { ++ NL_SET_BAD_ATTR(extack, attr); + break; ++ } + } + + return err; +@@ -5063,8 +5065,10 @@ static int nf_tables_newsetelem(struct n + + nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { + err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags); +- if (err < 0) ++ if (err < 0) { ++ NL_SET_BAD_ATTR(extack, attr); + return err; ++ } + } + + if (nft_net->validate_state == NFT_VALIDATE_DO) +@@ -5264,9 +5268,10 @@ static int nf_tables_delsetelem(struct n + + nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { + err = nft_del_setelem(&ctx, set, attr); +- if (err < 0) ++ if (err < 0) { ++ NL_SET_BAD_ATTR(extack, attr); + break; +- ++ } + set->ndeact++; + } + return err; diff --git a/queue-5.4/netfilter-nf_tables-use-timestamp-to-check-for-set-element-timeout.patch b/queue-5.4/netfilter-nf_tables-use-timestamp-to-check-for-set-element-timeout.patch new file mode 100644 index 00000000000..4a1f189508f --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-use-timestamp-to-check-for-set-element-timeout.patch @@ -0,0 +1,191 @@ +From pablo@netfilter.org Mon Aug 12 12:28:56 2024 +From: Pablo Neira Ayuso +Date: Mon, 12 Aug 2024 12:28:47 +0200 +Subject: netfilter: nf_tables: use timestamp to check for set element timeout +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org +Message-ID: <20240812102848.392437-3-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +commit 7395dfacfff65e9938ac0889dafa1ab01e987d15 upstream + +Add a timestamp field at the beginning of the transaction, store it +in the nftables per-netns area. + +Update set backend .insert, .deactivate and sync gc path to use the +timestamp, this avoids that an element expires while control plane +transaction is still unfinished. + +.lookup and .update, which are used from packet path, still use the +current time to check if the element has expired. And .get path and dump +also since this runs lockless under rcu read size lock. Then, there is +async gc which also needs to check the current time since it runs +asynchronously from a workqueue. + +[ NB: rbtree GC updates has been excluded because GC is asynchronous. ] + +Fixes: c3e1b005ed1c ("netfilter: nf_tables: add set element timeout support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 21 +++++++++++++++++++-- + net/netfilter/nf_tables_api.c | 1 + + net/netfilter/nft_set_hash.c | 8 +++++++- + net/netfilter/nft_set_rbtree.c | 6 ++++-- + 4 files changed, 31 insertions(+), 5 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + struct module; + +@@ -656,10 +657,16 @@ static inline struct nft_expr *nft_set_e + return nft_set_ext(ext, NFT_SET_EXT_EXPR); + } + +-static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) ++static inline bool __nft_set_elem_expired(const struct nft_set_ext *ext, ++ u64 tstamp) + { + return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) && +- time_is_before_eq_jiffies64(*nft_set_ext_expiration(ext)); ++ time_after_eq64(tstamp, *nft_set_ext_expiration(ext)); ++} ++ ++static inline bool nft_set_elem_expired(const struct nft_set_ext *ext) ++{ ++ return __nft_set_elem_expired(ext, get_jiffies_64()); + } + + static inline struct nft_set_ext *nft_set_elem_ext(const struct nft_set *set, +@@ -1482,9 +1489,19 @@ struct nftables_pernet { + struct list_head module_list; + struct list_head notify_list; + struct mutex commit_mutex; ++ u64 tstamp; + unsigned int base_seq; + u8 validate_state; + unsigned int gc_seq; + }; + ++extern unsigned int nf_tables_net_id; ++ ++static inline u64 nft_net_tstamp(const struct net *net) ++{ ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ return nft_net->tstamp; ++} ++ + #endif /* _NET_NF_TABLES_H */ +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7758,6 +7758,7 @@ static bool nf_tables_valid_genid(struct + bool genid_ok; + + mutex_lock(&nft_net->commit_mutex); ++ nft_net->tstamp = get_jiffies_64(); + + genid_ok = genid == 0 || nft_net->base_seq == genid; + if (!genid_ok) +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -38,6 +38,7 @@ struct nft_rhash_cmp_arg { + const struct nft_set *set; + const u32 *key; + u8 genmask; ++ u64 tstamp; + }; + + static inline u32 nft_rhash_key(const void *data, u32 len, u32 seed) +@@ -64,7 +65,7 @@ static inline int nft_rhash_cmp(struct r + return 1; + if (nft_set_elem_is_dead(&he->ext)) + return 1; +- if (nft_set_elem_expired(&he->ext)) ++ if (__nft_set_elem_expired(&he->ext, x->tstamp)) + return 1; + if (!nft_set_elem_active(&he->ext, x->genmask)) + return 1; +@@ -88,6 +89,7 @@ static bool nft_rhash_lookup(const struc + .genmask = nft_genmask_cur(net), + .set = set, + .key = key, ++ .tstamp = get_jiffies_64(), + }; + + he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); +@@ -106,6 +108,7 @@ static void *nft_rhash_get(const struct + .genmask = nft_genmask_cur(net), + .set = set, + .key = elem->key.val.data, ++ .tstamp = get_jiffies_64(), + }; + + he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); +@@ -129,6 +132,7 @@ static bool nft_rhash_update(struct nft_ + .genmask = NFT_GENMASK_ANY, + .set = set, + .key = key, ++ .tstamp = get_jiffies_64(), + }; + + he = rhashtable_lookup(&priv->ht, &arg, nft_rhash_params); +@@ -172,6 +176,7 @@ static int nft_rhash_insert(const struct + .genmask = nft_genmask_next(net), + .set = set, + .key = elem->key.val.data, ++ .tstamp = nft_net_tstamp(net), + }; + struct nft_rhash_elem *prev; + +@@ -214,6 +219,7 @@ static void *nft_rhash_deactivate(const + .genmask = nft_genmask_next(net), + .set = set, + .key = elem->key.val.data, ++ .tstamp = nft_net_tstamp(net), + }; + + rcu_read_lock(); +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -315,6 +315,7 @@ static int __nft_rbtree_insert(const str + struct nft_rbtree *priv = nft_set_priv(set); + u8 cur_genmask = nft_genmask_cur(net); + u8 genmask = nft_genmask_next(net); ++ u64 tstamp = nft_net_tstamp(net); + int d, err; + + /* Descend the tree to search for an existing element greater than the +@@ -362,7 +363,7 @@ static int __nft_rbtree_insert(const str + /* perform garbage collection to avoid bogus overlap reports + * but skip new elements in this transaction. + */ +- if (nft_set_elem_expired(&rbe->ext) && ++ if (__nft_set_elem_expired(&rbe->ext, tstamp) && + nft_set_elem_active(&rbe->ext, cur_genmask)) { + err = nft_rbtree_gc_elem(set, priv, rbe); + if (err < 0) +@@ -537,6 +538,7 @@ static void *nft_rbtree_deactivate(const + const struct rb_node *parent = priv->root.rb_node; + struct nft_rbtree_elem *rbe, *this = elem->priv; + u8 genmask = nft_genmask_next(net); ++ u64 tstamp = nft_net_tstamp(net); + int d; + + while (parent != NULL) { +@@ -557,7 +559,7 @@ static void *nft_rbtree_deactivate(const + nft_rbtree_interval_end(this)) { + parent = parent->rb_right; + continue; +- } else if (nft_set_elem_expired(&rbe->ext)) { ++ } else if (__nft_set_elem_expired(&rbe->ext, tstamp)) { + break; + } else if (!nft_set_elem_active(&rbe->ext, genmask)) { + parent = parent->rb_left; diff --git a/queue-5.4/series b/queue-5.4/series index 8d098fc6a05..7218bd2ec61 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -246,3 +246,8 @@ tracing-fix-overflow-in-get_free_elt.patch x86-mtrr-check-if-fixed-mtrrs-exist-before-saving-them.patch drm-bridge-analogix_dp-properly-handle-zero-sized-aux-transactions.patch drm-mgag200-set-ddc-timeout-in-milliseconds.patch +fix-gcc-4.9-build-issue-in-5.10.y.patch +kbuild-fix-s-c-in-x86-stack-protector-scripts.patch +netfilter-nf_tables-set-element-extended-ack-reporting-support.patch +netfilter-nf_tables-use-timestamp-to-check-for-set-element-timeout.patch +netfilter-nf_tables-prefer-nft_chain_validate.patch