Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Mon, 12 Oct 2020 02:46:10 +0000 (22:46 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 12 Oct 2020 02:46:10 +0000 (22:46 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch [new file with mode: 0644]
queue-4.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch [new file with mode: 0644]
queue-4.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch [new file with mode: 0644]
queue-4.4/rxrpc-fix-rxkad-token-xdr-encoding.patch [new file with mode: 0644]
queue-4.4/rxrpc-fix-server-keyring-leak.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch [new file with mode: 0644]
queue-4.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch [new file with mode: 0644]
queue-4.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch [new file with mode: 0644]

diff --git a/queue-4.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch b/queue-4.4/bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
new file mode 100644 (file)
index 0000000..d3483bb
--- /dev/null
@@ -0,0 +1,71 @@
+From b783de399d681bc9ff5b3079debb1138f8740b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 06:38:07 -0700
+Subject: bonding: set dev->needed_headroom in bond_setup_by_slave()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f32f19339596b214c208c0dba716f4b6cc4f6958 ]
+
+syzbot managed to crash a host by creating a bond
+with a GRE device.
+
+For non Ethernet device, bonding calls bond_setup_by_slave()
+instead of ether_setup(), and unfortunately dev->needed_headroom
+was not copied from the new added member.
+
+[  171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0
+[  171.243111] ------------[ cut here ]------------
+[  171.243112] kernel BUG at net/core/skbuff.c:112!
+[  171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI
+[  171.243469] gsmi: Log Shutdown Reason 0x03
+[  171.243505] Call Trace:
+[  171.243506]  <IRQ>
+[  171.243512]  [<ffffffffa171be59>] skb_push+0x49/0x50
+[  171.243516]  [<ffffffffa184b9ea>] ipgre_header+0x2a/0xf0
+[  171.243520]  [<ffffffffa17452d7>] neigh_connected_output+0xb7/0x100
+[  171.243524]  [<ffffffffa186f1d3>] ip6_finish_output2+0x383/0x490
+[  171.243528]  [<ffffffffa186ede2>] __ip6_finish_output+0xa2/0x110
+[  171.243531]  [<ffffffffa186acbc>] ip6_finish_output+0x2c/0xa0
+[  171.243534]  [<ffffffffa186abe9>] ip6_output+0x69/0x110
+[  171.243537]  [<ffffffffa186ac90>] ? ip6_output+0x110/0x110
+[  171.243541]  [<ffffffffa189d952>] mld_sendpack+0x1b2/0x2d0
+[  171.243544]  [<ffffffffa189d290>] ? mld_send_report+0xf0/0xf0
+[  171.243548]  [<ffffffffa189c797>] mld_ifc_timer_expire+0x2d7/0x3b0
+[  171.243551]  [<ffffffffa189c4c0>] ? mld_gq_timer_expire+0x50/0x50
+[  171.243556]  [<ffffffffa0fea270>] call_timer_fn+0x30/0x130
+[  171.243559]  [<ffffffffa0fea17c>] expire_timers+0x4c/0x110
+[  171.243563]  [<ffffffffa0fea0e3>] __run_timers+0x213/0x260
+[  171.243566]  [<ffffffffa0fecb7d>] ? ktime_get+0x3d/0xa0
+[  171.243570]  [<ffffffffa0ff9c4e>] ? clockevents_program_event+0x7e/0xe0
+[  171.243574]  [<ffffffffa0f7e5d5>] ? sched_clock_cpu+0x15/0x190
+[  171.243577]  [<ffffffffa0fe973d>] run_timer_softirq+0x1d/0x40
+[  171.243581]  [<ffffffffa1c00152>] __do_softirq+0x152/0x2f0
+[  171.243585]  [<ffffffffa0f44e1f>] irq_exit+0x9f/0xb0
+[  171.243588]  [<ffffffffa1a02e1d>] smp_apic_timer_interrupt+0xfd/0x1a0
+[  171.243591]  [<ffffffffa1a01ea6>] apic_timer_interrupt+0x86/0x90
+
+Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index aaf75d5e6e480..5811235a64c89 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1132,6 +1132,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
+       bond_dev->type              = slave_dev->type;
+       bond_dev->hard_header_len   = slave_dev->hard_header_len;
++      bond_dev->needed_headroom   = slave_dev->needed_headroom;
+       bond_dev->addr_len          = slave_dev->addr_len;
+       memcpy(bond_dev->broadcast, slave_dev->broadcast,
+-- 
+2.25.1
+
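Review bot: The new `bond_dev->needed_headroom = slave_dev->needed_headroom;` line carries no hint of why it matters, and none of the neighbouring assignments do either, so a short why-comment would help the next person who touches bond_setup_by_slave(). Suggest `/* non-Ethernet members push their own link-layer header (see ipgre_header), so the bond must advertise the headroom the member needs or skb_push() underruns */` directly above the assignment. Only the headroom is inherited here; whether `needed_tailroom` needs the same treatment for such members cannot be answered from this hunk. bond_setup_by_slave() continues past the end of the hunk.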
diff --git a/queue-4.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch b/queue-4.4/net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
new file mode 100644 (file)
index 0000000..bf2c428
--- /dev/null
@@ -0,0 +1,66 @@
+From c95b2efd325f48edac0506be72362728d93a7f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 16:56:14 +0800
+Subject: net: stmmac: removed enabling eee in EEE set callback
+
+From: Voon Weifeng <weifeng.voon@intel.com>
+
+[ Upstream commit 7241c5a697479c7d0c5a96595822cdab750d41ae ]
+
+EEE should be only be enabled during stmmac_mac_link_up() when the
+link are up and being set up properly. set_eee should only do settings
+configuration and disabling the eee.
+
+Without this fix, turning on EEE using ethtool will return
+"Operation not supported". This is due to the driver is in a dead loop
+waiting for eee to be advertised in the for eee to be activated but the
+driver will only configure the EEE advertisement after the eee is
+activated.
+
+Ethtool should only return "Operation not supported" if there is no EEE
+capbility in the MAC controller.
+
+Fixes: 8a7493e58ad6 ("net: stmmac: Fix a race in EEE enable callback")
+Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
+Acked-by: Mark Gross <mgross@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c  | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index fbf701e5f1e9f..6fe441696882d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -616,23 +616,16 @@ static int stmmac_ethtool_op_set_eee(struct net_device *dev,
+       struct stmmac_priv *priv = netdev_priv(dev);
+       int ret;
+-      if (!edata->eee_enabled) {
++      if (!priv->dma_cap.eee)
++              return -EOPNOTSUPP;
++
++      if (!edata->eee_enabled)
+               stmmac_disable_eee_mode(priv);
+-      } else {
+-              /* We are asking for enabling the EEE but it is safe
+-               * to verify all by invoking the eee_init function.
+-               * In case of failure it will return an error.
+-               */
+-              edata->eee_enabled = stmmac_eee_init(priv);
+-              if (!edata->eee_enabled)
+-                      return -EOPNOTSUPP;
+-      }
+       ret = phy_ethtool_set_eee(dev->phydev, edata);
+       if (ret)
+               return ret;
+-      priv->eee_enabled = edata->eee_enabled;
+       priv->tx_lpi_timer = edata->tx_lpi_timer;
+       return 0;
+ }
+-- 
+2.25.1
+
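Review bot: On the disable path, `priv->eee_enabled = edata->eee_enabled;` is removed together with the enable branch, so stmmac_ethtool_op_set_eee() no longer records a disable in `priv->eee_enabled`; that is only correct if `stmmac_disable_eee_mode(priv)` clears the flag itself, which is not visible here and should be checked in the 4.4 tree. The commit message relies on `stmmac_mac_link_up()` to enable EEE, but that function does not appear to exist in 4.4; if this tree enables EEE from the adjust_link path instead, confirm that path re-runs stmmac_eee_init() after a later ethtool enable, otherwise a request made while the link is already up takes effect only on the next link change. A one-line comment above `if (!edata->eee_enabled)` such as `/* enabling happens when the link comes up; only settings and disable are handled here */` would make the asymmetry deliberate for readers. The function's signature is outside the hunk.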
diff --git a/queue-4.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch b/queue-4.4/rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
new file mode 100644 (file)
index 0000000..3383273
--- /dev/null
@@ -0,0 +1,47 @@
+From d52983c3522099cf0fa106231460e791c2ce172d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 22:09:04 +0100
+Subject: rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9a059cd5ca7d9c5c4ca5a6e755cf72f230176b6a ]
+
+If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a
+type it doesn't recognise, it can BUG in a couple of places, which is
+unnecessary as it can easily get back to userspace.
+
+Fix this to print an error message instead.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
+index 543d200f4fa14..20549c13eb13d 100644
+--- a/net/rxrpc/ar-key.c
++++ b/net/rxrpc/ar-key.c
+@@ -1114,7 +1114,8 @@ static long rxrpc_read(const struct key *key,
+                       break;
+               default: /* we have a ticket we can't encode */
+-                      BUG();
++                      pr_err("Unsupported key token type (%u)\n",
++                             token->security_index);
+                       continue;
+               }
+@@ -1235,7 +1236,6 @@ static long rxrpc_read(const struct key *key,
+                       break;
+               default:
+-                      BUG();
+                       break;
+               }
+-- 
+2.25.1
+
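Review bot: Replacing `BUG()` with `continue` in the first switch skips whatever per-token bookkeeping follows that switch in the first loop (the loop body continues outside the hunk), while the second loop's `default: break;` still processes the same token; if the first pass records a size or count per token after its switch, an unsupported token leaves the two passes out of step and the second pass walks the wrong entries. Unless the first loop's post-switch code is confirmed to tolerate the skip, the safer change is to fail the read outright, e.g. `return -ENOPKG;` in place of `continue;`, which also keeps the second `default:` unreachable by construction. Either way the chosen behaviour deserves a comment at the first `default:`, e.g. `/* unsupported token: must stay consistent with the encoding loop below */`. rxrpc_read() starts and ends outside the hunk.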
diff --git a/queue-4.4/rxrpc-fix-rxkad-token-xdr-encoding.patch b/queue-4.4/rxrpc-fix-rxkad-token-xdr-encoding.patch
new file mode 100644 (file)
index 0000000..b115535
--- /dev/null
@@ -0,0 +1,59 @@
+From 565b3e6accc8a5eb9894ef503f54e7bbffa7d616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 14:01:24 -0300
+Subject: rxrpc: Fix rxkad token xdr encoding
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit 56305118e05b2db8d0395bba640ac9a3aee92624 ]
+
+The session key should be encoded with just the 8 data bytes and
+no length; ENCODE_DATA precedes it with a 4 byte length, which
+confuses some existing tools that try to parse this format.
+
+Add an ENCODE_BYTES macro that does not include a length, and use
+it for the key.  Also adjust the expected length.
+
+Note that commit 774521f353e1d ("rxrpc: Fix an assertion in
+rxrpc_read()") had fixed a BUG by changing the length rather than
+fixing the encoding.  The original length was correct.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-key.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
+index 91d43ab3a9610..543d200f4fa14 100644
+--- a/net/rxrpc/ar-key.c
++++ b/net/rxrpc/ar-key.c
+@@ -1149,6 +1149,14 @@ static long rxrpc_read(const struct key *key,
+                       goto fault;                                     \
+               xdr += (_l + 3) >> 2;                                   \
+       } while(0)
++#define ENCODE_BYTES(l, s)                                            \
++      do {                                                            \
++              u32 _l = (l);                                           \
++              memcpy(xdr, (s), _l);                                   \
++              if (_l & 3)                                             \
++                      memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3));    \
++              xdr += (_l + 3) >> 2;                                   \
++      } while(0)
+ #define ENCODE64(x)                                   \
+       do {                                            \
+               __be64 y = cpu_to_be64(x);              \
+@@ -1177,7 +1185,7 @@ static long rxrpc_read(const struct key *key,
+               case RXRPC_SECURITY_RXKAD:
+                       ENCODE(token->kad->vice_id);
+                       ENCODE(token->kad->kvno);
+-                      ENCODE_DATA(8, token->kad->session_key);
++                      ENCODE_BYTES(8, token->kad->session_key);
+                       ENCODE(token->kad->start);
+                       ENCODE(token->kad->expiry);
+                       ENCODE(token->kad->primary_flag);
+-- 
+2.25.1
+
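Review bot: The description says the expected length is also adjusted, but this hunk's diffstat (9 insertions, 1 deletion) covers only the eight-line `ENCODE_BYTES` macro and the one call-site change, so the RXKAD toksize computation elsewhere in rxrpc_read() is untouched; if this tree carries the earlier length change the message mentions (the one that bumped the expected length instead of fixing the encoding), the precomputed buffer size will now be 4 bytes larger than what is written and any size assertion after encoding will trip, so the RXKAD toksize term should be confirmed before merging. Separately, `ENCODE_BYTES` has no end-of-buffer check, unlike `ENCODE_DATA` whose `goto fault` tail is visible just above it; that is acceptable only because the buffer was sized by the first pass, so a short comment on the macro, e.g. `/* raw bytes, no length word; the size pass must account for (l + 3) & ~3 */`, would record the invariant. The macro and its use sit inside rxrpc_read(), which starts and ends outside the hunk.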
diff --git a/queue-4.4/rxrpc-fix-server-keyring-leak.patch b/queue-4.4/rxrpc-fix-server-keyring-leak.patch
new file mode 100644 (file)
index 0000000..52c30d5
--- /dev/null
@@ -0,0 +1,37 @@
+From 038c4f6683920927a5b8b66a07e47a2cb7c927ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 14:04:51 +0100
+Subject: rxrpc: Fix server keyring leak
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ]
+
+If someone calls setsockopt() twice to set a server key keyring, the first
+keyring is leaked.
+
+Fix it to return an error instead if the server key keyring is already set.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
+index 20549c13eb13d..ea615e53eab28 100644
+--- a/net/rxrpc/ar-key.c
++++ b/net/rxrpc/ar-key.c
+@@ -897,7 +897,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
+       _enter("");
+-      if (optlen <= 0 || optlen > PAGE_SIZE - 1)
++      if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
+               return -EINVAL;
+       description = kmalloc(optlen + 1, GFP_KERNEL);
+-- 
+2.25.1
+
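Review bot: The new `|| rx->securities` test turns a second keyring set into `-EINVAL`, the same value used for a bad `optlen`, so a caller cannot tell the two apart; a distinct errno such as `-EEXIST` would make the failure self-describing, and if the upstream value must be kept for compatibility a comment should say why, e.g. `/* refuse to replace an existing server keyring: the old one would be leaked */`. The check is placed before `description` is allocated, which is the right order, but whether the caller holds the socket lock so that two concurrent setsockopt() calls cannot both see a NULL `rx->securities` is not visible here; if rxrpc_setsockopt() takes lock_sock() as is usual, this is fine. rxrpc_request_key() continues past the hunk.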
index 4e8747fdd9db18010660c89e4a87cf798773d85b..009d11f337eb35dd6ea6ea1cbd56592afacd7fcd 100644 (file)
@@ -28,3 +28,11 @@ sctp-fix-sctp_auth_init_hmacs-error-path.patch
 team-set-dev-needed_headroom-in-team_setup_by_port.patch
 net-team-fix-memory-leak-in-__team_options_register.patch
 mtd-nand-provide-nand_cleanup-function-to-free-nand-.patch
+xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
+xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
+net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
+xfrm-use-correct-address-family-in-xfrm_state_find.patch
+bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
+rxrpc-fix-rxkad-token-xdr-encoding.patch
+rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
+rxrpc-fix-server-keyring-leak.patch
diff --git a/queue-4.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch b/queue-4.4/xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
new file mode 100644 (file)
index 0000000..a8ee1b7
--- /dev/null
@@ -0,0 +1,39 @@
+From 0b3b59a4815d0c35f132099b2988f14855ca34a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:50:29 +0200
+Subject: xfrm: clone whole liftime_cur structure in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 8366685b2883e523f91e9816d7be371eb1144749 ]
+
+When we clone state only add_time was cloned. It missed values like
+bytes, packets.  Now clone the all members of the structure.
+
+v1->v3:
+ - use memcpy to copy the entire structure
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index d3595f1d00f25..a3114abe74f20 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1207,7 +1207,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig)
+       x->tfcpad = orig->tfcpad;
+       x->replay_maxdiff = orig->replay_maxdiff;
+       x->replay_maxage = orig->replay_maxage;
+-      x->curlft.add_time = orig->curlft.add_time;
++      memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));
+       x->km.state = orig->km.state;
+       x->km.seq = orig->km.seq;
+       x->replay = orig->replay;
+-- 
+2.25.1
+
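Review bot: `memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));` copies a plain struct between two lvalues of the same type, so the idiomatic and type-checked form is the assignment `x->curlft = orig->curlft;`, which matches the style of the surrounding `x->... = orig->...;` lines and cannot silently miscopy if the field's type ever changes. Behaviour is identical either way. xfrm_state_clone() starts and ends outside the hunk.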
diff --git a/queue-4.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch b/queue-4.4/xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
new file mode 100644 (file)
index 0000000..51bfbd8
--- /dev/null
@@ -0,0 +1,58 @@
+From 324ca99617985de382a2cedf5f6943f5c43f53b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:49:55 +0200
+Subject: xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ]
+
+XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - move curleft cloning to a separate patch
+
+Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 89685c7bc7c0f..7a9c18deaa512 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1730,21 +1730,17 @@ static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay
+ static inline int xfrm_replay_clone(struct xfrm_state *x,
+                                    struct xfrm_state *orig)
+ {
+-      x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
++
++      x->replay_esn = kmemdup(orig->replay_esn,
++                              xfrm_replay_state_esn_len(orig->replay_esn),
+                               GFP_KERNEL);
+       if (!x->replay_esn)
+               return -ENOMEM;
+-
+-      x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
+-      x->replay_esn->replay_window = orig->replay_esn->replay_window;
+-
+-      x->preplay_esn = kmemdup(x->replay_esn,
+-                               xfrm_replay_state_esn_len(x->replay_esn),
++      x->preplay_esn = kmemdup(orig->preplay_esn,
++                               xfrm_replay_state_esn_len(orig->preplay_esn),
+                                GFP_KERNEL);
+-      if (!x->preplay_esn) {
+-              kfree(x->replay_esn);
++      if (!x->preplay_esn)
+               return -ENOMEM;
+-      }
+       return 0;
+ }
+-- 
+2.25.1
+
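Review bot: The `kfree(x->replay_esn)` on the `preplay_esn` allocation failure path is dropped without explanation, leaving `x->replay_esn` allocated when `-ENOMEM` is returned; that is a leak unless every caller's error path frees `x->replay_esn` itself (the usual caller is xfrm_state_clone(), whose error path is not visible here), so either restore the kfree or add a comment such as `/* on failure the caller releases x, including x->replay_esn */` above the second `return -ENOMEM;`. The first added line is an empty line at the top of the function body and should be dropped. `kmemdup(orig->preplay_esn, ...)` also assumes `orig->preplay_esn` is non-NULL whenever `orig->replay_esn` is, which the old code (duplicating `x->replay_esn`) did not depend on; confirm both are allocated together in this tree.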
diff --git a/queue-4.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch b/queue-4.4/xfrm-use-correct-address-family-in-xfrm_state_find.patch
new file mode 100644 (file)
index 0000000..f9daaba
--- /dev/null
@@ -0,0 +1,82 @@
+From 2bdda036343451243c222e1641e1ba46c7dc8498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:42:56 +1000
+Subject: xfrm: Use correct address family in xfrm_state_find
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit e94ee171349db84c7cfdc5fefbebe414054d0924 ]
+
+The struct flowi must never be interpreted by itself as its size
+depends on the address family.  Therefore it must always be grouped
+with its original family value.
+
+In this particular instance, the original family value is lost in
+the function xfrm_state_find.  Therefore we get a bogus read when
+it's coupled with the wrong family which would occur with inter-
+family xfrm states.
+
+This patch fixes it by keeping the original family value.
+
+Note that the same bug could potentially occur in LSM through
+the xfrm_state_pol_flow_match hook.  I checked the current code
+there and it seems to be safe for now as only secid is used which
+is part of struct flowi_common.  But that API should be changed
+so that so that we don't get new bugs in the future.  We could
+do that by replacing fl with just secid or adding a family field.
+
+Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com
+Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index a3114abe74f20..5bb5950d6276b 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -742,7 +742,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+        */
+       if (x->km.state == XFRM_STATE_VALID) {
+               if ((x->sel.family &&
+-                   !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
++                   (x->sel.family != family ||
++                    !xfrm_selector_match(&x->sel, fl, family))) ||
+                   !security_xfrm_state_pol_flow_match(x, pol, fl))
+                       return;
+@@ -755,7 +756,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+               *acq_in_progress = 1;
+       } else if (x->km.state == XFRM_STATE_ERROR ||
+                  x->km.state == XFRM_STATE_EXPIRED) {
+-              if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
++              if ((!x->sel.family ||
++                   (x->sel.family == family &&
++                    xfrm_selector_match(&x->sel, fl, family))) &&
+                   security_xfrm_state_pol_flow_match(x, pol, fl))
+                       *error = -ESRCH;
+       }
+@@ -791,7 +794,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+                   tmpl->mode == x->props.mode &&
+                   tmpl->id.proto == x->id.proto &&
+                   (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+-                      xfrm_state_look_at(pol, x, fl, encap_family,
++                      xfrm_state_look_at(pol, x, fl, family,
+                                          &best, &acquire_in_progress, &error);
+       }
+       if (best || acquire_in_progress)
+@@ -807,7 +810,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+                   tmpl->mode == x->props.mode &&
+                   tmpl->id.proto == x->id.proto &&
+                   (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+-                      xfrm_state_look_at(pol, x, fl, encap_family,
++                      xfrm_state_look_at(pol, x, fl, family,
+                                          &best, &acquire_in_progress, &error);
+       }
+-- 
+2.25.1
+
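Review bot: The new `x->sel.family != family` short-circuit and the `family` argument at the two `xfrm_state_look_at()` call sites encode a rule that nothing in the code states: `fl` is only meaningful together with the family it was built for, so the selector match must use the flow's original family rather than `encap_family`. Since the `family` parameter of xfrm_state_look_at() now carries that meaning, a comment just above its signature (the signature line is the hunk header, so the comment lands outside the hunk) along the lines of `/* @family: address family of @fl; never interpret @fl with any other family, its size depends on it */` would keep a future cleanup from reverting to `encap_family`. The `security_xfrm_state_pol_flow_match(x, pol, fl)` calls still pass `fl` without a family, which the commit message itself notes as a latent issue. Both xfrm_state_look_at() and xfrm_state_find() extend beyond the hunk.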