5.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Aug 2020 10:00:57 +0000 (12:00 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Aug 2020 10:00:57 +0000 (12:00 +0200)
added patches:
ethtool-account-for-hw_features-in-netlink-interface.patch
ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
net-ena-make-missed_tx-stat-incremental.patch
net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
net-nexthop-don-t-allow-empty-nha_group.patch
net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch
net-sctp-fix-negotiation-of-the-number-of-data-streams.patch
net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch
tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch
tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch

15 files changed:
queue-5.7/ethtool-account-for-hw_features-in-netlink-interface.patch [new file with mode: 0644]
queue-5.7/ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch [new file with mode: 0644]
queue-5.7/ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch [new file with mode: 0644]
queue-5.7/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch [new file with mode: 0644]
queue-5.7/net-ena-make-missed_tx-stat-incremental.patch [new file with mode: 0644]
queue-5.7/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch [new file with mode: 0644]
queue-5.7/net-nexthop-don-t-allow-empty-nha_group.patch [new file with mode: 0644]
queue-5.7/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch [new file with mode: 0644]
queue-5.7/net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch [new file with mode: 0644]
queue-5.7/net-sctp-fix-negotiation-of-the-number-of-data-streams.patch [new file with mode: 0644]
queue-5.7/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch [new file with mode: 0644]
queue-5.7/net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch [new file with mode: 0644]
queue-5.7/series [new file with mode: 0644]
queue-5.7/tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch [new file with mode: 0644]
queue-5.7/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch [new file with mode: 0644]

diff --git a/queue-5.7/ethtool-account-for-hw_features-in-netlink-interface.patch b/queue-5.7/ethtool-account-for-hw_features-in-netlink-interface.patch
new file mode 100644 (file)
index 0000000..6ff3b65
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+Date: Mon, 17 Aug 2020 16:34:06 +0300
+Subject: ethtool: Account for hw_features in netlink interface
+
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+
+[ Upstream commit 2847bfed888fbb8bf4c8e8067fd6127538c2c700 ]
+
+ethtool-netlink ignores dev->hw_features and may confuse the drivers by
+asking them to enable features not in the hw_features bitmask. For
+example:
+
+1. ethtool -k eth0
+   tls-hw-tx-offload: off [fixed]
+2. ethtool -K eth0 tls-hw-tx-offload on
+   tls-hw-tx-offload: on
+3. ethtool -k eth0
+   tls-hw-tx-offload: on [fixed]
+
+Fitler out dev->hw_features from req_wanted to fix it and to resemble
+the legacy ethtool behavior.
+
+Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request")
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ethtool/features.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ethtool/features.c
++++ b/net/ethtool/features.c
+@@ -273,7 +273,8 @@ int ethnl_set_features(struct sk_buff *s
+               goto out_rtnl;
+       }
+-      dev->wanted_features = ethnl_bitmap_to_features(req_wanted);
++      dev->wanted_features &= ~dev->hw_features;
++      dev->wanted_features |= ethnl_bitmap_to_features(req_wanted) & dev->hw_features;
+       __netdev_update_features(dev);
+       ethnl_features_to_bitmap(new_active, dev->features);
+       mod = !bitmap_equal(old_active, new_active, NETDEV_FEATURE_COUNT);
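Review bot: The two-step update of `dev->wanted_features` in ethnl_set_features() has no comment explaining that bits outside `dev->hw_features` are deliberately left untouched, so a later cleanup could easily collapse it back into the plain assignment this patch removes. I would add `/* only bits in hw_features may be changed by the request; keep the rest */` above the first of the two lines. The second line also runs well past 80 columns and could be wrapped after the `|=`. The function starts and ends outside this hunk.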
diff --git a/queue-5.7/ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch b/queue-5.7/ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
new file mode 100644 (file)
index 0000000..67bede0
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+Date: Mon, 17 Aug 2020 16:34:07 +0300
+Subject: ethtool: Don't omit the netlink reply if no features were changed
+
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+
+[ Upstream commit f01204ec8be7ea5e8f0230a7d4200e338d563bde ]
+
+The legacy ethtool userspace tool shows an error when no features could
+be changed. It's useful to have a netlink reply to be able to show this
+error when __netdev_update_features wasn't called, for example:
+
+1. ethtool -k eth0
+   large-receive-offload: off
+2. ethtool -K eth0 rx-fcs on
+3. ethtool -K eth0 lro on
+   Could not change any device features
+   rx-lro: off [requested on]
+4. ethtool -K eth0 lro on
+   # The output should be the same, but without this patch the kernel
+   # doesn't send the reply, and ethtool is unable to detect the error.
+
+This commit makes ethtool-netlink always return a reply when requested,
+and it still avoids unnecessary calls to __netdev_update_features if the
+wanted features haven't changed.
+
+Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request")
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ethtool/features.c |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/net/ethtool/features.c
++++ b/net/ethtool/features.c
+@@ -268,14 +268,11 @@ int ethnl_set_features(struct sk_buff *s
+       bitmap_and(req_wanted, req_wanted, req_mask, NETDEV_FEATURE_COUNT);
+       bitmap_andnot(new_wanted, old_wanted, req_mask, NETDEV_FEATURE_COUNT);
+       bitmap_or(req_wanted, new_wanted, req_wanted, NETDEV_FEATURE_COUNT);
+-      if (bitmap_equal(req_wanted, old_wanted, NETDEV_FEATURE_COUNT)) {
+-              ret = 0;
+-              goto out_rtnl;
++      if (!bitmap_equal(req_wanted, old_wanted, NETDEV_FEATURE_COUNT)) {
++              dev->wanted_features &= ~dev->hw_features;
++              dev->wanted_features |= ethnl_bitmap_to_features(req_wanted) & dev->hw_features;
++              __netdev_update_features(dev);
+       }
+-
+-      dev->wanted_features &= ~dev->hw_features;
+-      dev->wanted_features |= ethnl_bitmap_to_features(req_wanted) & dev->hw_features;
+-      __netdev_update_features(dev);
+       ethnl_features_to_bitmap(new_active, dev->features);
+       mod = !bitmap_equal(old_active, new_active, NETDEV_FEATURE_COUNT);
diff --git a/queue-5.7/ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch b/queue-5.7/ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
new file mode 100644 (file)
index 0000000..c1451bd
--- /dev/null
@@ -0,0 +1,78 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+Date: Mon, 17 Aug 2020 16:34:05 +0300
+Subject: ethtool: Fix preserving of wanted feature bits in netlink interface
+
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+
+[ Upstream commit 840110a4eae190dcbb9907d68216d5d1d9f25839 ]
+
+Currently, ethtool-netlink calculates new wanted bits as:
+(req_wanted & req_mask) | (old_active & ~req_mask)
+
+It completely discards the old wanted bits, so they are forgotten with
+the next ethtool command. Sample steps to reproduce:
+
+1. ethtool -k eth0
+   tx-tcp-segmentation: on # TSO is on from the beginning
+2. ethtool -K eth0 tx off
+   tx-tcp-segmentation: off [not requested]
+3. ethtool -k eth0
+   tx-tcp-segmentation: off [requested on]
+4. ethtool -K eth0 rx off # Some change unrelated to TSO
+5. ethtool -k eth0
+   tx-tcp-segmentation: off # "Wanted on" is forgotten
+
+This commit fixes it by changing the formula to:
+(req_wanted & req_mask) | (old_wanted & ~req_mask),
+where old_active was replaced by old_wanted to account for the wanted
+bits.
+
+The shortcut condition for the case where nothing was changed now
+compares wanted bitmasks, instead of wanted to active.
+
+Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request")
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ethtool/features.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ethtool/features.c
++++ b/net/ethtool/features.c
+@@ -224,7 +224,9 @@ int ethnl_set_features(struct sk_buff *s
+       DECLARE_BITMAP(wanted_diff_mask, NETDEV_FEATURE_COUNT);
+       DECLARE_BITMAP(active_diff_mask, NETDEV_FEATURE_COUNT);
+       DECLARE_BITMAP(old_active, NETDEV_FEATURE_COUNT);
++      DECLARE_BITMAP(old_wanted, NETDEV_FEATURE_COUNT);
+       DECLARE_BITMAP(new_active, NETDEV_FEATURE_COUNT);
++      DECLARE_BITMAP(new_wanted, NETDEV_FEATURE_COUNT);
+       DECLARE_BITMAP(req_wanted, NETDEV_FEATURE_COUNT);
+       DECLARE_BITMAP(req_mask, NETDEV_FEATURE_COUNT);
+       struct nlattr *tb[ETHTOOL_A_FEATURES_MAX + 1];
+@@ -250,6 +252,7 @@ int ethnl_set_features(struct sk_buff *s
+       rtnl_lock();
+       ethnl_features_to_bitmap(old_active, dev->features);
++      ethnl_features_to_bitmap(old_wanted, dev->wanted_features);
+       ret = ethnl_parse_bitset(req_wanted, req_mask, NETDEV_FEATURE_COUNT,
+                                tb[ETHTOOL_A_FEATURES_WANTED],
+                                netdev_features_strings, info->extack);
+@@ -261,11 +264,11 @@ int ethnl_set_features(struct sk_buff *s
+               goto out_rtnl;
+       }
+-      /* set req_wanted bits not in req_mask from old_active */
++      /* set req_wanted bits not in req_mask from old_wanted */
+       bitmap_and(req_wanted, req_wanted, req_mask, NETDEV_FEATURE_COUNT);
+-      bitmap_andnot(new_active, old_active, req_mask, NETDEV_FEATURE_COUNT);
+-      bitmap_or(req_wanted, new_active, req_wanted, NETDEV_FEATURE_COUNT);
+-      if (bitmap_equal(req_wanted, old_active, NETDEV_FEATURE_COUNT)) {
++      bitmap_andnot(new_wanted, old_wanted, req_mask, NETDEV_FEATURE_COUNT);
++      bitmap_or(req_wanted, new_wanted, req_wanted, NETDEV_FEATURE_COUNT);
++      if (bitmap_equal(req_wanted, old_wanted, NETDEV_FEATURE_COUNT)) {
+               ret = 0;
+               goto out_rtnl;
+       }
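Review bot: The new scratch bitmap `new_wanted` is named as if it held the resulting wanted set, but in the rewritten block it only holds `old_wanted & ~req_mask`; the final value is built in `req_wanted`. A name such as `kept_wanted`, or a one-line comment at the `bitmap_andnot()` call (`/* old wanted bits the request does not touch */`), would keep the three bitmaps apart for the next reader. ethnl_set_features() continues beyond the hunks shown.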
diff --git a/queue-5.7/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch b/queue-5.7/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
new file mode 100644 (file)
index 0000000..20a86f7
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Date: Wed, 19 Aug 2020 13:53:58 +1200
+Subject: gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+[ Upstream commit 272502fcb7cda01ab07fc2fcff82d1d2f73d43cc ]
+
+When receiving an IPv4 packet inside an IPv6 GRE packet, and the
+IP6_TNL_F_RCV_DSCP_COPY flag is set on the tunnel, the IPv4 header would
+get corrupted. This is due to the common ip6_tnl_rcv() function assuming
+that the inner header is always IPv6. This patch checks the tunnel
+protocol for IPv4 inner packets, but still defaults to IPv6.
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -886,7 +886,15 @@ int ip6_tnl_rcv(struct ip6_tnl *t, struc
+               struct metadata_dst *tun_dst,
+               bool log_ecn_err)
+ {
+-      return __ip6_tnl_rcv(t, skb, tpi, tun_dst, ip6ip6_dscp_ecn_decapsulate,
++      int (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
++                                  const struct ipv6hdr *ipv6h,
++                                  struct sk_buff *skb);
++
++      dscp_ecn_decapsulate = ip6ip6_dscp_ecn_decapsulate;
++      if (tpi->proto == htons(ETH_P_IP))
++              dscp_ecn_decapsulate = ip4ip6_dscp_ecn_decapsulate;
++
++      return __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate,
+                            log_ecn_err);
+ }
+ EXPORT_SYMBOL(ip6_tnl_rcv);
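Review bot: The handler selection in ip6_tnl_rcv() special-cases only `htons(ETH_P_IP)`, so every other value of `tpi->proto`, not just IPv6, still gets `ip6ip6_dscp_ecn_decapsulate`. The commit message attributes the corruption to assuming the inner header is always IPv6, and that assumption remains for any third protocol. Whether other inner protocols can reach this function is not visible here, so this may be harmless. At minimum I would document it with `/* anything that is not IPv4 is treated as IPv6 */` above the default assignment, or compare against `htons(ETH_P_IPV6)` explicitly if callers can pass other values.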
diff --git a/queue-5.7/net-ena-make-missed_tx-stat-incremental.patch b/queue-5.7/net-ena-make-missed_tx-stat-incremental.patch
new file mode 100644 (file)
index 0000000..b164744
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Shay Agroskin <shayagr@amazon.com>
+Date: Wed, 19 Aug 2020 20:28:38 +0300
+Subject: net: ena: Make missed_tx stat incremental
+
+From: Shay Agroskin <shayagr@amazon.com>
+
+[ Upstream commit ccd143e5150f24b9ba15145c7221b61dd9e41021 ]
+
+Most statistics in ena driver are incremented, meaning that a stat's
+value is a sum of all increases done to it since driver/queue
+initialization.
+
+This patch makes all statistics this way, effectively making missed_tx
+statistic incremental.
+Also added a comment regarding rx_drops and tx_drops to make it
+clearer how these counters are calculated.
+
+Fixes: 11095fdb712b ("net: ena: add statistics for missed tx packets")
+Signed-off-by: Shay Agroskin <shayagr@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -3594,7 +3594,7 @@ static int check_missing_comp_in_tx_queu
+       }
+       u64_stats_update_begin(&tx_ring->syncp);
+-      tx_ring->tx_stats.missed_tx = missed_tx;
++      tx_ring->tx_stats.missed_tx += missed_tx;
+       u64_stats_update_end(&tx_ring->syncp);
+       return rc;
+@@ -4519,6 +4519,9 @@ static void ena_keep_alive_wd(void *adap
+       rx_drops = ((u64)desc->rx_drops_high << 32) | desc->rx_drops_low;
+       u64_stats_update_begin(&adapter->syncp);
++      /* These stats are accumulated by the device, so the counters indicate
++       * all drops since last reset.
++       */
+       adapter->dev_stats.rx_drops = rx_drops;
+       u64_stats_update_end(&adapter->syncp);
+ }
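Review bot: Changing the store to `tx_ring->tx_stats.missed_tx += missed_tx;` is only correct if the local `missed_tx` counts packets that newly timed out during this pass, and the loop that computes it lies above the hunk and is not visible. If a packet that stays uncompleted is counted again on every pass, the accumulated statistic grows for as long as it is pending rather than once per packet. Worth confirming against the loop, and a short comment at the assignment saying what one increment represents would help anyone alerting on this counter.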
diff --git a/queue-5.7/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch b/queue-5.7/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
new file mode 100644 (file)
index 0000000..8ccfbfc
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Sat, 15 Aug 2020 04:44:31 -0400
+Subject: net: Fix potential wrong skb->protocol in skb_vlan_untag()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
+
+We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
+we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
+we may access the wrong data.
+
+Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5421,8 +5421,8 @@ struct sk_buff *skb_vlan_untag(struct sk
+       skb = skb_share_check(skb, GFP_ATOMIC);
+       if (unlikely(!skb))
+               goto err_free;
+-
+-      if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
++      /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
++      if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
+               goto err_free;
+       vhdr = (struct vlan_hdr *)skb->data;
diff --git a/queue-5.7/net-nexthop-don-t-allow-empty-nha_group.patch b/queue-5.7/net-nexthop-don-t-allow-empty-nha_group.patch
new file mode 100644 (file)
index 0000000..e9feacd
--- /dev/null
@@ -0,0 +1,97 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Sat, 22 Aug 2020 15:06:36 +0300
+Subject: net: nexthop: don't allow empty NHA_GROUP
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit eeaac3634ee0e3f35548be35275efeca888e9b23 ]
+
+Currently the nexthop code will use an empty NHA_GROUP attribute, but it
+requires at least 1 entry in order to function properly. Otherwise we
+end up derefencing null or random pointers all over the place due to not
+having any nh_grp_entry members allocated, nexthop code relies on having at
+least the first member present. Empty NHA_GROUP doesn't make any sense so
+just disallow it.
+Also add a WARN_ON for any future users of nexthop_create_group().
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 558 Comm: ip Not tainted 5.9.0-rc1+ #93
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014
+ RIP: 0010:fib_check_nexthop+0x4a/0xaa
+ Code: 0f 84 83 00 00 00 48 c7 02 80 03 f7 81 c3 40 80 fe fe 75 12 b8 ea ff ff ff 48 85 d2 74 6b 48 c7 02 40 03 f7 81 c3 48 8b 40 10 <48> 8b 80 80 00 00 00 eb 36 80 78 1a 00 74 12 b8 ea ff ff ff 48 85
+ RSP: 0018:ffff88807983ba00 EFLAGS: 00010213
+ RAX: 0000000000000000 RBX: ffff88807983bc00 RCX: 0000000000000000
+ RDX: ffff88807983bc00 RSI: 0000000000000000 RDI: ffff88807bdd0a80
+ RBP: ffff88807983baf8 R08: 0000000000000dc0 R09: 000000000000040a
+ R10: 0000000000000000 R11: ffff88807bdd0ae8 R12: 0000000000000000
+ R13: 0000000000000000 R14: ffff88807bea3100 R15: 0000000000000001
+ FS:  00007f10db393700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000080 CR3: 000000007bd0f004 CR4: 00000000003706f0
+ Call Trace:
+  fib_create_info+0x64d/0xaf7
+  fib_table_insert+0xf6/0x581
+  ? __vma_adjust+0x3b6/0x4d4
+  inet_rtm_newroute+0x56/0x70
+  rtnetlink_rcv_msg+0x1e3/0x20d
+  ? rtnl_calcit.isra.0+0xb8/0xb8
+  netlink_rcv_skb+0x5b/0xac
+  netlink_unicast+0xfa/0x17b
+  netlink_sendmsg+0x334/0x353
+  sock_sendmsg_nosec+0xf/0x3f
+  ____sys_sendmsg+0x1a0/0x1fc
+  ? copy_msghdr_from_user+0x4c/0x61
+  ___sys_sendmsg+0x63/0x84
+  ? handle_mm_fault+0xa39/0x11b5
+  ? sockfd_lookup_light+0x72/0x9a
+  __sys_sendmsg+0x50/0x6e
+  do_syscall_64+0x54/0xbe
+  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f10dacc0bb7
+ Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 8b 05 9a 4b 2b 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 f2 2a 00 f7 d8 64 89 02 48
+ RSP: 002b:00007ffcbe628bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007ffcbe628f80 RCX: 00007f10dacc0bb7
+ RDX: 0000000000000000 RSI: 00007ffcbe628c60 RDI: 0000000000000003
+ RBP: 000000005f41099c R08: 0000000000000001 R09: 0000000000000008
+ R10: 00000000000005e9 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00007ffcbe628d70 R15: 0000563a86c6e440
+ Modules linked in:
+ CR2: 0000000000000080
+
+CC: David Ahern <dsahern@gmail.com>
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Reported-by: syzbot+a61aa19b0c14c8770bd9@syzkaller.appspotmail.com
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/nexthop.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -402,7 +402,7 @@ static int nh_check_attr_group(struct ne
+       struct nexthop_grp *nhg;
+       unsigned int i, j;
+-      if (len & (sizeof(struct nexthop_grp) - 1)) {
++      if (!len || len & (sizeof(struct nexthop_grp) - 1)) {
+               NL_SET_ERR_MSG(extack,
+                              "Invalid length for nexthop group attribute");
+               return -EINVAL;
+@@ -1104,6 +1104,9 @@ static struct nexthop *nexthop_create_gr
+       struct nexthop *nh;
+       int i;
++      if (WARN_ON(!num_nh))
++              return ERR_PTR(-EINVAL);
++
+       nh = nexthop_alloc();
+       if (!nh)
+               return ERR_PTR(-ENOMEM);
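Review bot: The new guard in nexthop_create_group() uses `WARN_ON(!num_nh)`, which emits a full backtrace every time it fires. Since the `!len` check added to nh_check_attr_group() is meant to make this unreachable from netlink input, `if (WARN_ON_ONCE(!num_nh))` states the same invariant without allowing repeated log output if another caller ever gets it wrong. Separately, `len & (sizeof(struct nexthop_grp) - 1)` is a multiple-of-size test only while the struct size is a power of two; `len % sizeof(struct nexthop_grp)` would not depend on that. Both functions continue outside the hunks shown.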
diff --git a/queue-5.7/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch b/queue-5.7/net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
new file mode 100644 (file)
index 0000000..f81b12f
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Necip Fazil Yildiran <necip@google.com>
+Date: Mon, 17 Aug 2020 15:54:48 +0000
+Subject: net: qrtr: fix usage of idr in port assignment to socket
+
+From: Necip Fazil Yildiran <necip@google.com>
+
+[ Upstream commit 8dfddfb79653df7c38a9c8c4c034f242a36acee9 ]
+
+Passing large uint32 sockaddr_qrtr.port numbers for port allocation
+triggers a warning within idr_alloc() since the port number is cast
+to int, and thus interpreted as a negative number. This leads to
+the rejection of such valid port numbers in qrtr_port_assign() as
+idr_alloc() fails.
+
+To avoid the problem, switch to idr_alloc_u32() instead.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Reported-by: syzbot+f31428628ef672716ea8@syzkaller.appspotmail.com
+Signed-off-by: Necip Fazil Yildiran <necip@google.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -692,23 +692,25 @@ static void qrtr_port_remove(struct qrtr
+  */
+ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port)
+ {
++      u32 min_port;
+       int rc;
+       mutex_lock(&qrtr_port_lock);
+       if (!*port) {
+-              rc = idr_alloc(&qrtr_ports, ipc,
+-                             QRTR_MIN_EPH_SOCKET, QRTR_MAX_EPH_SOCKET + 1,
+-                             GFP_ATOMIC);
+-              if (rc >= 0)
+-                      *port = rc;
++              min_port = QRTR_MIN_EPH_SOCKET;
++              rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, QRTR_MAX_EPH_SOCKET, GFP_ATOMIC);
++              if (!rc)
++                      *port = min_port;
+       } else if (*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) {
+               rc = -EACCES;
+       } else if (*port == QRTR_PORT_CTRL) {
+-              rc = idr_alloc(&qrtr_ports, ipc, 0, 1, GFP_ATOMIC);
++              min_port = 0;
++              rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, 0, GFP_ATOMIC);
+       } else {
+-              rc = idr_alloc(&qrtr_ports, ipc, *port, *port + 1, GFP_ATOMIC);
+-              if (rc >= 0)
+-                      *port = rc;
++              min_port = *port;
++              rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, *port, GFP_ATOMIC);
++              if (!rc)
++                      *port = min_port;
+       }
+       mutex_unlock(&qrtr_port_lock);
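Review bot: In the last branch of qrtr_port_assign() the upper bound passed to `idr_alloc_u32()` is still the signed `*port`, while the lower bound is the `u32` copy `min_port`. For the large port values this patch is meant to accept, `*port` is negative as an `int`; if the `max` parameter is a wider unsigned type (`unsigned long` in the idr API as far as I know), the converted bound no longer equals the requested port on 64-bit builds and the allocation is not pinned to exactly that id. Passing the unsigned value for both bounds avoids this: `rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, min_port, GFP_ATOMIC);`. The signed comparison `*port < QRTR_MIN_EPH_SOCKET` in front of the `capable(CAP_NET_ADMIN)` check has the same int-versus-u32 mismatch and deserves a look while here.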
diff --git a/queue-5.7/net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch b/queue-5.7/net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch
new file mode 100644 (file)
index 0000000..864166d
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Wed, 19 Aug 2020 18:24:10 +0300
+Subject: net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+[ Upstream commit eda814b97dfb8d9f4808eb2f65af9bd3705c4cae ]
+
+tcf_ct_handle_fragments() shouldn't free the skb when ip_defrag() call
+fails. Otherwise, we will cause a double-free bug.
+In such cases, just return the error to the caller.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ct.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -702,7 +702,7 @@ static int tcf_ct_handle_fragments(struc
+               err = ip_defrag(net, skb, user);
+               local_bh_enable();
+               if (err && err != -EINPROGRESS)
+-                      goto out_free;
++                      return err;
+               if (!err) {
+                       *defrag = true;
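Review bot: The `return err;` that replaces `goto out_free` in tcf_ct_handle_fragments() depends on `ip_defrag()` having already disposed of the skb when it fails, and nothing at the call site says so. A comment on the changed line, e.g. `/* ip_defrag() already freed the skb on error */`, would stop a later cleanup from restoring the `goto` and reintroducing the double free described in the commit message. The function starts and ends outside the hunk, so whether `out_free` is still used by other paths cannot be checked here.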
diff --git a/queue-5.7/net-sctp-fix-negotiation-of-the-number-of-data-streams.patch b/queue-5.7/net-sctp-fix-negotiation-of-the-number-of-data-streams.patch
new file mode 100644 (file)
index 0000000..859b6d0
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: David Laight <David.Laight@ACULAB.COM>
+Date: Wed, 19 Aug 2020 14:40:52 +0000
+Subject: net: sctp: Fix negotiation of the number of data streams.
+
+From: David Laight <David.Laight@ACULAB.COM>
+
+[ Upstream commit ab921f3cdbec01c68705a7ade8bec628d541fc2b ]
+
+The number of output and input streams was never being reduced, eg when
+processing received INIT or INIT_ACK chunks.
+The effect is that DATA chunks can be sent with invalid stream ids
+and then discarded by the remote system.
+
+Fixes: 2075e50caf5ea ("sctp: convert to genradix")
+Signed-off-by: David Laight <david.laight@aculab.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/stream.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -88,12 +88,13 @@ static int sctp_stream_alloc_out(struct
+       int ret;
+       if (outcnt <= stream->outcnt)
+-              return 0;
++              goto out;
+       ret = genradix_prealloc(&stream->out, outcnt, gfp);
+       if (ret)
+               return ret;
++out:
+       stream->outcnt = outcnt;
+       return 0;
+ }
+@@ -104,12 +105,13 @@ static int sctp_stream_alloc_in(struct s
+       int ret;
+       if (incnt <= stream->incnt)
+-              return 0;
++              goto out;
+       ret = genradix_prealloc(&stream->in, incnt, gfp);
+       if (ret)
+               return ret;
++out:
+       stream->incnt = incnt;
+       return 0;
+ }
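Review bot: With the new `goto out` path, sctp_stream_alloc_out() and sctp_stream_alloc_in() lower `stream->outcnt` / `stream->incnt` without touching the genradix entries above the new count, so those entries keep whatever state they held. Nothing in these hunks shows that state being released or reset before the count drops, or before a later call raises it again. If the callers do not handle it, stale per-stream data could be reused. I would confirm this against the callers and record the contract at the label, e.g. `/* shrinking: entries >= outcnt stay allocated; caller must have cleaned them up */`.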
diff --git a/queue-5.7/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch b/queue-5.7/net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
new file mode 100644 (file)
index 0000000..3d179ff
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Thu, 20 Aug 2020 16:30:52 +0200
+Subject: net/smc: Prevent kernel-infoleak in __smc_diag_dump()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+[ Upstream commit ce51f63e63c52a4e1eee4dd040fb0ba0af3b43ab ]
+
+__smc_diag_dump() is potentially copying uninitialized kernel stack memory
+into socket buffers, since the compiler may leave a 4-byte hole near the
+beginning of `struct smcd_diag_dmbinfo`. Fix it by initializing `dinfo`
+with memset().
+
+Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_diag.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/smc/smc_diag.c
++++ b/net/smc/smc_diag.c
+@@ -170,13 +170,15 @@ static int __smc_diag_dump(struct sock *
+           (req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
+           !list_empty(&smc->conn.lgr->list)) {
+               struct smc_connection *conn = &smc->conn;
+-              struct smcd_diag_dmbinfo dinfo = {
+-                      .linkid = *((u32 *)conn->lgr->id),
+-                      .peer_gid = conn->lgr->peer_gid,
+-                      .my_gid = conn->lgr->smcd->local_gid,
+-                      .token = conn->rmb_desc->token,
+-                      .peer_token = conn->peer_token
+-              };
++              struct smcd_diag_dmbinfo dinfo;
++
++              memset(&dinfo, 0, sizeof(dinfo));
++
++              dinfo.linkid = *((u32 *)conn->lgr->id);
++              dinfo.peer_gid = conn->lgr->peer_gid;
++              dinfo.my_gid = conn->lgr->smcd->local_gid;
++              dinfo.token = conn->rmb_desc->token;
++              dinfo.peer_token = conn->peer_token;
+               if (nla_put(skb, SMC_DIAG_DMBINFO, sizeof(dinfo), &dinfo) < 0)
+                       goto errout;
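Review bot: The switch from a designated initializer to `memset()` plus field assignments in __smc_diag_dump() reads like a style regression unless the reader knows about the padding hole, so it needs a comment. Something like `/* memset() also clears padding; the whole struct is copied into the skb by nla_put() */` above the `memset()` call would keep it from being converted back. The moved `*((u32 *)conn->lgr->id)` read also type-puns through a pointer cast. `memcpy(&dinfo.linkid, conn->lgr->id, sizeof(dinfo.linkid));` would avoid relying on the alignment and type of `id`, which is declared outside the hunk.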
diff --git a/queue-5.7/net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch b/queue-5.7/net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch
new file mode 100644 (file)
index 0000000..59ab40d
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 15 Aug 2020 09:29:30 +0200
+Subject: net: xdp: pull ethernet header off packet after computing skb->protocol
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+[ Upstream commit f8414a8d886b613b90d9fdf7cda6feea313b1069 ]
+
+When an XDP program changes the ethernet header protocol field,
+eth_type_trans is used to recalculate skb->protocol. In order for
+eth_type_trans to work correctly, the ethernet header must actually be
+part of the skb data segment, so the code first pushes that onto the
+head of the skb. However, it subsequently forgets to pull it back off,
+making the behavior of the passed-on packet inconsistent between the
+protocol modifying case and the static protocol case. This patch fixes
+the issue by simply pulling the ethernet header back off of the skb
+head.
+
+Fixes: 297249569932 ("net: fix generic XDP to handle if eth header was mangled")
+Cc: Jesper Dangaard Brouer <brouer@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4586,6 +4586,7 @@ static u32 netif_receive_generic_xdp(str
+           (orig_bcast != is_multicast_ether_addr_64bits(eth->h_dest))) {
+               __skb_push(skb, ETH_HLEN);
+               skb->protocol = eth_type_trans(skb, skb->dev);
++              __skb_pull(skb, ETH_HLEN);
+       }
+       switch (act) {
diff --git a/queue-5.7/series b/queue-5.7/series
new file mode 100644 (file)
index 0000000..7e8717b
--- /dev/null
@@ -0,0 +1,14 @@
+gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
+net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
+net-nexthop-don-t-allow-empty-nha_group.patch
+net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
+net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch
+net-sctp-fix-negotiation-of-the-number-of-data-streams.patch
+net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
+net-xdp-pull-ethernet-header-off-packet-after-computing-skb-protocol.patch
+tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch
+tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
+net-ena-make-missed_tx-stat-incremental.patch
+ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
+ethtool-account-for-hw_features-in-netlink-interface.patch
+ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
diff --git a/queue-5.7/tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch b/queue-5.7/tipc-call-rcu_read_lock-in-tipc_aead_encrypt_done.patch
new file mode 100644 (file)
index 0000000..3545fcf
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 20 Aug 2020 15:34:47 +0800
+Subject: tipc: call rcu_read_lock() in tipc_aead_encrypt_done()
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f6db9096416209474090d64d8284e7c16c3d8873 ]
+
+b->media->send_msg() requires rcu_read_lock(), as we can see
+elsewhere in tipc,  tipc_bearer_xmit, tipc_bearer_xmit_skb
+and tipc_bearer_bc_xmit().
+
+Syzbot has reported this issue as:
+
+  net/tipc/bearer.c:466 suspicious rcu_dereference_check() usage!
+  Workqueue: cryptd cryptd_queue_worker
+  Call Trace:
+   tipc_l2_send_msg+0x354/0x420 net/tipc/bearer.c:466
+   tipc_aead_encrypt_done+0x204/0x3a0 net/tipc/crypto.c:761
+   cryptd_aead_crypt+0xe8/0x1d0 crypto/cryptd.c:739
+   cryptd_queue_worker+0x118/0x1b0 crypto/cryptd.c:181
+   process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
+   worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
+   kthread+0x3b5/0x4a0 kernel/kthread.c:291
+   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
+
+So fix it by calling rcu_read_lock() in tipc_aead_encrypt_done()
+for b->media->send_msg().
+
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Reported-by: syzbot+47bbc6b678d317cccbe0@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/crypto.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -757,10 +757,12 @@ static void tipc_aead_encrypt_done(struc
+       switch (err) {
+       case 0:
+               this_cpu_inc(tx->stats->stat[STAT_ASYNC_OK]);
++              rcu_read_lock();
+               if (likely(test_bit(0, &b->up)))
+                       b->media->send_msg(net, skb, b, &tx_ctx->dst);
+               else
+                       kfree_skb(skb);
++              rcu_read_unlock();
+               break;
+       case -EINPROGRESS:
+               return;
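Review bot: The new `rcu_read_lock()` / `rcu_read_unlock()` pair in the `case 0:` branch of tipc_aead_encrypt_done() has no comment saying what it protects, so a later cleanup could narrow or remove it. I would add above it `/* send_msg() dereferences RCU-protected bearer state; this completion can run from the cryptd workqueue, outside any RCU read-side section */`, which is what the syzbot trace in the commit message shows. The `kfree_skb(skb)` in the else branch does not need the read-side section, so the lock could be scoped to the `send_msg()` call alone, but that is only style. The function starts before the hunk, so where `b` is obtained and how its lifetime is held is not visible here.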
diff --git a/queue-5.7/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch b/queue-5.7/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
new file mode 100644 (file)
index 0000000..77e1429
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Wed Aug 26 11:53:06 AM CEST 2020
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 15 Aug 2020 16:29:15 -0700
+Subject: tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
+
+__tipc_nl_compat_dumpit() has two callers, and it expects them to
+pass a valid nlmsghdr via arg->data. This header is artificial and
+crafted just for __tipc_nl_compat_dumpit().
+
+tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
+as some nested attribute, TIPC_NLA_SOCK. But the other caller
+tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
+on this call path.
+
+Fix this by just adding a similar nlmsghdr without any payload in
+tipc_nl_compat_dumpit().
+
+This bug exists since day 1, but the recent commit 6ea67769ff33
+("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
+easier to appear.
+
+Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Cc: Jon Maloy <jmaloy@redhat.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Richard Alpe <richard.alpe@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -275,8 +275,9 @@ err_out:
+ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+                                struct tipc_nl_compat_msg *msg)
+ {
+-      int err;
++      struct nlmsghdr *nlh;
+       struct sk_buff *arg;
++      int err;
+       if (msg->req_type && (!msg->req_size ||
+                             !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+@@ -305,6 +306,15 @@ static int tipc_nl_compat_dumpit(struct
+               return -ENOMEM;
+       }
++      nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
++      if (!nlh) {
++              kfree_skb(arg);
++              kfree_skb(msg->rep);
++              msg->rep = NULL;
++              return -EMSGSIZE;
++      }
++      nlmsg_end(arg, nlh);
++
+       err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+       if (err) {
+               kfree_skb(msg->rep);
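Review bot: The added `nlmsg_put()` block in tipc_nl_compat_dumpit() builds a synthetic header with no comment, so nothing in the code says that __tipc_nl_compat_dumpit() parses `arg->data` as a nlmsghdr and must never see uninitialized skb data. I would add above it `/* __tipc_nl_compat_dumpit() reads arg->data as a nlmsghdr; give it an empty, well-formed header */`. The failure branch also repeats the `kfree_skb(msg->rep); msg->rep = NULL;` cleanup that the `if (err)` branch just below appears to perform, so a shared error label would keep the two paths from drifting apart. The function continues past the end of the hunk, so the rest of that error path is not visible.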