--- /dev/null
+From 03c7570c2fa986118defff7c8a354a6145d365e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 06:38:07 -0700
+Subject: bonding: set dev->needed_headroom in bond_setup_by_slave()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f32f19339596b214c208c0dba716f4b6cc4f6958 ]
+
+syzbot managed to crash a host by creating a bond
+with a GRE device.
+
+For non Ethernet device, bonding calls bond_setup_by_slave()
+instead of ether_setup(), and unfortunately dev->needed_headroom
+was not copied from the new added member.
+
+[ 171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0
+[ 171.243111] ------------[ cut here ]------------
+[ 171.243112] kernel BUG at net/core/skbuff.c:112!
+[ 171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 171.243469] gsmi: Log Shutdown Reason 0x03
+[ 171.243505] Call Trace:
+[ 171.243506] <IRQ>
+[ 171.243512] [<ffffffffa171be59>] skb_push+0x49/0x50
+[ 171.243516] [<ffffffffa184b9ea>] ipgre_header+0x2a/0xf0
+[ 171.243520] [<ffffffffa17452d7>] neigh_connected_output+0xb7/0x100
+[ 171.243524] [<ffffffffa186f1d3>] ip6_finish_output2+0x383/0x490
+[ 171.243528] [<ffffffffa186ede2>] __ip6_finish_output+0xa2/0x110
+[ 171.243531] [<ffffffffa186acbc>] ip6_finish_output+0x2c/0xa0
+[ 171.243534] [<ffffffffa186abe9>] ip6_output+0x69/0x110
+[ 171.243537] [<ffffffffa186ac90>] ? ip6_output+0x110/0x110
+[ 171.243541] [<ffffffffa189d952>] mld_sendpack+0x1b2/0x2d0
+[ 171.243544] [<ffffffffa189d290>] ? mld_send_report+0xf0/0xf0
+[ 171.243548] [<ffffffffa189c797>] mld_ifc_timer_expire+0x2d7/0x3b0
+[ 171.243551] [<ffffffffa189c4c0>] ? mld_gq_timer_expire+0x50/0x50
+[ 171.243556] [<ffffffffa0fea270>] call_timer_fn+0x30/0x130
+[ 171.243559] [<ffffffffa0fea17c>] expire_timers+0x4c/0x110
+[ 171.243563] [<ffffffffa0fea0e3>] __run_timers+0x213/0x260
+[ 171.243566] [<ffffffffa0fecb7d>] ? ktime_get+0x3d/0xa0
+[ 171.243570] [<ffffffffa0ff9c4e>] ? clockevents_program_event+0x7e/0xe0
+[ 171.243574] [<ffffffffa0f7e5d5>] ? sched_clock_cpu+0x15/0x190
+[ 171.243577] [<ffffffffa0fe973d>] run_timer_softirq+0x1d/0x40
+[ 171.243581] [<ffffffffa1c00152>] __do_softirq+0x152/0x2f0
+[ 171.243585] [<ffffffffa0f44e1f>] irq_exit+0x9f/0xb0
+[ 171.243588] [<ffffffffa1a02e1d>] smp_apic_timer_interrupt+0xfd/0x1a0
+[ 171.243591] [<ffffffffa1a01ea6>] apic_timer_interrupt+0x86/0x90
+
+Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 861d2c0a521a4..6aaf1196d9a55 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1129,6 +1129,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
+
+ bond_dev->type = slave_dev->type;
+ bond_dev->hard_header_len = slave_dev->hard_header_len;
++ bond_dev->needed_headroom = slave_dev->needed_headroom;
+ bond_dev->addr_len = slave_dev->addr_len;
+
+ memcpy(bond_dev->broadcast, slave_dev->broadcast,
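Review bot: Only `needed_headroom` is copied from the slave next to `hard_header_len`; no matching copy of `needed_tailroom` appears in the visible lines, although the Fixes: commit named in the description introduced both fields. If the rest of bond_setup_by_slave(), which continues outside this hunk, does not already set it, `bond_dev->needed_tailroom = slave_dev->needed_tailroom;` belongs beside the new line. A short comment such as `/* non-Ethernet slaves (e.g. GRE) push their own header, so inherit their headroom */` would also record why the field matters.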
+--
+2.25.1
+
--- /dev/null
+From 39f2da0b0ab6285ac5ad169c4e5a45e5f218c13c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Sep 2020 21:33:43 -0700
+Subject: mdio: fix mdio-thunder.c dependency & build error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7dbbcf496f2a4b6d82cfc7810a0746e160b79762 ]
+
+Fix build error by selecting MDIO_DEVRES for MDIO_THUNDER.
+Fixes this build error:
+
+ld: drivers/net/phy/mdio-thunder.o: in function `thunder_mdiobus_pci_probe':
+drivers/net/phy/mdio-thunder.c:78: undefined reference to `devm_mdiobus_alloc_size'
+
+Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: netdev@vger.kernel.org
+Cc: David Daney <david.daney@cavium.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
+index cd931cf9dcc26..e08d822338341 100644
+--- a/drivers/net/phy/Kconfig
++++ b/drivers/net/phy/Kconfig
+@@ -146,6 +146,7 @@ config MDIO_THUNDER
+ depends on 64BIT
+ depends on PCI
+ select MDIO_CAVIUM
++ select MDIO_DEVRES
+ help
+ This driver supports the MDIO interfaces found on Cavium
+ ThunderX SoCs when the MDIO bus device appears as a PCI
+--
+2.25.1
+
--- /dev/null
+From 0f1430c1d00252a33e8bb987805610e7adfbf3f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 09:38:52 +0800
+Subject: mmc: core: don't set limits.discard_granularity as 0
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 4243219141b67d7c2fdb2d8073c17c539b9263eb ]
+
+In mmc_queue_setup_discard() the mmc driver queue's discard_granularity
+might be set as 0 (when card->pref_erase > max_discard) while the mmc
+device still declares to support discard operation. This is buggy and
+triggered the following kernel warning message,
+
+WARNING: CPU: 0 PID: 135 at __blkdev_issue_discard+0x200/0x294
+CPU: 0 PID: 135 Comm: f2fs_discard-17 Not tainted 5.9.0-rc6 #1
+Hardware name: Google Kevin (DT)
+pstate: 00000005 (nzcv daif -PAN -UAO BTYPE=--)
+pc : __blkdev_issue_discard+0x200/0x294
+lr : __blkdev_issue_discard+0x54/0x294
+sp : ffff800011dd3b10
+x29: ffff800011dd3b10 x28: 0000000000000000 x27: ffff800011dd3cc4 x26: ffff800011dd3e18 x25: 000000000004e69b x24: 0000000000000c40 x23: ffff0000f1deaaf0 x22: ffff0000f2849200 x21: 00000000002734d8 x20: 0000000000000008 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000394 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 00000000000008b0 x9 : ffff800011dd3cb0 x8 : 000000000004e69b x7 : 0000000000000000 x6 : ffff0000f1926400 x5 : ffff0000f1940800 x4 : 0000000000000000 x3 : 0000000000000c40 x2 : 0000000000000008 x1 : 00000000002734d8 x0 : 0000000000000000 Call trace:
+__blkdev_issue_discard+0x200/0x294
+__submit_discard_cmd+0x128/0x374
+__issue_discard_cmd_orderly+0x188/0x244
+__issue_discard_cmd+0x2e8/0x33c
+issue_discard_thread+0xe8/0x2f0
+kthread+0x11c/0x120
+ret_from_fork+0x10/0x1c
+---[ end trace e4c8023d33dfe77a ]---
+
+This patch fixes the issue by setting discard_granularity as SECTOR_SIZE
+instead of 0 when (card->pref_erase > max_discard) is true. Now no more
+complain from __blkdev_issue_discard() for the improper value of discard
+granularity.
+
+This issue is exposed after commit b35fd7422c2f ("block: check queue's
+limits.discard_granularity in __blkdev_issue_discard()"), a "Fixes:" tag
+is also added for the commit to make sure people won't miss this patch
+after applying the change of __blkdev_issue_discard().
+
+Fixes: e056a1b5b67b ("mmc: queue: let host controllers specify maximum discard timeout")
+Fixes: b35fd7422c2f ("block: check queue's limits.discard_granularity in __blkdev_issue_discard()").
+Reported-and-tested-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20201002013852.51968-1-colyli@suse.de
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c
+index f74f9ef460cc9..218472879d9ce 100644
+--- a/drivers/mmc/core/queue.c
++++ b/drivers/mmc/core/queue.c
+@@ -143,7 +143,7 @@ static void mmc_queue_setup_discard(struct request_queue *q,
+ q->limits.discard_granularity = card->pref_erase << 9;
+ /* granularity must not be greater than max. discard */
+ if (card->pref_erase > max_discard)
+- q->limits.discard_granularity = 0;
++ q->limits.discard_granularity = SECTOR_SIZE;
+ if (mmc_can_secure_erase_trim(card))
+ queue_flag_set_unlocked(QUEUE_FLAG_SECERASE, q);
+ }
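Review bot: The comment above the `if` still reads only `granularity must not be greater than max. discard`, which no longer explains the value assigned on the following line. I would extend it to say why one sector is used, for example `/* granularity must not exceed max. discard; fall back to one sector, as 0 triggers the WARNING in __blkdev_issue_discard() */`. The `<< 9` on the first line and `SECTOR_SIZE` now express the same unit in two ways; `SECTOR_SHIFT` would make that explicit if this tree provides it. mmc_queue_setup_discard() starts outside the hunk.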
+--
+2.25.1
+
--- /dev/null
+From fe594f43982b1056f8cc19ee03884b7b32d1ae1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 16:56:14 +0800
+Subject: net: stmmac: removed enabling eee in EEE set callback
+
+From: Voon Weifeng <weifeng.voon@intel.com>
+
+[ Upstream commit 7241c5a697479c7d0c5a96595822cdab750d41ae ]
+
+EEE should be only be enabled during stmmac_mac_link_up() when the
+link are up and being set up properly. set_eee should only do settings
+configuration and disabling the eee.
+
+Without this fix, turning on EEE using ethtool will return
+"Operation not supported". This is due to the driver is in a dead loop
+waiting for eee to be advertised in the for eee to be activated but the
+driver will only configure the EEE advertisement after the eee is
+activated.
+
+Ethtool should only return "Operation not supported" if there is no EEE
+capbility in the MAC controller.
+
+Fixes: 8a7493e58ad6 ("net: stmmac: Fix a race in EEE enable callback")
+Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
+Acked-by: Mark Gross <mgross@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index 8c71090081852..5105e1f724fb7 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -677,23 +677,16 @@ static int stmmac_ethtool_op_set_eee(struct net_device *dev,
+ struct stmmac_priv *priv = netdev_priv(dev);
+ int ret;
+
+- if (!edata->eee_enabled) {
++ if (!priv->dma_cap.eee)
++ return -EOPNOTSUPP;
++
++ if (!edata->eee_enabled)
+ stmmac_disable_eee_mode(priv);
+- } else {
+- /* We are asking for enabling the EEE but it is safe
+- * to verify all by invoking the eee_init function.
+- * In case of failure it will return an error.
+- */
+- edata->eee_enabled = stmmac_eee_init(priv);
+- if (!edata->eee_enabled)
+- return -EOPNOTSUPP;
+- }
+
+ ret = phy_ethtool_set_eee(dev->phydev, edata);
+ if (ret)
+ return ret;
+
+- priv->eee_enabled = edata->eee_enabled;
+ priv->tx_lpi_timer = edata->tx_lpi_timer;
+ return 0;
+ }
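Review bot: `priv->eee_enabled` is no longer written anywhere in this function, so after the `!edata->eee_enabled` branch the driver's cached flag depends entirely on what stmmac_disable_eee_mode() does, which is not visible here. If that helper only touches the hardware and timer, the flag stays set and later code could treat EEE as still active; clearing it explicitly in the disable branch would remove the doubt. The removed comment also leaves nothing saying that enabling now takes effect at link-up; something like `/* EEE is enabled from stmmac_mac_link_up(); here we only disable it and pass the settings to the PHY */` would help. The function's signature is outside the hunk.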
+--
+2.25.1
+
--- /dev/null
+From e0c5b634e3f9c145cddd87dafd0463e9f9ac1020 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 11:01:04 +0200
+Subject: net: usb: ax88179_178a: fix missing stop entry in driver_info
+
+From: Wilken Gottwalt <wilken.gottwalt@mailbox.org>
+
+[ Upstream commit 9666ea66a74adfe295cb3a8760c76e1ef70f9caf ]
+
+Adds the missing .stop entry in the Belkin driver_info structure.
+
+Fixes: e20bd60bf62a ("net: usb: asix88179_178a: Add support for the Belkin B2B128")
+Signed-off-by: Wilken Gottwalt <wilken.gottwalt@mailbox.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88179_178a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index 875639b0e9d56..e7193a541244b 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1736,6 +1736,7 @@ static const struct driver_info belkin_info = {
+ .status = ax88179_status,
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
++ .stop = ax88179_stop,
+ .flags = FLAG_ETHER | FLAG_FRAMING_AX,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+--
+2.25.1
+
--- /dev/null
+From fe7f6def8d9dfdd88781ee1bcef6ca10fac02d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 12:17:32 +0530
+Subject: perf: Fix task_function_call() error handling
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 6d6b8b9f4fceab7266ca03d194f60ec72bd4b654 ]
+
+The error handling introduced by commit:
+
+ 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()")
+
+looses any return value from smp_call_function_single() that is not
+{0, -EINVAL}. This is a problem because it will return -EXNIO when the
+target CPU is offline. Worse, in that case it'll turn into an infinite
+loop.
+
+Fixes: 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()")
+Reported-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Barret Rhoden <brho@google.com>
+Tested-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Link: https://lkml.kernel.org/r/20200827064732.20860-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index e50b140053f9a..5807fad2c4057 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -98,7 +98,7 @@ static void remote_function(void *data)
+ * retry due to any failures in smp_call_function_single(), such as if the
+ * task_cpu() goes offline concurrently.
+ *
+- * returns @func return value or -ESRCH when the process isn't running
++ * returns @func return value or -ESRCH or -ENXIO when the process isn't running
+ */
+ static int
+ task_function_call(struct task_struct *p, remote_function_f func, void *info)
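Review bot: The context lines of this comment still say the loop will `retry due to any failures in smp_call_function_single()`, which stops being true with the second hunk of this patch: a non-zero return other than -EAGAIN now leaves the loop. The `returns` line was updated but the retry sentence was not; I would reword it along the lines of `retry only while the result is -EAGAIN; other errors from smp_call_function_single() (e.g. -ENXIO for an offline CPU) are returned to the caller`. The body of task_function_call() lies outside this hunk.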
+@@ -114,7 +114,8 @@ task_function_call(struct task_struct *p, remote_function_f func, void *info)
+ for (;;) {
+ ret = smp_call_function_single(task_cpu(p), remote_function,
+ &data, 1);
+- ret = !ret ? data.ret : -EAGAIN;
++ if (!ret)
++ ret = data.ret;
+
+ if (ret != -EAGAIN)
+ break;
+--
+2.25.1
+
--- /dev/null
+From 530808f9bc084003192ad559de1c23b2e7d51304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 19:16:53 +0300
+Subject: platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+[ Upstream commit afdd1ebb72051e8b6b83c4d7dc542a9be0e1352d ]
+
+When FUJITSU_LAPTOP is enabled and NEW_LEDS is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for LEDS_CLASS
+ Depends on [n]: NEW_LEDS [=n]
+ Selected by [y]:
+ - FUJITSU_LAPTOP [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y] && INPUT [=y] && BACKLIGHT_CLASS_DEVICE [=y] && (ACPI_VIDEO [=n] || ACPI_VIDEO [=n]=n)
+
+The reason is that FUJITSU_LAPTOP selects LEDS_CLASS without depending on
+or selecting NEW_LEDS while LEDS_CLASS is subordinate to NEW_LEDS.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Fixes: d89bcc83e709 ("platform/x86: fujitsu-laptop: select LEDS_CLASS")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 09035705d0a07..4f872e62508a8 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -183,6 +183,7 @@ config FUJITSU_LAPTOP
+ depends on BACKLIGHT_CLASS_DEVICE
+ depends on ACPI_VIDEO || ACPI_VIDEO = n
+ select INPUT_SPARSEKMAP
++ select NEW_LEDS
+ select LEDS_CLASS
+ ---help---
+ This is a driver for laptops built by Fujitsu:
+--
+2.25.1
+
--- /dev/null
+From 615744cbecc16c162ef9fe7cc3a5776ce06e3ff9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 22:09:04 +0100
+Subject: rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9a059cd5ca7d9c5c4ca5a6e755cf72f230176b6a ]
+
+If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a
+type it doesn't recognise, it can BUG in a couple of places, which is
+unnecessary as it can easily get back to userspace.
+
+Fix this to print an error message instead.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index fead67b42a993..1fe203c56faf0 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1110,7 +1110,8 @@ static long rxrpc_read(const struct key *key,
+ break;
+
+ default: /* we have a ticket we can't encode */
+- BUG();
++ pr_err("Unsupported key token type (%u)\n",
++ token->security_index);
+ continue;
+ }
+
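Review bot: `pr_err()` here sits on a path the description says is reachable through KEYCTL_READ, so the message is unthrottled logging driven by a userspace call; `pr_err_ratelimited("Unsupported key token type (%u)\n", token->security_index);` keeps the diagnostic without letting it flood the log. The two loops also now disagree: this one skips the token with `continue`, while the `default:` in the second hunk only `break`s out of the switch and carries on with whatever follows it. The code between the hunks is not visible, so it should be confirmed that the encoding loop does not emit or size-check anything for a token the sizing loop skipped.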
+@@ -1226,7 +1227,6 @@ static long rxrpc_read(const struct key *key,
+ break;
+
+ default:
+- BUG();
+ break;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 44ef7b1f4a0ebf3e6bd5f72de035b4752616cae6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 14:01:24 -0300
+Subject: rxrpc: Fix rxkad token xdr encoding
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit 56305118e05b2db8d0395bba640ac9a3aee92624 ]
+
+The session key should be encoded with just the 8 data bytes and
+no length; ENCODE_DATA precedes it with a 4 byte length, which
+confuses some existing tools that try to parse this format.
+
+Add an ENCODE_BYTES macro that does not include a length, and use
+it for the key. Also adjust the expected length.
+
+Note that commit 774521f353e1d ("rxrpc: Fix an assertion in
+rxrpc_read()") had fixed a BUG by changing the length rather than
+fixing the encoding. The original length was correct.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/key.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index ad9d1b21cb0ba..fead67b42a993 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1075,7 +1075,7 @@ static long rxrpc_read(const struct key *key,
+
+ switch (token->security_index) {
+ case RXRPC_SECURITY_RXKAD:
+- toksize += 9 * 4; /* viceid, kvno, key*2 + len, begin,
++ toksize += 8 * 4; /* viceid, kvno, key*2, begin,
+ * end, primary, tktlen */
+ toksize += RND(token->kad->ticket_len);
+ break;
+@@ -1141,6 +1141,14 @@ static long rxrpc_read(const struct key *key,
+ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
+ xdr += (_l + 3) >> 2; \
+ } while(0)
++#define ENCODE_BYTES(l, s) \
++ do { \
++ u32 _l = (l); \
++ memcpy(xdr, (s), _l); \
++ if (_l & 3) \
++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
++ xdr += (_l + 3) >> 2; \
++ } while(0)
+ #define ENCODE64(x) \
+ do { \
+ __be64 y = cpu_to_be64(x); \
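Review bot: ENCODE_BYTES is added without a comment, and its body repeats the copy-and-pad lines visible at the end of the macro just above it. A one-line header such as `/* Copy l raw bytes, zero-padded to a 4-byte boundary, with no length word in front */` would state the one thing that sets it apart. The literal `8` passed at the call site in the next hunk and the `key*2` words counted in the first hunk are tied together only by a comment; if `session_key` is a fixed-size array (its declaration is not shown), `sizeof(token->kad->session_key)` at the call site would keep the two in step.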
+@@ -1168,7 +1176,7 @@ static long rxrpc_read(const struct key *key,
+ case RXRPC_SECURITY_RXKAD:
+ ENCODE(token->kad->vice_id);
+ ENCODE(token->kad->kvno);
+- ENCODE_DATA(8, token->kad->session_key);
++ ENCODE_BYTES(8, token->kad->session_key);
+ ENCODE(token->kad->start);
+ ENCODE(token->kad->expiry);
+ ENCODE(token->kad->primary_flag);
+--
+2.25.1
+
--- /dev/null
+From 5cb078d5c282903d6e3d539a4f043b36b43ba2d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 14:04:51 +0100
+Subject: rxrpc: Fix server keyring leak
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ]
+
+If someone calls setsockopt() twice to set a server key keyring, the first
+keyring is leaked.
+
+Fix it to return an error instead if the server key keyring is already set.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index 1fe203c56faf0..2fe2add62a8ed 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -905,7 +905,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
+
+ _enter("");
+
+- if (optlen <= 0 || optlen > PAGE_SIZE - 1)
++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
+ return -EINVAL;
+
+ description = memdup_user_nul(optval, optlen);
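Review bot: Folding `rx->securities` into the length check makes an already-set keyring return the same -EINVAL as a bad `optlen`, and nothing in the hunk says why the test is there. A short comment, e.g. `/* a server keyring may only be set once; replacing it would leak the old reference */`, would keep the condition from being simplified away later. The check and the later store to `rx->securities` are a complete fix only if the caller serialises setsockopt() on this socket; that locking is outside the hunk and worth confirming. The function body starts outside the hunk, so the name in the `@@` header may be that of the preceding function.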
+--
+2.25.1
+
--- /dev/null
+From c10f252af3f01e30f2ee3a86fe96dea21f81e967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 11:57:40 +0100
+Subject: rxrpc: Fix some missing _bh annotations on locking conn->state_lock
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit fa1d113a0f96f9ab7e4fe4f8825753ba1e34a9d3 ]
+
+conn->state_lock may be taken in softirq mode, but a previous patch
+replaced an outer lock in the response-packet event handling code, and lost
+the _bh from that when doing so.
+
+Fix this by applying the _bh annotation to the state_lock locking.
+
+Fixes: a1399f8bb033 ("rxrpc: Call channels should have separate call number spaces")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/conn_event.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
+index 75ec1ad595b72..2432c118397f6 100644
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -316,18 +316,18 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
+ return ret;
+
+ spin_lock(&conn->channel_lock);
+- spin_lock(&conn->state_lock);
++ spin_lock_bh(&conn->state_lock);
+
+ if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
+ conn->state = RXRPC_CONN_SERVICE;
+- spin_unlock(&conn->state_lock);
++ spin_unlock_bh(&conn->state_lock);
+ for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
+ rxrpc_call_is_secure(
+ rcu_dereference_protected(
+ conn->channels[loop].call,
+ lockdep_is_held(&conn->channel_lock)));
+ } else {
+- spin_unlock(&conn->state_lock);
++ spin_unlock_bh(&conn->state_lock);
+ }
+
+ spin_unlock(&conn->channel_lock);
+--
+2.25.1
+
net-team-fix-memory-leak-in-__team_options_register.patch
openvswitch-handle-dnat-tuple-collision.patch
drm-amdgpu-prevent-double-kfree-ttm-sg.patch
+xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
+xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch
+xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
+net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
+platform-x86-fix-kconfig-dependency-warning-for-fuji.patch
+xfrm-use-correct-address-family-in-xfrm_state_find.patch
+bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
+mdio-fix-mdio-thunder.c-dependency-build-error.patch
+net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch
+rxrpc-fix-rxkad-token-xdr-encoding.patch
+rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
+rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch
+rxrpc-fix-server-keyring-leak.patch
+perf-fix-task_function_call-error-handling.patch
+mmc-core-don-t-set-limits.discard_granularity-as-0.patch
--- /dev/null
+From 893ddfb8bbaa33c416cf53d650104dfad5f39400 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:50:29 +0200
+Subject: xfrm: clone whole liftime_cur structure in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 8366685b2883e523f91e9816d7be371eb1144749 ]
+
+When we clone state only add_time was cloned. It missed values like
+bytes, packets. Now clone the all members of the structure.
+
+v1->v3:
+ - use memcpy to copy the entire structure
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 37104258808a8..3f21d34833cf0 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1427,7 +1427,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ x->tfcpad = orig->tfcpad;
+ x->replay_maxdiff = orig->replay_maxdiff;
+ x->replay_maxage = orig->replay_maxage;
+- x->curlft.add_time = orig->curlft.add_time;
++ memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));
+ x->km.state = orig->km.state;
+ x->km.seq = orig->km.seq;
+ x->replay = orig->replay;
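Review bot: `memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));` can be written as the struct assignment `x->curlft = orig->curlft;`, which the compiler type-checks and which matches the plain assignments around it (`x->replay = orig->replay;` three lines later). Separately, the byte and packet counters being copied are live values; if they are updated under the state's lock elsewhere, which is not visible here, copying them without it may give a torn snapshot on 32-bit builds. xfrm_state_clone() starts and ends outside the hunk.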
+--
+2.25.1
+
--- /dev/null
+From fa86f7f41d1c1d41a52ae35e8119badfa3b39c1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:49:55 +0200
+Subject: xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ]
+
+XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - move curleft cloning to a separate patch
+
+Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 57b8b11cf7d42..86ff111574496 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1808,21 +1808,17 @@ static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay
+ static inline int xfrm_replay_clone(struct xfrm_state *x,
+ struct xfrm_state *orig)
+ {
+- x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
++
++ x->replay_esn = kmemdup(orig->replay_esn,
++ xfrm_replay_state_esn_len(orig->replay_esn),
+ GFP_KERNEL);
+ if (!x->replay_esn)
+ return -ENOMEM;
+-
+- x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
+- x->replay_esn->replay_window = orig->replay_esn->replay_window;
+-
+- x->preplay_esn = kmemdup(x->replay_esn,
+- xfrm_replay_state_esn_len(x->replay_esn),
++ x->preplay_esn = kmemdup(orig->preplay_esn,
++ xfrm_replay_state_esn_len(orig->preplay_esn),
+ GFP_KERNEL);
+- if (!x->preplay_esn) {
+- kfree(x->replay_esn);
++ if (!x->preplay_esn)
+ return -ENOMEM;
+- }
+
+ return 0;
+ }
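Review bot: When the second `kmemdup()` fails, the function now returns -ENOMEM with `x->replay_esn` still allocated and assigned, so freeing it becomes the caller's job. That is safe only if every caller's error path releases `x` through a routine that frees `x->replay_esn`; the callers are not in this hunk, so a comment such as `/* on failure the caller drops x, which frees replay_esn */` should record the contract. `orig->preplay_esn` is also handed to `xfrm_replay_state_esn_len()` and `kmemdup()` without a NULL check; if a state can have `replay_esn` set but `preplay_esn` unset, the length helper would dereference NULL. The blank line added right after the opening brace can be dropped.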
+--
+2.25.1
+
--- /dev/null
+From 6b45c75b907fe590aabb1db265dd7e7136ee0cb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:50:11 +0200
+Subject: xfrm: clone XFRMA_SEC_CTX in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 7aa05d304785204703a67a6aa7f1db402889a172 ]
+
+XFRMA_SEC_CTX was not cloned from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - return -ENOMEM on error
+v2->v3:
+ - fix return type to int
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 190ca59d5ba31..37104258808a8 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1320,6 +1320,30 @@ out:
+ EXPORT_SYMBOL(xfrm_state_add);
+
+ #ifdef CONFIG_XFRM_MIGRATE
++static inline int clone_security(struct xfrm_state *x, struct xfrm_sec_ctx *security)
++{
++ struct xfrm_user_sec_ctx *uctx;
++ int size = sizeof(*uctx) + security->ctx_len;
++ int err;
++
++ uctx = kmalloc(size, GFP_KERNEL);
++ if (!uctx)
++ return -ENOMEM;
++
++ uctx->exttype = XFRMA_SEC_CTX;
++ uctx->len = size;
++ uctx->ctx_doi = security->ctx_doi;
++ uctx->ctx_alg = security->ctx_alg;
++ uctx->ctx_len = security->ctx_len;
++ memcpy(uctx + 1, security->ctx_str, security->ctx_len);
++ err = security_xfrm_state_alloc(x, uctx);
++ kfree(uctx);
++ if (err)
++ return err;
++
++ return 0;
++}
++
+ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ struct xfrm_encap_tmpl *encap)
+ {
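Review bot: `uctx->len = size;` stores an `int` sum of `sizeof(*uctx)` and `security->ctx_len` into the header's length field with no range check; if that field is narrower than `int` (its declaration is outside the hunk), a large `ctx_len` would be truncated there while `kmalloc()` and `memcpy()` use the full size. A guard before the allocation, or a comment stating where `ctx_len` has already been bounded, would close that gap. The tail `if (err) return err; return 0;` is just `return err;`, and `static inline` is unnecessary for a helper defined in a .c file.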
+@@ -1376,6 +1400,10 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ goto error;
+ }
+
++ if (orig->security)
++ if (clone_security(x, orig->security))
++ goto error;
++
+ if (orig->coaddr) {
+ x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
+ GFP_KERNEL);
+--
+2.25.1
+
--- /dev/null
+From 5c0c1ee8a691bc558010c896eb397fbe5031a97b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:42:56 +1000
+Subject: xfrm: Use correct address family in xfrm_state_find
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit e94ee171349db84c7cfdc5fefbebe414054d0924 ]
+
+The struct flowi must never be interpreted by itself as its size
+depends on the address family. Therefore it must always be grouped
+with its original family value.
+
+In this particular instance, the original family value is lost in
+the function xfrm_state_find. Therefore we get a bogus read when
+it's coupled with the wrong family which would occur with inter-
+family xfrm states.
+
+This patch fixes it by keeping the original family value.
+
+Note that the same bug could potentially occur in LSM through
+the xfrm_state_pol_flow_match hook. I checked the current code
+there and it seems to be safe for now as only secid is used which
+is part of struct flowi_common. But that API should be changed
+so that so that we don't get new bugs in the future. We could
+do that by replacing fl with just secid or adding a family field.
+
+Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com
+Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 3f21d34833cf0..05c275a712f11 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -909,7 +909,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ */
+ if (x->km.state == XFRM_STATE_VALID) {
+ if ((x->sel.family &&
+- !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
++ (x->sel.family != family ||
++ !xfrm_selector_match(&x->sel, fl, family))) ||
+ !security_xfrm_state_pol_flow_match(x, pol, fl))
+ return;
+
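Review bot: The selector test is now written twice in xfrm_state_look_at() with opposite polarity, here and in the ERROR/EXPIRED branch changed by the next hunk, and the two must stay exact negations of each other for the family check to hold. Pulling the test into one small helper, negated here and used directly there, would keep them in step and give the rule a single place for a comment. The function's signature and the declaration of `family` are outside the hunk, so the parameter types and the helper name in the sketch below are assumptions.

```c
/* A state's selector applies when its family is unset (0) or when it
 * matches fl in the flow's own family; fl is never read with another family.
 */
static bool xfrm_state_sel_applies(const struct xfrm_state *x,
				   const struct flowi *fl,
				   unsigned short family)
{
	return !x->sel.family ||
	       (x->sel.family == family &&
		xfrm_selector_match(&x->sel, fl, family));
}

	/* … unchanged: start of xfrm_state_look_at() … */
	if (x->km.state == XFRM_STATE_VALID) {
		if (!xfrm_state_sel_applies(x, fl, family) ||
		    !security_xfrm_state_pol_flow_match(x, pol, fl))
			return;
```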
+@@ -922,7 +923,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ *acq_in_progress = 1;
+ } else if (x->km.state == XFRM_STATE_ERROR ||
+ x->km.state == XFRM_STATE_EXPIRED) {
+- if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
++ if ((!x->sel.family ||
++ (x->sel.family == family &&
++ xfrm_selector_match(&x->sel, fl, family))) &&
+ security_xfrm_state_pol_flow_match(x, pol, fl))
+ *error = -ESRCH;
+ }
+@@ -961,7 +964,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best, &acquire_in_progress, &error);
+ }
+ if (best || acquire_in_progress)
+@@ -977,7 +980,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best, &acquire_in_progress, &error);
+ }
+
+--
+2.25.1
+