4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Aug 2020 14:18:23 +0000 (16:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Aug 2020 14:18:23 +0000 (16:18 +0200)
added patches:
gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
ipvlan-fix-device-features.patch
net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch
tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch

queue-4.14/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch [new file with mode: 0644]
queue-4.14/ipvlan-fix-device-features.patch [new file with mode: 0644]
queue-4.14/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch [new file with mode: 0644]
queue-4.14/powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch [new file with mode: 0644]
queue-4.14/series [new file with mode: 0644]
queue-4.14/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch [new file with mode: 0644]

diff --git a/queue-4.14/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch b/queue-4.14/gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
new file mode 100644 (file)
index 0000000..ab34345
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Wed Aug 26 04:12:09 PM CEST 2020
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Date: Wed, 19 Aug 2020 13:53:58 +1200
+Subject: gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+[ Upstream commit 272502fcb7cda01ab07fc2fcff82d1d2f73d43cc ]
+
+When receiving an IPv4 packet inside an IPv6 GRE packet, and the
+IP6_TNL_F_RCV_DSCP_COPY flag is set on the tunnel, the IPv4 header would
+get corrupted. This is due to the common ip6_tnl_rcv() function assuming
+that the inner header is always IPv6. This patch checks the tunnel
+protocol for IPv4 inner packets, but still defaults to IPv6.
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -872,7 +872,15 @@ int ip6_tnl_rcv(struct ip6_tnl *t, struc
+               struct metadata_dst *tun_dst,
+               bool log_ecn_err)
+ {
+-      return __ip6_tnl_rcv(t, skb, tpi, NULL, ip6ip6_dscp_ecn_decapsulate,
++      int (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
++                                  const struct ipv6hdr *ipv6h,
++                                  struct sk_buff *skb);
++
++      dscp_ecn_decapsulate = ip6ip6_dscp_ecn_decapsulate;
++      if (tpi->proto == htons(ETH_P_IP))
++              dscp_ecn_decapsulate = ip4ip6_dscp_ecn_decapsulate;
++
++      return __ip6_tnl_rcv(t, skb, tpi, NULL, dscp_ecn_decapsulate,
+                            log_ecn_err);
+ }
+ EXPORT_SYMBOL(ip6_tnl_rcv);
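Review bot: Every inner protocol other than ETH_P_IP still gets `ip6ip6_dscp_ecn_decapsulate` in ip6_tnl_rcv(), so the header corruption described in the commit message is only ruled out for IPv4 payloads. Whether a payload that is neither IPv4 nor IPv6 can reach this function with IP6_TNL_F_RCV_DSCP_COPY set is not visible in the hunk and should be confirmed against the callers. A comment above the default assignment would record the assumption, for example `/* inner header is assumed IPv6 unless tpi->proto says IPv4 */`.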
diff --git a/queue-4.14/ipvlan-fix-device-features.patch b/queue-4.14/ipvlan-fix-device-features.patch
new file mode 100644 (file)
index 0000000..0eebb9a
--- /dev/null
@@ -0,0 +1,108 @@
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Fri, 14 Aug 2020 22:53:24 -0700
+Subject: ipvlan: fix device features
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit d0f5c7076e01fef6fcb86988d9508bf3ce258bd4 ]
+
+Processing NETDEV_FEAT_CHANGE causes IPvlan links to lose
+NETIF_F_LLTX feature because of the incorrect handling of
+features in ipvlan_fix_features().
+
+--before--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Actual changes:
+vlan-challenged: off [fixed]
+tx-lockless: off [fixed]
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: off [fixed]
+lpaa10:~#
+
+--after--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Could not change any device features
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~#
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c |   27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -187,12 +187,21 @@ static void ipvlan_port_destroy(struct n
+       kfree(port);
+ }
++#define IPVLAN_ALWAYS_ON_OFLOADS \
++      (NETIF_F_SG | NETIF_F_HW_CSUM | \
++       NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL)
++
++#define IPVLAN_ALWAYS_ON \
++      (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED)
++
+ #define IPVLAN_FEATURES \
+-      (NETIF_F_SG | NETIF_F_CSUM_MASK | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
++      (NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+        NETIF_F_GSO | NETIF_F_TSO | NETIF_F_GSO_ROBUST | \
+        NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \
+        NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
++      /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */
++
+ #define IPVLAN_STATE_MASK \
+       ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT))
+@@ -205,7 +214,9 @@ static int ipvlan_init(struct net_device
+       dev->state = (dev->state & ~IPVLAN_STATE_MASK) |
+                    (phy_dev->state & IPVLAN_STATE_MASK);
+       dev->features = phy_dev->features & IPVLAN_FEATURES;
+-      dev->features |= NETIF_F_LLTX;
++      dev->features |= IPVLAN_ALWAYS_ON;
++      dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES;
++      dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS;
+       dev->gso_max_size = phy_dev->gso_max_size;
+       dev->gso_max_segs = phy_dev->gso_max_segs;
+       dev->hard_header_len = phy_dev->hard_header_len;
+@@ -293,7 +304,14 @@ static netdev_features_t ipvlan_fix_feat
+ {
+       struct ipvl_dev *ipvlan = netdev_priv(dev);
+-      return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++      features |= NETIF_F_ALL_FOR_ALL;
++      features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++      features = netdev_increment_features(ipvlan->phy_dev->features,
++                                           features, features);
++      features |= IPVLAN_ALWAYS_ON;
++      features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON);
++
++      return features;
+ }
+ static void ipvlan_change_rx_flags(struct net_device *dev, int change)
+@@ -743,10 +761,9 @@ static int ipvlan_device_event(struct no
+       case NETDEV_FEAT_CHANGE:
+               list_for_each_entry(ipvlan, &port->ipvlans, pnode) {
+-                      ipvlan->dev->features = dev->features & IPVLAN_FEATURES;
+                       ipvlan->dev->gso_max_size = dev->gso_max_size;
+                       ipvlan->dev->gso_max_segs = dev->gso_max_segs;
+-                      netdev_features_change(ipvlan->dev);
++                      netdev_update_features(ipvlan->dev);
+               }
+               break;
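Review bot: The comment `/* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */` sits directly under IPVLAN_FEATURES, but the hunk adds those two flags to IPVLAN_ALWAYS_ON_OFLOADS, not to IPVLAN_FEATURES, so it reads as if the mask above it contained them. I would move the explanation to the macro that carries the bits, e.g. `/* offloads OR-ed in by ipvlan_init() and ipvlan_fix_features() whatever the lower device reports */` above IPVLAN_ALWAYS_ON_OFLOADS. The macro name also drops an F (`OFLOADS` for `OFFLOADS`). In ipvlan_fix_features(), whose signature is outside the hunk, a one-line comment on why the result is finally masked with `IPVLAN_FEATURES | IPVLAN_ALWAYS_ON` would help the next reader follow the order of the five steps.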
diff --git a/queue-4.14/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch b/queue-4.14/net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
new file mode 100644 (file)
index 0000000..5a46cdc
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Wed Aug 26 04:12:09 PM CEST 2020
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Sat, 15 Aug 2020 04:44:31 -0400
+Subject: net: Fix potential wrong skb->protocol in skb_vlan_untag()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
+
+We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
+we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
+we may access the wrong data.
+
+Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5053,8 +5053,8 @@ struct sk_buff *skb_vlan_untag(struct sk
+       skb = skb_share_check(skb, GFP_ATOMIC);
+       if (unlikely(!skb))
+               goto err_free;
+-
+-      if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
++      /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
++      if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
+               goto err_free;
+       vhdr = (struct vlan_hdr *)skb->data;
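Review bot: The stricter pskb_may_pull() now sends any tagged frame with fewer than two bytes after the VLAN header to err_free, and the added comment does not say so. The comment could state the consequence as well as the reason, e.g. `/* vlan_set_encap_proto() may read the two bytes after vlan_hdr; shorter frames are dropped here */`. skb_vlan_untag() starts and ends outside the hunk, so whether that drop is counted or logged anywhere cannot be seen from here.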
diff --git a/queue-4.14/powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch b/queue-4.14/powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch
new file mode 100644 (file)
index 0000000..07914cb
--- /dev/null
@@ -0,0 +1,79 @@
+From 0828137e8f16721842468e33df0460044a0c588b Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Thu, 28 May 2020 00:58:40 +1000
+Subject: powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 0828137e8f16721842468e33df0460044a0c588b upstream.
+
+__init_FSCR() was added originally in commit 2468dcf641e4 ("powerpc:
+Add support for context switching the TAR register") (Feb 2013), and
+only set FSCR_TAR.
+
+At that point FSCR (Facility Status and Control Register) was not
+context switched, so the setting was permanent after boot.
+
+Later we added initialisation of FSCR_DSCR to __init_FSCR(), in commit
+54c9b2253d34 ("powerpc: Set DSCR bit in FSCR setup") (Mar 2013), again
+that was permanent after boot.
+
+Then commit 2517617e0de6 ("powerpc: Fix context switch DSCR on
+POWER8") (Aug 2013) added a limited context switch of FSCR, just the
+FSCR_DSCR bit was context switched based on thread.dscr_inherit. That
+commit said "This clears the H/FSCR DSCR bit initially", but it
+didn't, it left the initialisation of FSCR_DSCR in __init_FSCR().
+However the initial context switch from init_task to pid 1 would clear
+FSCR_DSCR because thread.dscr_inherit was 0.
+
+That commit also introduced the requirement that FSCR_DSCR be clear
+for user processes, so that we can take the facility unavailable
+interrupt in order to manage dscr_inherit.
+
+Then in commit 152d523e6307 ("powerpc: Create context switch helpers
+save_sprs() and restore_sprs()") (Dec 2015) FSCR was added to
+thread_struct. However it still wasn't fully context switched, we just
+took the existing value and set FSCR_DSCR if the new thread had
+dscr_inherit set. FSCR was still initialised at boot to FSCR_DSCR |
+FSCR_TAR, but that value was not propagated into the thread_struct, so
+the initial context switch set FSCR_DSCR back to 0.
+
+Finally commit b57bd2de8c6c ("powerpc: Improve FSCR init and context
+switching") (Jun 2016) added a full context switch of the FSCR, and
+added an initialisation of init_task.thread.fscr to FSCR_TAR |
+FSCR_EBB, but omitted FSCR_DSCR.
+
+The end result is that swapper runs with FSCR_DSCR set because of the
+initialisation in __init_FSCR(), but no other processes do, they use
+the value from init_task.thread.fscr.
+
+Having FSCR_DSCR set for swapper allows it to access SPR 3 from
+userspace, but swapper never runs userspace, so it has no useful
+effect. It's also confusing to have the value initialised in two
+places to two different values.
+
+So remove FSCR_DSCR from __init_FSCR(), this at least gets us to the
+point where there's a single value of FSCR, even if it's still set in
+two places.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Tested-by: Alistair Popple <alistair@popple.id.au>
+Link: https://lore.kernel.org/r/20200527145843.2761782-1-mpe@ellerman.id.au
+Cc: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/cpu_setup_power.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/cpu_setup_power.S
++++ b/arch/powerpc/kernel/cpu_setup_power.S
+@@ -189,7 +189,7 @@ __init_LPCR_ISA300:
+ __init_FSCR:
+       mfspr   r3,SPRN_FSCR
+-      ori     r3,r3,FSCR_TAR|FSCR_DSCR|FSCR_EBB
++      ori     r3,r3,FSCR_TAR|FSCR_EBB
+       mtspr   SPRN_FSCR,r3
+       blr
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644 (file)
index 0000000..c2e2cae
--- /dev/null
@@ -0,0 +1,5 @@
+powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch
+net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
+tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
+ipvlan-fix-device-features.patch
+gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
diff --git a/queue-4.14/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch b/queue-4.14/tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
new file mode 100644 (file)
index 0000000..1d662c2
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Wed Aug 26 04:12:09 PM CEST 2020
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 15 Aug 2020 16:29:15 -0700
+Subject: tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
+
+__tipc_nl_compat_dumpit() has two callers, and it expects them to
+pass a valid nlmsghdr via arg->data. This header is artificial and
+crafted just for __tipc_nl_compat_dumpit().
+
+tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
+as some nested attribute, TIPC_NLA_SOCK. But the other caller
+tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
+on this call path.
+
+Fix this by just adding a similar nlmsghdr without any payload in
+tipc_nl_compat_dumpit().
+
+This bug exists since day 1, but the recent commit 6ea67769ff33
+("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
+easier to appear.
+
+Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Cc: Jon Maloy <jmaloy@redhat.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Richard Alpe <richard.alpe@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -250,8 +250,9 @@ err_out:
+ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+                                struct tipc_nl_compat_msg *msg)
+ {
+-      int err;
++      struct nlmsghdr *nlh;
+       struct sk_buff *arg;
++      int err;
+       if (msg->req_type && (!msg->req_size ||
+                             !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+@@ -280,6 +281,15 @@ static int tipc_nl_compat_dumpit(struct
+               return -ENOMEM;
+       }
++      nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
++      if (!nlh) {
++              kfree_skb(arg);
++              kfree_skb(msg->rep);
++              msg->rep = NULL;
++              return -EMSGSIZE;
++      }
++      nlmsg_end(arg, nlh);
++
+       err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+       if (err) {
+               kfree_skb(msg->rep);
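Review bot: Nothing at the nlmsg_put() call explains why an empty header is written into `arg`; the reason, that __tipc_nl_compat_dumpit() expects a valid nlmsghdr in arg->data, lives only in the commit message. A comment such as `/* __tipc_nl_compat_dumpit() reads an nlmsghdr from arg->data; supply an empty one */` would keep a later cleanup from removing the call and reintroducing the uninitialised read. The new failure branch also repeats the `kfree_skb(msg->rep); msg->rep = NULL;` pair that follows the __tipc_nl_compat_dumpit() call, so a shared error label would be tidier. The function continues past the end of the hunk.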