--- /dev/null
+From 2217b982624680d19a80ebb4600d05c8586c4f96 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Sat, 8 Aug 2020 11:37:13 -0700
+Subject: binfmt_flat: revert "binfmt_flat: don't offset the data start"
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 2217b982624680d19a80ebb4600d05c8586c4f96 upstream.
+
+binfmt_flat loader uses the gap between text and data to store data
+segment pointers for the libraries. Even in the absence of shared
+libraries it stores at least one pointer to the executable's own data
+segment. Text and data can go back to back in the flat binary image and
+without offsetting data segment last few instructions in the text
+segment may get corrupted by the data segment pointer.
+
+Fix it by reverting commit a2357223c50a ("binfmt_flat: don't offset the
+data start").
+
+Cc: stable@vger.kernel.org
+Fixes: a2357223c50a ("binfmt_flat: don't offset the data start")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_flat.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -571,7 +571,7 @@ static int load_flat_file(struct linux_b
+ goto err;
+ }
+
+- len = data_len + extra;
++ len = data_len + extra + MAX_SHARED_LIBS * sizeof(unsigned long);
+ len = PAGE_ALIGN(len);
+ realdatastart = vm_mmap(NULL, 0, len,
+ PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 0);
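Review bot: The reserved gap is sized with `sizeof(unsigned long)` here and in the first `datapos` hunk, but with `sizeof(u32)` in the single-mapping path (the second `len` and `datapos` hunks and the `vm_munmap()` hunk), and nothing on the new side says which width the stored data-segment pointers have. The expression now appears five times, and the mapping length, the data offset and the unmap length only stay consistent if every copy is edited together. I would document it at the first use, e.g. `/* gap before data holds MAX_SHARED_LIBS data-segment pointers */`, and state why the two paths use different element sizes. load_flat_file() starts and ends outside these hunks, so the types of `len`, `data_len` and `extra` are not visible; they presumably derive from the flat header, so it is worth confirming the enlarged sum cannot wrap before `PAGE_ALIGN()`.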
+@@ -585,7 +585,9 @@ static int load_flat_file(struct linux_b
+ vm_munmap(textpos, text_len);
+ goto err;
+ }
+- datapos = ALIGN(realdatastart, FLAT_DATA_ALIGN);
++ datapos = ALIGN(realdatastart +
++ MAX_SHARED_LIBS * sizeof(unsigned long),
++ FLAT_DATA_ALIGN);
+
+ pr_debug("Allocated data+bss+stack (%u bytes): %lx\n",
+ data_len + bss_len + stack_len, datapos);
+@@ -615,7 +617,7 @@ static int load_flat_file(struct linux_b
+ memp_size = len;
+ } else {
+
+- len = text_len + data_len + extra;
++ len = text_len + data_len + extra + MAX_SHARED_LIBS * sizeof(u32);
+ len = PAGE_ALIGN(len);
+ textpos = vm_mmap(NULL, 0, len,
+ PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE, 0);
+@@ -630,7 +632,9 @@ static int load_flat_file(struct linux_b
+ }
+
+ realdatastart = textpos + ntohl(hdr->data_start);
+- datapos = ALIGN(realdatastart, FLAT_DATA_ALIGN);
++ datapos = ALIGN(realdatastart +
++ MAX_SHARED_LIBS * sizeof(u32),
++ FLAT_DATA_ALIGN);
+
+ reloc = (__be32 __user *)
+ (datapos + (ntohl(hdr->reloc_start) - text_len));
+@@ -647,9 +651,8 @@ static int load_flat_file(struct linux_b
+ (text_len + full_data
+ - sizeof(struct flat_hdr)),
+ 0);
+- if (datapos != realdatastart)
+- memmove((void *)datapos, (void *)realdatastart,
+- full_data);
++ memmove((void *) datapos, (void *) realdatastart,
++ full_data);
+ #else
+ /*
+ * This is used on MMU systems mainly for testing.
+@@ -705,7 +708,8 @@ static int load_flat_file(struct linux_b
+ if (IS_ERR_VALUE(result)) {
+ ret = result;
+ pr_err("Unable to read code+data+bss, errno %d\n", ret);
+- vm_munmap(textpos, text_len + data_len + extra);
++ vm_munmap(textpos, text_len + data_len + extra +
++ MAX_SHARED_LIBS * sizeof(u32));
+ goto err;
+ }
+ }
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Date: Wed, 19 Aug 2020 13:53:58 +1200
+Subject: gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+[ Upstream commit 272502fcb7cda01ab07fc2fcff82d1d2f73d43cc ]
+
+When receiving an IPv4 packet inside an IPv6 GRE packet, and the
+IP6_TNL_F_RCV_DSCP_COPY flag is set on the tunnel, the IPv4 header would
+get corrupted. This is due to the common ip6_tnl_rcv() function assuming
+that the inner header is always IPv6. This patch checks the tunnel
+protocol for IPv4 inner packets, but still defaults to IPv6.
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -860,7 +860,15 @@ int ip6_tnl_rcv(struct ip6_tnl *t, struc
+ struct metadata_dst *tun_dst,
+ bool log_ecn_err)
+ {
+- return __ip6_tnl_rcv(t, skb, tpi, tun_dst, ip6ip6_dscp_ecn_decapsulate,
++ int (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
++ const struct ipv6hdr *ipv6h,
++ struct sk_buff *skb);
++
++ dscp_ecn_decapsulate = ip6ip6_dscp_ecn_decapsulate;
++ if (tpi->proto == htons(ETH_P_IP))
++ dscp_ecn_decapsulate = ip4ip6_dscp_ecn_decapsulate;
++
++ return __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate,
+ log_ecn_err);
+ }
+ EXPORT_SYMBOL(ip6_tnl_rcv);
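Review bot: Every inner protocol other than `ETH_P_IP` still reaches `ip6ip6_dscp_ecn_decapsulate`, so a tunnel carrying a third payload type would presumably have its inner header treated as IPv6, the same kind of corruption this change fixes for IPv4. The commit message says the IPv6 default is deliberate, but the code does not; either test for IPv6 explicitly or add a comment such as `/* anything that is not IPv4 is handled as IPv6, as before */` above the first assignment. Whether non-IP payloads can reach ip6_tnl_rcv() depends on callers outside this hunk.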
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Fri, 14 Aug 2020 22:53:24 -0700
+Subject: ipvlan: fix device features
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit d0f5c7076e01fef6fcb86988d9508bf3ce258bd4 ]
+
+Processing NETDEV_FEAT_CHANGE causes IPvlan links to lose
+NETIF_F_LLTX feature because of the incorrect handling of
+features in ipvlan_fix_features().
+
+--before--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Actual changes:
+vlan-challenged: off [fixed]
+tx-lockless: off [fixed]
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: off [fixed]
+lpaa10:~#
+
+--after--
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~# ethtool -K ipvl0 tso off
+Cannot change tcp-segmentation-offload
+Could not change any device features
+lpaa10:~# ethtool -k ipvl0 | grep tx-lockless
+tx-lockless: on [fixed]
+lpaa10:~#
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -106,12 +106,21 @@ static void ipvlan_port_destroy(struct n
+ kfree(port);
+ }
+
++#define IPVLAN_ALWAYS_ON_OFLOADS \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | \
++ NETIF_F_GSO_ROBUST | NETIF_F_GSO_SOFTWARE | NETIF_F_GSO_ENCAP_ALL)
++
++#define IPVLAN_ALWAYS_ON \
++ (IPVLAN_ALWAYS_ON_OFLOADS | NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED)
++
+ #define IPVLAN_FEATURES \
+- (NETIF_F_SG | NETIF_F_CSUM_MASK | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
++ (NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_GSO | NETIF_F_TSO | NETIF_F_GSO_ROBUST | \
+ NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \
+ NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
+
++ /* NETIF_F_GSO_ENCAP_ALL NETIF_F_GSO_SOFTWARE Newly added */
++
+ #define IPVLAN_STATE_MASK \
+ ((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT))
+
+@@ -125,7 +134,9 @@ static int ipvlan_init(struct net_device
+ dev->state = (dev->state & ~IPVLAN_STATE_MASK) |
+ (phy_dev->state & IPVLAN_STATE_MASK);
+ dev->features = phy_dev->features & IPVLAN_FEATURES;
+- dev->features |= NETIF_F_LLTX | NETIF_F_VLAN_CHALLENGED;
++ dev->features |= IPVLAN_ALWAYS_ON;
++ dev->vlan_features = phy_dev->vlan_features & IPVLAN_FEATURES;
++ dev->vlan_features |= IPVLAN_ALWAYS_ON_OFLOADS;
+ dev->hw_enc_features |= dev->features;
+ dev->gso_max_size = phy_dev->gso_max_size;
+ dev->gso_max_segs = phy_dev->gso_max_segs;
+@@ -225,7 +236,14 @@ static netdev_features_t ipvlan_fix_feat
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+
+- return features & (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features |= NETIF_F_ALL_FOR_ALL;
++ features &= (ipvlan->sfeatures | ~IPVLAN_FEATURES);
++ features = netdev_increment_features(ipvlan->phy_dev->features,
++ features, features);
++ features |= IPVLAN_ALWAYS_ON;
++ features &= (IPVLAN_FEATURES | IPVLAN_ALWAYS_ON);
++
++ return features;
+ }
+
+ static void ipvlan_change_rx_flags(struct net_device *dev, int change)
+@@ -732,10 +750,9 @@ static int ipvlan_device_event(struct no
+
+ case NETDEV_FEAT_CHANGE:
+ list_for_each_entry(ipvlan, &port->ipvlans, pnode) {
+- ipvlan->dev->features = dev->features & IPVLAN_FEATURES;
+ ipvlan->dev->gso_max_size = dev->gso_max_size;
+ ipvlan->dev->gso_max_segs = dev->gso_max_segs;
+- netdev_features_change(ipvlan->dev);
++ netdev_update_features(ipvlan->dev);
+ }
+ break;
+
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Shay Agroskin <shayagr@amazon.com>
+Date: Wed, 19 Aug 2020 20:28:38 +0300
+Subject: net: ena: Make missed_tx stat incremental
+
+From: Shay Agroskin <shayagr@amazon.com>
+
+[ Upstream commit ccd143e5150f24b9ba15145c7221b61dd9e41021 ]
+
+Most statistics in ena driver are incremented, meaning that a stat's
+value is a sum of all increases done to it since driver/queue
+initialization.
+
+This patch makes all statistics this way, effectively making missed_tx
+statistic incremental.
+Also added a comment regarding rx_drops and tx_drops to make it
+clearer how these counters are calculated.
+
+Fixes: 11095fdb712b ("net: ena: add statistics for missed tx packets")
+Signed-off-by: Shay Agroskin <shayagr@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2924,7 +2924,7 @@ static int check_missing_comp_in_tx_queu
+ }
+
+ u64_stats_update_begin(&tx_ring->syncp);
+- tx_ring->tx_stats.missed_tx = missed_tx;
++ tx_ring->tx_stats.missed_tx += missed_tx;
+ u64_stats_update_end(&tx_ring->syncp);
+
+ return rc;
+@@ -3848,6 +3848,9 @@ static void ena_keep_alive_wd(void *adap
+ rx_drops = ((u64)desc->rx_drops_high << 32) | desc->rx_drops_low;
+
+ u64_stats_update_begin(&adapter->syncp);
++ /* These stats are accumulated by the device, so the counters indicate
++ * all drops since last reset.
++ */
+ adapter->dev_stats.rx_drops = rx_drops;
+ u64_stats_update_end(&adapter->syncp);
+ }
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Sat, 15 Aug 2020 04:44:31 -0400
+Subject: net: Fix potential wrong skb->protocol in skb_vlan_untag()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
+
+We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
+we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
+we may access the wrong data.
+
+Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5317,8 +5317,8 @@ struct sk_buff *skb_vlan_untag(struct sk
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (unlikely(!skb))
+ goto err_free;
+-
+- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
++ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
++ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
+ goto err_free;
+
+ vhdr = (struct vlan_hdr *)skb->data;
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Sat, 22 Aug 2020 15:06:36 +0300
+Subject: net: nexthop: don't allow empty NHA_GROUP
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit eeaac3634ee0e3f35548be35275efeca888e9b23 ]
+
+Currently the nexthop code will use an empty NHA_GROUP attribute, but it
+requires at least 1 entry in order to function properly. Otherwise we
+end up derefencing null or random pointers all over the place due to not
+having any nh_grp_entry members allocated, nexthop code relies on having at
+least the first member present. Empty NHA_GROUP doesn't make any sense so
+just disallow it.
+Also add a WARN_ON for any future users of nexthop_create_group().
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 558 Comm: ip Not tainted 5.9.0-rc1+ #93
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014
+ RIP: 0010:fib_check_nexthop+0x4a/0xaa
+ Code: 0f 84 83 00 00 00 48 c7 02 80 03 f7 81 c3 40 80 fe fe 75 12 b8 ea ff ff ff 48 85 d2 74 6b 48 c7 02 40 03 f7 81 c3 48 8b 40 10 <48> 8b 80 80 00 00 00 eb 36 80 78 1a 00 74 12 b8 ea ff ff ff 48 85
+ RSP: 0018:ffff88807983ba00 EFLAGS: 00010213
+ RAX: 0000000000000000 RBX: ffff88807983bc00 RCX: 0000000000000000
+ RDX: ffff88807983bc00 RSI: 0000000000000000 RDI: ffff88807bdd0a80
+ RBP: ffff88807983baf8 R08: 0000000000000dc0 R09: 000000000000040a
+ R10: 0000000000000000 R11: ffff88807bdd0ae8 R12: 0000000000000000
+ R13: 0000000000000000 R14: ffff88807bea3100 R15: 0000000000000001
+ FS: 00007f10db393700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000080 CR3: 000000007bd0f004 CR4: 00000000003706f0
+ Call Trace:
+ fib_create_info+0x64d/0xaf7
+ fib_table_insert+0xf6/0x581
+ ? __vma_adjust+0x3b6/0x4d4
+ inet_rtm_newroute+0x56/0x70
+ rtnetlink_rcv_msg+0x1e3/0x20d
+ ? rtnl_calcit.isra.0+0xb8/0xb8
+ netlink_rcv_skb+0x5b/0xac
+ netlink_unicast+0xfa/0x17b
+ netlink_sendmsg+0x334/0x353
+ sock_sendmsg_nosec+0xf/0x3f
+ ____sys_sendmsg+0x1a0/0x1fc
+ ? copy_msghdr_from_user+0x4c/0x61
+ ___sys_sendmsg+0x63/0x84
+ ? handle_mm_fault+0xa39/0x11b5
+ ? sockfd_lookup_light+0x72/0x9a
+ __sys_sendmsg+0x50/0x6e
+ do_syscall_64+0x54/0xbe
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f10dacc0bb7
+ Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 8b 05 9a 4b 2b 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 f2 2a 00 f7 d8 64 89 02 48
+ RSP: 002b:00007ffcbe628bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007ffcbe628f80 RCX: 00007f10dacc0bb7
+ RDX: 0000000000000000 RSI: 00007ffcbe628c60 RDI: 0000000000000003
+ RBP: 000000005f41099c R08: 0000000000000001 R09: 0000000000000008
+ R10: 00000000000005e9 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00007ffcbe628d70 R15: 0000563a86c6e440
+ Modules linked in:
+ CR2: 0000000000000080
+
+CC: David Ahern <dsahern@gmail.com>
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Reported-by: syzbot+a61aa19b0c14c8770bd9@syzkaller.appspotmail.com
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/nexthop.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -403,7 +403,7 @@ static int nh_check_attr_group(struct ne
+ struct nexthop_grp *nhg;
+ unsigned int i, j;
+
+- if (len & (sizeof(struct nexthop_grp) - 1)) {
++ if (!len || len & (sizeof(struct nexthop_grp) - 1)) {
+ NL_SET_ERR_MSG(extack,
+ "Invalid length for nexthop group attribute");
+ return -EINVAL;
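Review bot: The test `len & (sizeof(struct nexthop_grp) - 1)` is a divisibility check only while the struct size is a power of two, and with the added `!len` term that assumption is easy to miss. I would parenthesise the mask term and record the assumption, e.g. `/* sizeof(struct nexthop_grp) must stay a power of two for this mask test */`, or switch to a `%` test. An empty attribute is now reported with the same "Invalid length" text as a misaligned one, which is acceptable but worth a word in that comment. nh_check_attr_group() continues outside the hunk.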
+@@ -1105,6 +1105,9 @@ static struct nexthop *nexthop_create_gr
+ struct nexthop *nh;
+ int i;
+
++ if (WARN_ON(!num_nh))
++ return ERR_PTR(-EINVAL);
++
+ nh = nexthop_alloc();
+ if (!nh)
+ return ERR_PTR(-ENOMEM);
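Review bot: `WARN_ON(!num_nh)` emits a full backtrace on every call, so if a later caller lets a request reach this function with zero entries the result is an unbounded log flood, and a fatal one on systems that panic on warnings. `WARN_ON_ONCE(!num_nh)` bounds the logging. A comment should also say this is a backstop only, e.g. `/* callers must reject empty groups; see nh_check_attr_group() */`. How `num_nh` is derived is outside the hunk.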
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Necip Fazil Yildiran <necip@google.com>
+Date: Mon, 17 Aug 2020 15:54:48 +0000
+Subject: net: qrtr: fix usage of idr in port assignment to socket
+
+From: Necip Fazil Yildiran <necip@google.com>
+
+[ Upstream commit 8dfddfb79653df7c38a9c8c4c034f242a36acee9 ]
+
+Passing large uint32 sockaddr_qrtr.port numbers for port allocation
+triggers a warning within idr_alloc() since the port number is cast
+to int, and thus interpreted as a negative number. This leads to
+the rejection of such valid port numbers in qrtr_port_assign() as
+idr_alloc() fails.
+
+To avoid the problem, switch to idr_alloc_u32() instead.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Reported-by: syzbot+f31428628ef672716ea8@syzkaller.appspotmail.com
+Signed-off-by: Necip Fazil Yildiran <necip@google.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -547,23 +547,25 @@ static void qrtr_port_remove(struct qrtr
+ */
+ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port)
+ {
++ u32 min_port;
+ int rc;
+
+ mutex_lock(&qrtr_port_lock);
+ if (!*port) {
+- rc = idr_alloc(&qrtr_ports, ipc,
+- QRTR_MIN_EPH_SOCKET, QRTR_MAX_EPH_SOCKET + 1,
+- GFP_ATOMIC);
+- if (rc >= 0)
+- *port = rc;
++ min_port = QRTR_MIN_EPH_SOCKET;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, QRTR_MAX_EPH_SOCKET, GFP_ATOMIC);
++ if (!rc)
++ *port = min_port;
+ } else if (*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) {
+ rc = -EACCES;
+ } else if (*port == QRTR_PORT_CTRL) {
+- rc = idr_alloc(&qrtr_ports, ipc, 0, 1, GFP_ATOMIC);
++ min_port = 0;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, 0, GFP_ATOMIC);
+ } else {
+- rc = idr_alloc(&qrtr_ports, ipc, *port, *port + 1, GFP_ATOMIC);
+- if (rc >= 0)
+- *port = rc;
++ min_port = *port;
++ rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, *port, GFP_ATOMIC);
++ if (!rc)
++ *port = min_port;
+ }
+ mutex_unlock(&qrtr_port_lock);
+
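Review bot: `*port` is still an `int`, so in `*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)` a port number above INT_MAX compares as negative (assuming QRTR_MIN_EPH_SOCKET is a plain int constant) and is treated as a reserved port: unprivileged callers get -EACCES and only CAP_NET_ADMIN holders reach the new `idr_alloc_u32()` call in the last branch. If the high range is meant to be ordinary, the comparison needs an unsigned operand, e.g. `(u32)*port < QRTR_MIN_EPH_SOCKET`; if it is meant to be privileged, a comment should say so, because the commit message calls these ports valid. The first `idr_alloc_u32()` line also runs well past 80 columns. The function continues after `mutex_unlock()` outside the hunk, so how `rc` becomes the return value is not visible.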
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Wed, 19 Aug 2020 18:24:10 +0300
+Subject: net/sched: act_ct: Fix skb double-free in tcf_ct_handle_fragments() error flow
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+[ Upstream commit eda814b97dfb8d9f4808eb2f65af9bd3705c4cae ]
+
+tcf_ct_handle_fragments() shouldn't free the skb when ip_defrag() call
+fails. Otherwise, we will cause a double-free bug.
+In such cases, just return the error to the caller.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -186,7 +186,7 @@ static int tcf_ct_handle_fragments(struc
+ memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
+ err = nf_ct_frag6_gather(net, skb, user);
+ if (err && err != -EINPROGRESS)
+- goto out_free;
++ return err;
+ #else
+ err = -EOPNOTSUPP;
+ goto out_free;
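Review bot: The description says the skb must not be freed when ip_defrag() fails, but the line changed here is the error check after `nf_ct_frag6_gather()` in the IPv6 branch, so the patch may have been applied to a different call than the one it describes. Whether `nf_ct_frag6_gather()` consumes the skb on error is not visible in this hunk; if it does not, `return err;` now leaks the buffer, and if the ip_defrag() branch outside the hunk still jumps to `out_free`, the double free described in the message remains. Both branches should be checked against the upstream commit, and each early return should carry a comment stating who owns the skb at that point.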
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: David Laight <David.Laight@ACULAB.COM>
+Date: Wed, 19 Aug 2020 14:40:52 +0000
+Subject: net: sctp: Fix negotiation of the number of data streams.
+
+From: David Laight <David.Laight@ACULAB.COM>
+
+[ Upstream commit ab921f3cdbec01c68705a7ade8bec628d541fc2b ]
+
+The number of output and input streams was never being reduced, eg when
+processing received INIT or INIT_ACK chunks.
+The effect is that DATA chunks can be sent with invalid stream ids
+and then discarded by the remote system.
+
+Fixes: 2075e50caf5ea ("sctp: convert to genradix")
+Signed-off-by: David Laight <david.laight@aculab.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/stream.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -88,12 +88,13 @@ static int sctp_stream_alloc_out(struct
+ int ret;
+
+ if (outcnt <= stream->outcnt)
+- return 0;
++ goto out;
+
+ ret = genradix_prealloc(&stream->out, outcnt, gfp);
+ if (ret)
+ return ret;
+
++out:
+ stream->outcnt = outcnt;
+ return 0;
+ }
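Review bot: Taking `goto out` when `outcnt <= stream->outcnt` lowers the count without touching the entries at or above the new `outcnt`, and sctp_stream_alloc_in() in the next hunk does the same for `incnt`. Nothing visible here releases or resets per-stream state for the dropped range, so any pointer or queue state that still refers to one of those streams would be stale; presumably the caller deals with that, but it should be stated. A comment above the label such as `/* shrinking only lowers the count; caller must already have released streams >= outcnt */` would record the contract. Both function bodies start outside their hunks.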
+@@ -104,12 +105,13 @@ static int sctp_stream_alloc_in(struct s
+ int ret;
+
+ if (incnt <= stream->incnt)
+- return 0;
++ goto out;
+
+ ret = genradix_prealloc(&stream->in, incnt, gfp);
+ if (ret)
+ return ret;
+
++out:
+ stream->incnt = incnt;
+ return 0;
+ }
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Thu, 20 Aug 2020 16:30:52 +0200
+Subject: net/smc: Prevent kernel-infoleak in __smc_diag_dump()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+[ Upstream commit ce51f63e63c52a4e1eee4dd040fb0ba0af3b43ab ]
+
+__smc_diag_dump() is potentially copying uninitialized kernel stack memory
+into socket buffers, since the compiler may leave a 4-byte hole near the
+beginning of `struct smcd_diag_dmbinfo`. Fix it by initializing `dinfo`
+with memset().
+
+Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_diag.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/smc/smc_diag.c
++++ b/net/smc/smc_diag.c
+@@ -170,13 +170,15 @@ static int __smc_diag_dump(struct sock *
+ (req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
+ !list_empty(&smc->conn.lgr->list)) {
+ struct smc_connection *conn = &smc->conn;
+- struct smcd_diag_dmbinfo dinfo = {
+- .linkid = *((u32 *)conn->lgr->id),
+- .peer_gid = conn->lgr->peer_gid,
+- .my_gid = conn->lgr->smcd->local_gid,
+- .token = conn->rmb_desc->token,
+- .peer_token = conn->peer_token
+- };
++ struct smcd_diag_dmbinfo dinfo;
++
++ memset(&dinfo, 0, sizeof(dinfo));
++
++ dinfo.linkid = *((u32 *)conn->lgr->id);
++ dinfo.peer_gid = conn->lgr->peer_gid;
++ dinfo.my_gid = conn->lgr->smcd->local_gid;
++ dinfo.token = conn->rmb_desc->token;
++ dinfo.peer_token = conn->peer_token;
+
+ if (nla_put(skb, SMC_DIAG_DMBINFO, sizeof(dinfo), &dinfo) < 0)
+ goto errout;
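Review bot: The reason for replacing the designated initializer with `memset()` plus assignments exists only in the commit message, and without a comment a later cleanup is likely to fold it back into an initializer and reintroduce the padding leak. Add above the `memset()` something like `/* zero padding too: dinfo is copied whole into the netlink skb by nla_put() */`. Separately, `*((u32 *)conn->lgr->id)` reads the id through a cast pointer; the type of `lgr->id` is not visible here, but if it is a byte array, a `memcpy()` into `dinfo.linkid` would avoid alignment and aliasing assumptions.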
--- /dev/null
+From 0828137e8f16721842468e33df0460044a0c588b Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Thu, 28 May 2020 00:58:40 +1000
+Subject: powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 0828137e8f16721842468e33df0460044a0c588b upstream.
+
+__init_FSCR() was added originally in commit 2468dcf641e4 ("powerpc:
+Add support for context switching the TAR register") (Feb 2013), and
+only set FSCR_TAR.
+
+At that point FSCR (Facility Status and Control Register) was not
+context switched, so the setting was permanent after boot.
+
+Later we added initialisation of FSCR_DSCR to __init_FSCR(), in commit
+54c9b2253d34 ("powerpc: Set DSCR bit in FSCR setup") (Mar 2013), again
+that was permanent after boot.
+
+Then commit 2517617e0de6 ("powerpc: Fix context switch DSCR on
+POWER8") (Aug 2013) added a limited context switch of FSCR, just the
+FSCR_DSCR bit was context switched based on thread.dscr_inherit. That
+commit said "This clears the H/FSCR DSCR bit initially", but it
+didn't, it left the initialisation of FSCR_DSCR in __init_FSCR().
+However the initial context switch from init_task to pid 1 would clear
+FSCR_DSCR because thread.dscr_inherit was 0.
+
+That commit also introduced the requirement that FSCR_DSCR be clear
+for user processes, so that we can take the facility unavailable
+interrupt in order to manage dscr_inherit.
+
+Then in commit 152d523e6307 ("powerpc: Create context switch helpers
+save_sprs() and restore_sprs()") (Dec 2015) FSCR was added to
+thread_struct. However it still wasn't fully context switched, we just
+took the existing value and set FSCR_DSCR if the new thread had
+dscr_inherit set. FSCR was still initialised at boot to FSCR_DSCR |
+FSCR_TAR, but that value was not propagated into the thread_struct, so
+the initial context switch set FSCR_DSCR back to 0.
+
+Finally commit b57bd2de8c6c ("powerpc: Improve FSCR init and context
+switching") (Jun 2016) added a full context switch of the FSCR, and
+added an initialisation of init_task.thread.fscr to FSCR_TAR |
+FSCR_EBB, but omitted FSCR_DSCR.
+
+The end result is that swapper runs with FSCR_DSCR set because of the
+initialisation in __init_FSCR(), but no other processes do, they use
+the value from init_task.thread.fscr.
+
+Having FSCR_DSCR set for swapper allows it to access SPR 3 from
+userspace, but swapper never runs userspace, so it has no useful
+effect. It's also confusing to have the value initialised in two
+places to two different values.
+
+So remove FSCR_DSCR from __init_FSCR(), this at least gets us to the
+point where there's a single value of FSCR, even if it's still set in
+two places.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Tested-by: Alistair Popple <alistair@popple.id.au>
+Link: https://lore.kernel.org/r/20200527145843.2761782-1-mpe@ellerman.id.au
+Cc: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/cpu_setup_power.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/cpu_setup_power.S
++++ b/arch/powerpc/kernel/cpu_setup_power.S
+@@ -184,7 +184,7 @@ __init_LPCR_ISA300:
+
+ __init_FSCR:
+ mfspr r3,SPRN_FSCR
+- ori r3,r3,FSCR_TAR|FSCR_DSCR|FSCR_EBB
++ ori r3,r3,FSCR_TAR|FSCR_EBB
+ mtspr SPRN_FSCR,r3
+ blr
+
--- /dev/null
+powerpc-64s-don-t-init-fscr_dscr-in-__init_fscr.patch
+binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch
+gre6-fix-reception-with-ip6_tnl_f_rcv_dscp_copy.patch
+net-fix-potential-wrong-skb-protocol-in-skb_vlan_untag.patch
+net-nexthop-don-t-allow-empty-nha_group.patch
+net-qrtr-fix-usage-of-idr-in-port-assignment-to-socket.patch
+net-sctp-fix-negotiation-of-the-number-of-data-streams.patch
+net-smc-prevent-kernel-infoleak-in-__smc_diag_dump.patch
+tipc-fix-uninit-skb-data-in-tipc_nl_compat_dumpit.patch
+net-ena-make-missed_tx-stat-incremental.patch
+net-sched-act_ct-fix-skb-double-free-in-tcf_ct_handle_fragments-error-flow.patch
+ipvlan-fix-device-features.patch
--- /dev/null
+From foo@baz Wed Aug 26 03:58:58 PM CEST 2020
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 15 Aug 2020 16:29:15 -0700
+Subject: tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
+
+__tipc_nl_compat_dumpit() has two callers, and it expects them to
+pass a valid nlmsghdr via arg->data. This header is artificial and
+crafted just for __tipc_nl_compat_dumpit().
+
+tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
+as some nested attribute, TIPC_NLA_SOCK. But the other caller
+tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
+on this call path.
+
+Fix this by just adding a similar nlmsghdr without any payload in
+tipc_nl_compat_dumpit().
+
+This bug exists since day 1, but the recent commit 6ea67769ff33
+("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
+easier to appear.
+
+Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Cc: Jon Maloy <jmaloy@redhat.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Cc: Richard Alpe <richard.alpe@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -255,8 +255,9 @@ err_out:
+ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ struct tipc_nl_compat_msg *msg)
+ {
+- int err;
++ struct nlmsghdr *nlh;
+ struct sk_buff *arg;
++ int err;
+
+ if (msg->req_type && (!msg->req_size ||
+ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+@@ -285,6 +286,15 @@ static int tipc_nl_compat_dumpit(struct
+ return -ENOMEM;
+ }
+
++ nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
++ if (!nlh) {
++ kfree_skb(arg);
++ kfree_skb(msg->rep);
++ msg->rep = NULL;
++ return -EMSGSIZE;
++ }
++ nlmsg_end(arg, nlh);
++
+ err = __tipc_nl_compat_dumpit(cmd, msg, arg);
+ if (err) {
+ kfree_skb(msg->rep);
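Review bot: The new failure path repeats the `kfree_skb(msg->rep); msg->rep = NULL;` cleanup that the `__tipc_nl_compat_dumpit()` error branch just below also begins with, so there are now two copies to keep in step; a shared error label would be tidier. The added block also needs a comment explaining why an empty header is written, e.g. `/* __tipc_nl_compat_dumpit() parses arg->data as an nlmsghdr; supply one with no payload */`, since nothing in the code says the callee reads it. tipc_nl_compat_dumpit() starts and ends outside this hunk, so who frees `arg` after the call is not visible.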