--- /dev/null
+From d27fc8b083bea5681597f7b4fa3fd1211c49613f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 09:05:06 -0700
+Subject: erspan: Add type I version 0 support.
+
+From: William Tu <u9012063@gmail.com>
+
+[ Upstream commit f989d546a2d5a9f001f6f8be49d98c10ab9b1897 ]
+
+The Type I ERSPAN frame format is based on the barebones
+IP + GRE(4-byte) encapsulation on top of the raw mirrored frame.
+Both type I and II use 0x88BE as protocol type. Unlike type II
+and III, no sequence number or key is required.
+To creat a type I erspan tunnel device:
+ $ ip link add dev erspan11 type erspan \
+ local 172.16.1.100 remote 172.16.1.200 \
+ erspan_ver 0
+
+Signed-off-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 17af420545a7 ("erspan: make sure erspan_base_hdr is present in skb->head")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/erspan.h | 19 +++++++++++++--
+ net/ipv4/ip_gre.c | 58 ++++++++++++++++++++++++++++++++------------
+ 2 files changed, 60 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/erspan.h b/include/net/erspan.h
+index b39643ef4c95f..0d9e86bd98934 100644
+--- a/include/net/erspan.h
++++ b/include/net/erspan.h
+@@ -2,7 +2,19 @@
+ #define __LINUX_ERSPAN_H
+
+ /*
+- * GRE header for ERSPAN encapsulation (8 octets [34:41]) -- 8 bytes
++ * GRE header for ERSPAN type I encapsulation (4 octets [34:37])
++ * 0 1 2 3
++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |0|0|0|0|0|00000|000000000|00000| Protocol Type for ERSPAN |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ *
++ * The Type I ERSPAN frame format is based on the barebones IP + GRE
++ * encapsulation (as described above) on top of the raw mirrored frame.
++ * There is no extra ERSPAN header.
++ *
++ *
++ * GRE header for ERSPAN type II and II encapsulation (8 octets [34:41])
+ * 0 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+@@ -43,7 +55,7 @@
+ * | Platform Specific Info |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+- * GRE proto ERSPAN type II = 0x88BE, type III = 0x22EB
++ * GRE proto ERSPAN type I/II = 0x88BE, type III = 0x22EB
+ */
+
+ #include <uapi/linux/erspan.h>
+@@ -139,6 +151,9 @@ static inline u8 get_hwid(const struct erspan_md2 *md2)
+
+ static inline int erspan_hdr_len(int version)
+ {
++ if (version == 0)
++ return 0;
++
+ return sizeof(struct erspan_base_hdr) +
+ (version == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE);
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 38c8db78cda19..d1e90bfa84c11 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -251,6 +251,15 @@ static void gre_err(struct sk_buff *skb, u32 info)
+ ipgre_err(skb, info, &tpi);
+ }
+
++static bool is_erspan_type1(int gre_hdr_len)
++{
++ /* Both ERSPAN type I (version 0) and type II (version 1) use
++ * protocol 0x88BE, but the type I has only 4-byte GRE header,
++ * while type II has 8-byte.
++ */
++ return gre_hdr_len == 4;
++}
++
+ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ int gre_hdr_len)
+ {
+@@ -265,17 +274,26 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ int len;
+
+ itn = net_generic(net, erspan_net_id);
+-
+ iph = ip_hdr(skb);
+- ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
+- ver = ershdr->ver;
+-
+- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
+- tpi->flags | TUNNEL_KEY,
+- iph->saddr, iph->daddr, tpi->key);
++ if (is_erspan_type1(gre_hdr_len)) {
++ ver = 0;
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
++ tpi->flags | TUNNEL_NO_KEY,
++ iph->saddr, iph->daddr, 0);
++ } else {
++ ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
++ ver = ershdr->ver;
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
++ tpi->flags | TUNNEL_KEY,
++ iph->saddr, iph->daddr, tpi->key);
++ }
+
+ if (tunnel) {
+- len = gre_hdr_len + erspan_hdr_len(ver);
++ if (is_erspan_type1(gre_hdr_len))
++ len = gre_hdr_len;
++ else
++ len = gre_hdr_len + erspan_hdr_len(ver);
++
+ if (unlikely(!pskb_may_pull(skb, len)))
+ return PACKET_REJECT;
+
+@@ -746,7 +764,10 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
+ }
+
+ /* Push ERSPAN header */
+- if (tunnel->erspan_ver == 1) {
++ if (tunnel->erspan_ver == 0) {
++ proto = htons(ETH_P_ERSPAN);
++ tunnel->parms.o_flags &= ~TUNNEL_SEQ;
++ } else if (tunnel->erspan_ver == 1) {
+ erspan_build_header(skb, ntohl(tunnel->parms.o_key),
+ tunnel->index,
+ truncate, true);
+@@ -1156,7 +1177,10 @@ static int erspan_validate(struct nlattr *tb[], struct nlattr *data[],
+ if (ret)
+ return ret;
+
+- /* ERSPAN should only have GRE sequence and key flag */
++ if (nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0)
++ return 0;
++
++ /* ERSPAN type II/III should only have GRE sequence and key flag */
+ if (data[IFLA_GRE_OFLAGS])
+ flags |= nla_get_be16(data[IFLA_GRE_OFLAGS]);
+ if (data[IFLA_GRE_IFLAGS])
+@@ -1264,7 +1288,7 @@ static int erspan_netlink_parms(struct net_device *dev,
+ if (data[IFLA_GRE_ERSPAN_VER]) {
+ t->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
+
+- if (t->erspan_ver != 1 && t->erspan_ver != 2)
++ if (t->erspan_ver > 2)
+ return -EINVAL;
+ }
+
+@@ -1349,7 +1373,11 @@ static int erspan_tunnel_init(struct net_device *dev)
+ {
+ struct ip_tunnel *tunnel = netdev_priv(dev);
+
+- tunnel->tun_hlen = 8;
++ if (tunnel->erspan_ver == 0)
++ tunnel->tun_hlen = 4; /* 4-byte GRE hdr. */
++ else
++ tunnel->tun_hlen = 8; /* 8-byte GRE hdr. */
++
+ tunnel->parms.iph.protocol = IPPROTO_GRE;
+ tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen +
+ erspan_hdr_len(tunnel->erspan_ver);
+@@ -1552,8 +1580,8 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ struct ip_tunnel_parm *p = &t->parms;
+ __be16 o_flags = p->o_flags;
+
+- if (t->erspan_ver == 1 || t->erspan_ver == 2) {
+- if (!t->collect_md)
++ if (t->erspan_ver <= 2) {
++ if (t->erspan_ver != 0 && !t->collect_md)
+ o_flags |= TUNNEL_KEY;
+
+ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
+@@ -1562,7 +1590,7 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ if (t->erspan_ver == 1) {
+ if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
+ goto nla_put_failure;
+- } else {
++ } else if (t->erspan_ver == 2) {
+ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
+ goto nla_put_failure;
+ if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
+--
+2.43.0
+
--- /dev/null
+From ecbbe568db0e5423ef753df5424796b756167145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 11:22:48 +0000
+Subject: erspan: make sure erspan_base_hdr is present in skb->head
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 17af420545a750f763025149fa7b833a4fc8b8f0 ]
+
+syzbot reported a problem in ip6erspan_rcv() [1]
+
+Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
+sure erspan_base_hdr is present in skb linear part (skb->head)
+before getting @ver field from it.
+
+Add the missing pskb_may_pull() calls.
+
+v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
+ because skb->head might have changed.
+
+[1]
+
+ BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
+ BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
+ BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
+ BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
+ pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
+ pskb_may_pull include/linux/skbuff.h:2756 [inline]
+ ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
+ gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
+ ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
+ ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
+ ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
+ dst_input include/net/dst.h:460 [inline]
+ ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5538 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
+ netif_receive_skb_internal net/core/dev.c:5738 [inline]
+ netif_receive_skb+0x58/0x660 net/core/dev.c:5798
+ tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
+ tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
+ tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+ call_write_iter include/linux/fs.h:2108 [inline]
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xb63/0x1520 fs/read_write.c:590
+ ksys_write+0x20f/0x4c0 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __x64_sys_write+0x93/0xe0 fs/read_write.c:652
+ do_syscall_64+0xd5/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3804 [inline]
+ slab_alloc_node mm/slub.c:3845 [inline]
+ kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
+ __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
+ alloc_skb include/linux/skbuff.h:1318 [inline]
+ alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
+ sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
+ tun_alloc_skb drivers/net/tun.c:1525 [inline]
+ tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
+ tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+ call_write_iter include/linux/fs.h:2108 [inline]
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xb63/0x1520 fs/read_write.c:590
+ ksys_write+0x20f/0x4c0 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __x64_sys_write+0x93/0xe0 fs/read_write.c:652
+ do_syscall_64+0xd5/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
+
+Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
+Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 5 +++++
+ net/ipv6/ip6_gre.c | 3 +++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index d1e90bfa84c11..6d4b6815aa347 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -281,8 +281,13 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ tpi->flags | TUNNEL_NO_KEY,
+ iph->saddr, iph->daddr, 0);
+ } else {
++ if (unlikely(!pskb_may_pull(skb,
++ gre_hdr_len + sizeof(*ershdr))))
++ return PACKET_REJECT;
++
+ ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
+ ver = ershdr->ver;
++ iph = ip_hdr(skb);
+ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
+ tpi->flags | TUNNEL_KEY,
+ iph->saddr, iph->daddr, tpi->key);
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index aa8ada354a399..58e1fc8e41241 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -551,6 +551,9 @@ static int ip6erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ struct ip6_tnl *tunnel;
+ u8 ver;
+
++ if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
++ return PACKET_REJECT;
++
+ ipv6h = ipv6_hdr(skb);
+ ershdr = (struct erspan_base_hdr *)skb->data;
+ ver = ershdr->ver;
+--
+2.43.0
+
--- /dev/null
+From 9c00e35277e95503317be9db68a1c81d4972579b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 08:55:05 +0200
+Subject: fs: add a vfs_fchmod helper
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 9e96c8c0e94eea2f69a9705f5d0f51928ea26c17 ]
+
+Add a helper for struct file based chmode operations. To be used by
+the initramfs code soon.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/open.c | 9 +++++++--
+ include/linux/fs.h | 1 +
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/open.c b/fs/open.c
+index e072e86003f56..fc634ab5af0d6 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -569,14 +569,19 @@ static int chmod_common(const struct path *path, umode_t mode)
+ return error;
+ }
+
++int vfs_fchmod(struct file *file, umode_t mode)
++{
++ audit_file(file);
++ return chmod_common(&file->f_path, mode);
++}
++
+ int ksys_fchmod(unsigned int fd, umode_t mode)
+ {
+ struct fd f = fdget(fd);
+ int err = -EBADF;
+
+ if (f.file) {
+- audit_file(f.file);
+- err = chmod_common(&f.file->f_path, mode);
++ err = vfs_fchmod(f.file, mode);
+ fdput(f);
+ }
+ return err;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 7d93d22ad1062..95e35e0740117 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1661,6 +1661,7 @@ int vfs_mkobj(struct dentry *, umode_t,
+ void *);
+
+ int vfs_fchown(struct file *file, uid_t user, gid_t group);
++int vfs_fchmod(struct file *file, umode_t mode);
+
+ extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+
+--
+2.43.0
+
--- /dev/null
+From 78f9b1f1aadf861c3aa7ae9649597a07f21808a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 08:47:43 +0200
+Subject: fs: add a vfs_fchown helper
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit c04011fe8cbd80af1be6e12b53193bf3846750d7 ]
+
+Add a helper for struct file based chown operations. To be used by
+the initramfs code soon.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/open.c | 29 +++++++++++++++++------------
+ include/linux/fs.h | 2 ++
+ 2 files changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/fs/open.c b/fs/open.c
+index 76996f920ebf5..e072e86003f56 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -707,23 +707,28 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
+ AT_SYMLINK_NOFOLLOW);
+ }
+
++int vfs_fchown(struct file *file, uid_t user, gid_t group)
++{
++ int error;
++
++ error = mnt_want_write_file(file);
++ if (error)
++ return error;
++ audit_file(file);
++ error = chown_common(&file->f_path, user, group);
++ mnt_drop_write_file(file);
++ return error;
++}
++
+ int ksys_fchown(unsigned int fd, uid_t user, gid_t group)
+ {
+ struct fd f = fdget(fd);
+ int error = -EBADF;
+
+- if (!f.file)
+- goto out;
+-
+- error = mnt_want_write_file(f.file);
+- if (error)
+- goto out_fput;
+- audit_file(f.file);
+- error = chown_common(&f.file->f_path, user, group);
+- mnt_drop_write_file(f.file);
+-out_fput:
+- fdput(f);
+-out:
++ if (f.file) {
++ error = vfs_fchown(f.file, user, group);
++ fdput(f);
++ }
+ return error;
+ }
+
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index e2c87c056742c..7d93d22ad1062 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1660,6 +1660,8 @@ int vfs_mkobj(struct dentry *, umode_t,
+ int (*f)(struct dentry *, umode_t, void *),
+ void *);
+
++int vfs_fchown(struct file *file, uid_t user, gid_t group);
++
+ extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 3852fbc7a54318a93c90bdeb6cb1fc5258d9f494 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Mar 2024 15:15:22 -0700
+Subject: init: open /initrd.image with O_LARGEFILE
+
+From: John Sperbeck <jsperbeck@google.com>
+
+[ Upstream commit 4624b346cf67400ef46a31771011fb798dd2f999 ]
+
+If initrd data is larger than 2Gb, we'll eventually fail to write to the
+/initrd.image file when we hit that limit, unless O_LARGEFILE is set.
+
+Link: https://lkml.kernel.org/r/20240317221522.896040-1-jsperbeck@google.com
+Signed-off-by: John Sperbeck <jsperbeck@google.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index e378d15a949e0..6b49c5ae78c7a 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -613,7 +613,7 @@ static void populate_initrd_image(char *err)
+
+ printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
+ err);
+- file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
++ file = filp_open("/initrd.image", O_WRONLY|O_CREAT|O_LARGEFILE, 0700);
+ if (IS_ERR(file))
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From 031683b96a8a9a03196f5c36c547b37f208991ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2019 17:18:24 -0700
+Subject: initramfs: factor out a helper to populate the initrd image
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7c184ecd262fe64fe8cf4e099e0f7cefe88d88b2 ]
+
+This will allow for cleaner code sharing in the caller.
+
+Link: http://lkml.kernel.org/r/20190213174621.29297-5-hch@lst.de
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com> [arm64]
+Cc: Geert Uytterhoeven <geert@linux-m68k.org> [m68k]
+Cc: Steven Price <steven.price@arm.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Guan Xuetao <gxt@pku.edu.cn>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 40 +++++++++++++++++++++++-----------------
+ 1 file changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index dab8d63459f63..7103edf44436c 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -599,6 +599,28 @@ static void __init clean_rootfs(void)
+ }
+ #endif
+
++#ifdef CONFIG_BLK_DEV_RAM
++static void populate_initrd_image(char *err)
++{
++ ssize_t written;
++ int fd;
++
++ unpack_to_rootfs(__initramfs_start, __initramfs_size);
++
++ printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
++ err);
++ fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
++ if (fd < 0)
++ return;
++
++ written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start);
++ if (written != initrd_end - initrd_start)
++ pr_err("/initrd.image: incomplete write (%zd != %ld)\n",
++ written, initrd_end - initrd_start);
++ ksys_close(fd);
++}
++#endif /* CONFIG_BLK_DEV_RAM */
++
+ static int __init populate_rootfs(void)
+ {
+ /* Load the built in initramfs */
+@@ -608,7 +630,6 @@ static int __init populate_rootfs(void)
+ /* If available load the bootloader supplied initrd */
+ if (initrd_start && !IS_ENABLED(CONFIG_INITRAMFS_FORCE)) {
+ #ifdef CONFIG_BLK_DEV_RAM
+- int fd;
+ printk(KERN_INFO "Trying to unpack rootfs image as initramfs...\n");
+ err = unpack_to_rootfs((char *)initrd_start,
+ initrd_end - initrd_start);
+@@ -616,22 +637,7 @@ static int __init populate_rootfs(void)
+ goto done;
+
+ clean_rootfs();
+- unpack_to_rootfs(__initramfs_start, __initramfs_size);
+-
+- printk(KERN_INFO "rootfs image is not initramfs (%s)"
+- "; looks like an initrd\n", err);
+- fd = ksys_open("/initrd.image",
+- O_WRONLY|O_CREAT, 0700);
+- if (fd >= 0) {
+- ssize_t written = xwrite(fd, (char *)initrd_start,
+- initrd_end - initrd_start);
+-
+- if (written != initrd_end - initrd_start)
+- pr_err("/initrd.image: incomplete write (%zd != %ld)\n",
+- written, initrd_end - initrd_start);
+-
+- ksys_close(fd);
+- }
++ populate_initrd_image(err);
+ done:
+ /* empty statement */;
+ #else
+--
+2.43.0
+
--- /dev/null
+From 10399e913a093fc2eea606cc82a773411b4e0097 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 08:56:19 +0200
+Subject: initramfs: switch initramfs unpacking to struct file based APIs
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit bf6419e4d5440c6d414a320506c5488857a5b001 ]
+
+There is no good reason to mess with file descriptors from in-kernel
+code, switch the initramfs unpacking to struct file based write
+instead.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 47 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index 7103edf44436c..e378d15a949e0 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -11,13 +11,14 @@
+ #include <linux/utime.h>
+ #include <linux/file.h>
+
+-static ssize_t __init xwrite(int fd, const char *p, size_t count)
++static ssize_t __init xwrite(struct file *file, const char *p, size_t count,
++ loff_t *pos)
+ {
+ ssize_t out = 0;
+
+ /* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */
+ while (count) {
+- ssize_t rv = ksys_write(fd, p, count);
++ ssize_t rv = kernel_write(file, p, count, pos);
+
+ if (rv < 0) {
+ if (rv == -EINTR || rv == -EAGAIN)
+@@ -315,7 +316,8 @@ static int __init maybe_link(void)
+ return 0;
+ }
+
+-static __initdata int wfd;
++static __initdata struct file *wfile;
++static __initdata loff_t wfile_pos;
+
+ static int __init do_name(void)
+ {
+@@ -332,16 +334,17 @@ static int __init do_name(void)
+ int openflags = O_WRONLY|O_CREAT;
+ if (ml != 1)
+ openflags |= O_TRUNC;
+- wfd = ksys_open(collected, openflags, mode);
+-
+- if (wfd >= 0) {
+- ksys_fchown(wfd, uid, gid);
+- ksys_fchmod(wfd, mode);
+- if (body_len)
+- ksys_ftruncate(wfd, body_len);
+- vcollected = kstrdup(collected, GFP_KERNEL);
+- state = CopyFile;
+- }
++ wfile = filp_open(collected, openflags, mode);
++ if (IS_ERR(wfile))
++ return 0;
++ wfile_pos = 0;
++
++ vfs_fchown(wfile, uid, gid);
++ vfs_fchmod(wfile, mode);
++ if (body_len)
++ vfs_truncate(&wfile->f_path, body_len);
++ vcollected = kstrdup(collected, GFP_KERNEL);
++ state = CopyFile;
+ }
+ } else if (S_ISDIR(mode)) {
+ ksys_mkdir(collected, mode);
+@@ -363,16 +366,16 @@ static int __init do_name(void)
+ static int __init do_copy(void)
+ {
+ if (byte_count >= body_len) {
+- if (xwrite(wfd, victim, body_len) != body_len)
++ if (xwrite(wfile, victim, body_len, &wfile_pos) != body_len)
+ error("write error");
+- ksys_close(wfd);
++ fput(wfile);
+ do_utime(vcollected, mtime);
+ kfree(vcollected);
+ eat(body_len);
+ state = SkipIt;
+ return 0;
+ } else {
+- if (xwrite(wfd, victim, byte_count) != byte_count)
++ if (xwrite(wfile, victim, byte_count, &wfile_pos) != byte_count)
+ error("write error");
+ body_len -= byte_count;
+ eat(byte_count);
+@@ -603,21 +606,23 @@ static void __init clean_rootfs(void)
+ static void populate_initrd_image(char *err)
+ {
+ ssize_t written;
+- int fd;
++ struct file *file;
++ loff_t pos = 0;
+
+ unpack_to_rootfs(__initramfs_start, __initramfs_size);
+
+ printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
+ err);
+- fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
+- if (fd < 0)
++ file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
++ if (IS_ERR(file))
+ return;
+
+- written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start);
++ written = xwrite(file, (char *)initrd_start, initrd_end - initrd_start,
++ &pos);
+ if (written != initrd_end - initrd_start)
+ pr_err("/initrd.image: incomplete write (%zd != %ld)\n",
+ written, initrd_end - initrd_start);
+- ksys_close(fd);
++ fput(file);
+ }
+ #endif /* CONFIG_BLK_DEV_RAM */
+
+--
+2.43.0
+
selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch
ipv6-fix-infinite-recursion-in-fib6_dump_done.patch
i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch
+staging-mmal-vchiq-avoid-use-of-bool-in-structures.patch
+staging-mmal-vchiq-allocate-and-free-components-as-r.patch
+staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch
+staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
+staging-vc04_services-fix-information-leak-in-create.patch
+initramfs-factor-out-a-helper-to-populate-the-initrd.patch
+fs-add-a-vfs_fchown-helper.patch
+fs-add-a-vfs_fchmod-helper.patch
+initramfs-switch-initramfs-unpacking-to-struct-file-.patch
+init-open-initrd.image-with-o_largefile.patch
+erspan-add-type-i-version-0-support.patch
+erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch
--- /dev/null
+From b9bc79e2d7b420355f8d47179ad0cbc7bf73f170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 18:41:48 +0200
+Subject: staging: mmal-vchiq: Allocate and free components as required
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+
+[ Upstream commit 8c589e1794a31e9a381916b0280260ab601e4d6e ]
+
+The existing code assumed that there would only ever be 4 components,
+and never freed the entries once used.
+Allow arbitrary creation and destruction of components.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/20200623164235.29566-3-nsaenzjulienne@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vc04_services/bcm2835-camera/mmal-vchiq.c | 29 ++++++++++++-------
+ .../vc04_services/bcm2835-camera/mmal-vchiq.h | 1 +
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 00c943516ba38..4f128c75c0f6c 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -31,8 +31,11 @@
+ #define USE_VCHIQ_ARM
+ #include "interface/vchi/vchi.h"
+
+-/* maximum number of components supported */
+-#define VCHIQ_MMAL_MAX_COMPONENTS 4
++/*
++ * maximum number of components supported.
++ * This matches the maximum permitted by default on the VPU
++ */
++#define VCHIQ_MMAL_MAX_COMPONENTS 64
+
+ /*#define FULL_MSG_DUMP 1*/
+
+@@ -165,8 +168,6 @@ struct vchiq_mmal_instance {
+ /* protect accesses to context_map */
+ struct mutex context_map_lock;
+
+- /* component to use next */
+- int component_idx;
+ struct vchiq_mmal_component component[VCHIQ_MMAL_MAX_COMPONENTS];
+ };
+
+@@ -1607,18 +1608,24 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ {
+ int ret;
+ int idx; /* port index */
+- struct vchiq_mmal_component *component;
++ struct vchiq_mmal_component *component = NULL;
+
+ if (mutex_lock_interruptible(&instance->vchiq_mutex))
+ return -EINTR;
+
+- if (instance->component_idx == VCHIQ_MMAL_MAX_COMPONENTS) {
++ for (idx = 0; idx < VCHIQ_MMAL_MAX_COMPONENTS; idx++) {
++ if (!instance->component[idx].in_use) {
++ component = &instance->component[idx];
++ component->in_use = 1;
++ break;
++ }
++ }
++
++ if (!component) {
+ ret = -EINVAL; /* todo is this correct error? */
+ goto unlock;
+ }
+
+- component = &instance->component[instance->component_idx];
+-
+ ret = create_component(instance, component, name);
+ if (ret < 0)
+ goto unlock;
+@@ -1666,8 +1673,6 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ goto release_component;
+ }
+
+- instance->component_idx++;
+-
+ *component_out = component;
+
+ mutex_unlock(&instance->vchiq_mutex);
+@@ -1677,6 +1682,8 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ release_component:
+ destroy_component(instance, component);
+ unlock:
++ if (component)
++ component->in_use = 0;
+ mutex_unlock(&instance->vchiq_mutex);
+
+ return ret;
+@@ -1698,6 +1705,8 @@ int vchiq_mmal_component_finalise(struct vchiq_mmal_instance *instance,
+
+ ret = destroy_component(instance, component);
+
++ component->in_use = 0;
++
+ mutex_unlock(&instance->vchiq_mutex);
+
+ return ret;
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index b3c231e619c90..ee5eb6d4d080d 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -81,6 +81,7 @@ struct vchiq_mmal_port {
+ };
+
+ struct vchiq_mmal_component {
++ u32 in_use:1;
+ u32 enabled:1;
+ u32 handle; /* VideoCore handle for component */
+ u32 inputs; /* Number of input ports */
+--
+2.43.0
+
--- /dev/null
+From 41deae65b380841b597ddfbb30e1ea2edbe4075d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Jun 2019 21:31:39 +0200
+Subject: staging: mmal-vchiq: Avoid use of bool in structures
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+
+[ Upstream commit 640e77466e69d9c28de227bc76881f5501f532ca ]
+
+Fixes up a checkpatch error "Avoid using bool structure members
+because of possible alignment issues".
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vc04_services/bcm2835-camera/mmal-vchiq.c | 12 ++++++------
+ .../vc04_services/bcm2835-camera/mmal-vchiq.h | 4 ++--
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index daa2b96565529..00c943516ba38 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -845,9 +845,9 @@ static int port_info_get(struct vchiq_mmal_instance *instance,
+ goto release_msg;
+
+ if (rmsg->u.port_info_get_reply.port.is_enabled == 0)
+- port->enabled = false;
++ port->enabled = 0;
+ else
+- port->enabled = true;
++ port->enabled = 1;
+
+ /* copy the values out of the message */
+ port->handle = rmsg->u.port_info_get_reply.port_handle;
+@@ -1283,7 +1283,7 @@ static int port_disable(struct vchiq_mmal_instance *instance,
+ if (!port->enabled)
+ return 0;
+
+- port->enabled = false;
++ port->enabled = 0;
+
+ ret = port_action_port(instance, port,
+ MMAL_MSG_PORT_ACTION_TYPE_DISABLE);
+@@ -1335,7 +1335,7 @@ static int port_enable(struct vchiq_mmal_instance *instance,
+ if (ret)
+ goto done;
+
+- port->enabled = true;
++ port->enabled = 1;
+
+ if (port->buffer_cb) {
+ /* send buffer headers to videocore */
+@@ -1502,7 +1502,7 @@ int vchiq_mmal_port_connect_tunnel(struct vchiq_mmal_instance *instance,
+ pr_err("failed disconnecting src port\n");
+ goto release_unlock;
+ }
+- src->connected->enabled = false;
++ src->connected->enabled = 0;
+ src->connected = NULL;
+ }
+
+@@ -1746,7 +1746,7 @@ int vchiq_mmal_component_disable(struct vchiq_mmal_instance *instance,
+
+ ret = disable_component(instance, component);
+ if (ret == 0)
+- component->enabled = false;
++ component->enabled = 0;
+
+ mutex_unlock(&instance->vchiq_mutex);
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index b0ee1716525b4..b3c231e619c90 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -47,7 +47,7 @@ typedef void (*vchiq_mmal_buffer_cb)(
+ unsigned long length, u32 mmal_flags, s64 dts, s64 pts);
+
+ struct vchiq_mmal_port {
+- bool enabled;
++ u32 enabled:1;
+ u32 handle;
+ u32 type; /* port type, cached to use on port info set */
+ u32 index; /* port index, cached to use on port info set */
+@@ -81,7 +81,7 @@ struct vchiq_mmal_port {
+ };
+
+ struct vchiq_mmal_component {
+- bool enabled;
++ u32 enabled:1;
+ u32 handle; /* VideoCore handle for component */
+ u32 inputs; /* Number of input ports */
+ u32 outputs; /* Number of output ports */
+--
+2.43.0
+
--- /dev/null
+From 260c3004eabc0be2c154c28b5cef159d808fa670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 17:09:02 +0200
+Subject: staging: mmal-vchiq: Fix client_component for 64 bit kernel
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+
+[ Upstream commit 22e64b486adc4785542f8002c3af4c895490f841 ]
+
+The MMAL client_component field is used with the event
+mechanism to allow the client to identify the component for
+which the event is generated.
+The field is only 32bits in size, therefore we can't use a
+pointer to the component in a 64 bit kernel.
+
+Component handles are already held in an array per VCHI
+instance, so use the array index as the client_component handle
+to avoid having to create a new IDR for this purpose.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/20200629150945.10720-5-nsaenzjulienne@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 8 +++++++-
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 4f128c75c0f6c..2794df22224ad 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -920,7 +920,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
+
+ /* build component create message */
+ m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
+- m.u.component_create.client_component = (u32)(unsigned long)component;
++ m.u.component_create.client_component = component->client_component;
+ strncpy(m.u.component_create.name, name,
+ sizeof(m.u.component_create.name));
+
+@@ -1626,6 +1626,12 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ goto unlock;
+ }
+
++ /* We need a handle to reference back to our component structure.
++ * Use the array index in instance->component rather than rolling
++ * another IDR.
++ */
++ component->client_component = idx;
++
+ ret = create_component(instance, component, name);
+ if (ret < 0)
+ goto unlock;
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index ee5eb6d4d080d..d20d5182577d6 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -91,6 +91,7 @@ struct vchiq_mmal_component {
+ struct vchiq_mmal_port input[MAX_PORT_COUNT]; /* input ports */
+ struct vchiq_mmal_port output[MAX_PORT_COUNT]; /* output ports */
+ struct vchiq_mmal_port clock[MAX_PORT_COUNT]; /* clock ports */
++ u32 client_component; /* Used to ref back to client struct */
+ };
+
+ int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance);
+--
+2.43.0
+
--- /dev/null
+From 99f4650ba8420df18cc1276efcba889217e05e8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 17:36:56 +0100
+Subject: staging: vc04_services: changen strncpy() to strscpy_pad()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit ef25725b7f8aaffd7756974d3246ec44fae0a5cf ]
+
+gcc-14 warns about this strncpy() that results in a non-terminated
+string for an overflow:
+
+In file included from include/linux/string.h:369,
+ from drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:20:
+In function 'strncpy',
+ inlined from 'create_component' at drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:940:2:
+include/linux/fortify-string.h:108:33: error: '__builtin_strncpy' specified bound 128 equals destination size [-Werror=stringop-truncation]
+
+Change it to strscpy_pad(), which produces a properly terminated and
+zero-padded string.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20240313163712.224585-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 2794df22224ad..5d1fb582fde60 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -921,8 +921,8 @@ static int create_component(struct vchiq_mmal_instance *instance,
+ /* build component create message */
+ m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
+ m.u.component_create.client_component = component->client_component;
+- strncpy(m.u.component_create.name, name,
+- sizeof(m.u.component_create.name));
++ strscpy_pad(m.u.component_create.name, name,
++ sizeof(m.u.component_create.name));
+
+ ret = send_synchronous_mmal_msg(instance, &m,
+ sizeof(m.u.component_create),
+--
+2.43.0
+
--- /dev/null
+From 8e132884f2b8575e7e6fd55b1f6f4c5f42dbb2c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 21:07:43 +0300
+Subject: staging: vc04_services: fix information leak in create_component()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f37e76abd614b68987abc8e5c22d986013349771 ]
+
+The m.u.component_create.pid field is for debugging and in the mainline
+kernel it's not used anything. However, it still needs to be set to
+something to prevent disclosing uninitialized stack data. Set it to
+zero.
+
+Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/2d972847-9ebd-481b-b6f9-af390f5aabd3@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 5d1fb582fde60..a6ba608fed938 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -923,6 +923,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
+ m.u.component_create.client_component = component->client_component;
+ strscpy_pad(m.u.component_create.name, name,
+ sizeof(m.u.component_create.name));
++ m.u.component_create.pid = 0;
+
+ ret = send_synchronous_mmal_msg(instance, &m,
+ sizeof(m.u.component_create),
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
