--- /dev/null
+From a3a939a67030c94b9012212236103d98d2f4970a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 09:05:06 -0700
+Subject: erspan: Add type I version 0 support.
+
+From: William Tu <u9012063@gmail.com>
+
+[ Upstream commit f989d546a2d5a9f001f6f8be49d98c10ab9b1897 ]
+
+The Type I ERSPAN frame format is based on the barebones
+IP + GRE(4-byte) encapsulation on top of the raw mirrored frame.
+Both type I and II use 0x88BE as protocol type. Unlike type II
+and III, no sequence number or key is required.
+To creat a type I erspan tunnel device:
+ $ ip link add dev erspan11 type erspan \
+ local 172.16.1.100 remote 172.16.1.200 \
+ erspan_ver 0
+
+Signed-off-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 17af420545a7 ("erspan: make sure erspan_base_hdr is present in skb->head")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/erspan.h | 19 +++++++++++++--
+ net/ipv4/ip_gre.c | 58 ++++++++++++++++++++++++++++++++------------
+ 2 files changed, 60 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/erspan.h b/include/net/erspan.h
+index b39643ef4c95f..0d9e86bd98934 100644
+--- a/include/net/erspan.h
++++ b/include/net/erspan.h
+@@ -2,7 +2,19 @@
+ #define __LINUX_ERSPAN_H
+
+ /*
+- * GRE header for ERSPAN encapsulation (8 octets [34:41]) -- 8 bytes
++ * GRE header for ERSPAN type I encapsulation (4 octets [34:37])
++ * 0 1 2 3
++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ * |0|0|0|0|0|00000|000000000|00000| Protocol Type for ERSPAN |
++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
++ *
++ * The Type I ERSPAN frame format is based on the barebones IP + GRE
++ * encapsulation (as described above) on top of the raw mirrored frame.
++ * There is no extra ERSPAN header.
++ *
++ *
++ * GRE header for ERSPAN type II and II encapsulation (8 octets [34:41])
+ * 0 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
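Review bot: The new heading in this comment reads `GRE header for ERSPAN type II and II encapsulation`, which names type II twice. The 8-octet layout below it is the one shared by types II and III, as the later line `type I/II = 0x88BE, type III = 0x22EB` confirms. It should read `GRE header for ERSPAN type II and III encapsulation (8 octets [34:41])`.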
+@@ -43,7 +55,7 @@
+ * | Platform Specific Info |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+- * GRE proto ERSPAN type II = 0x88BE, type III = 0x22EB
++ * GRE proto ERSPAN type I/II = 0x88BE, type III = 0x22EB
+ */
+
+ #include <uapi/linux/erspan.h>
+@@ -139,6 +151,9 @@ static inline u8 get_hwid(const struct erspan_md2 *md2)
+
+ static inline int erspan_hdr_len(int version)
+ {
++ if (version == 0)
++ return 0;
++
+ return sizeof(struct erspan_base_hdr) +
+ (version == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE);
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index db48dec61f305..f8369580ea273 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -248,6 +248,15 @@ static void gre_err(struct sk_buff *skb, u32 info)
+ ipgre_err(skb, info, &tpi);
+ }
+
++static bool is_erspan_type1(int gre_hdr_len)
++{
++ /* Both ERSPAN type I (version 0) and type II (version 1) use
++ * protocol 0x88BE, but the type I has only 4-byte GRE header,
++ * while type II has 8-byte.
++ */
++ return gre_hdr_len == 4;
++}
++
+ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ int gre_hdr_len)
+ {
+@@ -262,17 +271,26 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ int len;
+
+ itn = net_generic(net, erspan_net_id);
+-
+ iph = ip_hdr(skb);
+- ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
+- ver = ershdr->ver;
+-
+- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
+- tpi->flags | TUNNEL_KEY,
+- iph->saddr, iph->daddr, tpi->key);
++ if (is_erspan_type1(gre_hdr_len)) {
++ ver = 0;
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
++ tpi->flags | TUNNEL_NO_KEY,
++ iph->saddr, iph->daddr, 0);
++ } else {
++ ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
++ ver = ershdr->ver;
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
++ tpi->flags | TUNNEL_KEY,
++ iph->saddr, iph->daddr, tpi->key);
++ }
+
+ if (tunnel) {
+- len = gre_hdr_len + erspan_hdr_len(ver);
++ if (is_erspan_type1(gre_hdr_len))
++ len = gre_hdr_len;
++ else
++ len = gre_hdr_len + erspan_hdr_len(ver);
++
+ if (unlikely(!pskb_may_pull(skb, len)))
+ return PACKET_REJECT;
+
+@@ -670,7 +688,10 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
+ }
+
+ /* Push ERSPAN header */
+- if (tunnel->erspan_ver == 1) {
++ if (tunnel->erspan_ver == 0) {
++ proto = htons(ETH_P_ERSPAN);
++ tunnel->parms.o_flags &= ~TUNNEL_SEQ;
++ } else if (tunnel->erspan_ver == 1) {
+ erspan_build_header(skb, ntohl(tunnel->parms.o_key),
+ tunnel->index,
+ truncate, true);
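Review bot: `tunnel->parms.o_flags &= ~TUNNEL_SEQ;` rewrites persistent tunnel configuration from the per-packet transmit path, and no locking around that write is visible in the hunk. Clearing the flag once when version 0 is configured (erspan_netlink_parms or erspan_tunnel_init, both touched by this patch) would keep erspan_xmit read-only with respect to `parms`. It would also make the "type I never carries a sequence number" rule visible at setup time. The body of erspan_xmit continues outside the hunk.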
+@@ -1080,7 +1101,10 @@ static int erspan_validate(struct nlattr *tb[], struct nlattr *data[],
+ if (ret)
+ return ret;
+
+- /* ERSPAN should only have GRE sequence and key flag */
++ if (nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0)
++ return 0;
++
++ /* ERSPAN type II/III should only have GRE sequence and key flag */
+ if (data[IFLA_GRE_OFLAGS])
+ flags |= nla_get_be16(data[IFLA_GRE_OFLAGS]);
+ if (data[IFLA_GRE_IFLAGS])
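Review bot: The added `nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0` test in erspan_validate reads the attribute without checking that it was supplied. erspan_netlink_parms in this same patch wraps its read in `if (data[IFLA_GRE_ERSPAN_VER])`, which suggests the attribute is optional, so a netlink request that omits it would hand a NULL pointer to nla_get_u8. Guard it the same way: `if (data[IFLA_GRE_ERSPAN_VER] && nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0)`. The start of erspan_validate is outside the hunk, so confirm that nothing earlier already guarantees the attribute. If nothing does, this stable backport needs the guard carried alongside it.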
+@@ -1188,7 +1212,7 @@ static int erspan_netlink_parms(struct net_device *dev,
+ if (data[IFLA_GRE_ERSPAN_VER]) {
+ t->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
+
+- if (t->erspan_ver != 1 && t->erspan_ver != 2)
++ if (t->erspan_ver > 2)
+ return -EINVAL;
+ }
+
+@@ -1273,7 +1297,11 @@ static int erspan_tunnel_init(struct net_device *dev)
+ {
+ struct ip_tunnel *tunnel = netdev_priv(dev);
+
+- tunnel->tun_hlen = 8;
++ if (tunnel->erspan_ver == 0)
++ tunnel->tun_hlen = 4; /* 4-byte GRE hdr. */
++ else
++ tunnel->tun_hlen = 8; /* 8-byte GRE hdr. */
++
+ tunnel->parms.iph.protocol = IPPROTO_GRE;
+ tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen +
+ erspan_hdr_len(tunnel->erspan_ver);
+@@ -1470,8 +1498,8 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ struct ip_tunnel_parm *p = &t->parms;
+ __be16 o_flags = p->o_flags;
+
+- if (t->erspan_ver == 1 || t->erspan_ver == 2) {
+- if (!t->collect_md)
++ if (t->erspan_ver <= 2) {
++ if (t->erspan_ver != 0 && !t->collect_md)
+ o_flags |= TUNNEL_KEY;
+
+ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
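Review bot: Widening the test to `t->erspan_ver <= 2` makes the branch match version 0, which is also the value a zero-initialised tunnel would hold. If ipgre_fill_info is shared with plain GRE/gretap devices (the name suggests so, but its callers are outside the hunk), those devices would now emit IFLA_GRE_ERSPAN_VER in their netlink dump. Consider keying this branch on the device actually being an ERSPAN device rather than on the version range alone.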
+@@ -1480,7 +1508,7 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
+ if (t->erspan_ver == 1) {
+ if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
+ goto nla_put_failure;
+- } else {
++ } else if (t->erspan_ver == 2) {
+ if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
+ goto nla_put_failure;
+ if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
+--
+2.43.0
+
--- /dev/null
+From 80b0ea7b8eda85ce3b4544f9ae6ebead34731e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 11:22:48 +0000
+Subject: erspan: make sure erspan_base_hdr is present in skb->head
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 17af420545a750f763025149fa7b833a4fc8b8f0 ]
+
+syzbot reported a problem in ip6erspan_rcv() [1]
+
+Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
+sure erspan_base_hdr is present in skb linear part (skb->head)
+before getting @ver field from it.
+
+Add the missing pskb_may_pull() calls.
+
+v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
+ because skb->head might have changed.
+
+[1]
+
+ BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
+ BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
+ BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
+ BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
+ pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
+ pskb_may_pull include/linux/skbuff.h:2756 [inline]
+ ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
+ gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
+ ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
+ ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
+ ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
+ dst_input include/net/dst.h:460 [inline]
+ ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5538 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
+ netif_receive_skb_internal net/core/dev.c:5738 [inline]
+ netif_receive_skb+0x58/0x660 net/core/dev.c:5798
+ tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
+ tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
+ tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+ call_write_iter include/linux/fs.h:2108 [inline]
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xb63/0x1520 fs/read_write.c:590
+ ksys_write+0x20f/0x4c0 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __x64_sys_write+0x93/0xe0 fs/read_write.c:652
+ do_syscall_64+0xd5/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3804 [inline]
+ slab_alloc_node mm/slub.c:3845 [inline]
+ kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
+ __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
+ alloc_skb include/linux/skbuff.h:1318 [inline]
+ alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
+ sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
+ tun_alloc_skb drivers/net/tun.c:1525 [inline]
+ tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
+ tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+ call_write_iter include/linux/fs.h:2108 [inline]
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0xb63/0x1520 fs/read_write.c:590
+ ksys_write+0x20f/0x4c0 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __x64_sys_write+0x93/0xe0 fs/read_write.c:652
+ do_syscall_64+0xd5/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
+
+Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
+Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 5 +++++
+ net/ipv6/ip6_gre.c | 3 +++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index f8369580ea273..b8ff2179071f9 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -278,8 +278,13 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ tpi->flags | TUNNEL_NO_KEY,
+ iph->saddr, iph->daddr, 0);
+ } else {
++ if (unlikely(!pskb_may_pull(skb,
++ gre_hdr_len + sizeof(*ershdr))))
++ return PACKET_REJECT;
++
+ ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
+ ver = ershdr->ver;
++ iph = ip_hdr(skb);
+ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
+ tpi->flags | TUNNEL_KEY,
+ iph->saddr, iph->daddr, tpi->key);
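Review bot: The reason for the added `iph = ip_hdr(skb);` is only recorded in the commit message, so the line looks redundant next to the assignment a few lines earlier and is at risk of being removed in a later cleanup. A short comment above it would keep the invariant in the code, for example `/* pskb_may_pull() may have reallocated skb->head; reload iph */`. The same invariant applies to any header pointer taken before the second `pskb_may_pull(skb, len)` further down in erspan_rcv, which is outside this hunk.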
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 2d34bd98fccea..de707e057cd90 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -531,6 +531,9 @@ static int ip6erspan_rcv(struct sk_buff *skb,
+ struct ip6_tnl *tunnel;
+ u8 ver;
+
++ if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
++ return PACKET_REJECT;
++
+ ipv6h = ipv6_hdr(skb);
+ ershdr = (struct erspan_base_hdr *)skb->data;
+ ver = ershdr->ver;
+--
+2.43.0
+
--- /dev/null
+From cd037b408d89ea602547e0e2141d3189afd71fa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 08:55:05 +0200
+Subject: fs: add a vfs_fchmod helper
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 9e96c8c0e94eea2f69a9705f5d0f51928ea26c17 ]
+
+Add a helper for struct file based chmode operations. To be used by
+the initramfs code soon.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/open.c | 9 +++++++--
+ include/linux/fs.h | 1 +
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/open.c b/fs/open.c
+index 9213c15d8a8d6..484b300f3e026 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -570,14 +570,19 @@ static int chmod_common(const struct path *path, umode_t mode)
+ return error;
+ }
+
++int vfs_fchmod(struct file *file, umode_t mode)
++{
++ audit_file(file);
++ return chmod_common(&file->f_path, mode);
++}
++
+ int ksys_fchmod(unsigned int fd, umode_t mode)
+ {
+ struct fd f = fdget(fd);
+ int err = -EBADF;
+
+ if (f.file) {
+- audit_file(f.file);
+- err = chmod_common(&f.file->f_path, mode);
++ err = vfs_fchmod(f.file, mode);
+ fdput(f);
+ }
+ return err;
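Review bot: vfs_fchmod is added as a non-static helper with no comment stating its contract, and it differs from vfs_fchown (added by fs-add-a-vfs_fchown-helper.patch in this series) in a way a reader will question. vfs_fchown brackets the operation with `mnt_want_write_file()`/`mnt_drop_write_file()`, while vfs_fchmod calls only `audit_file()` and `chmod_common()`. Presumably chmod_common takes mount write access itself, but its body is outside the hunk, so that should be confirmed. Both helpers would benefit from a short kernel-doc block saying that the caller must hold a reference on `file`, what is returned on failure, and, for vfs_fchmod, where write access to the mount is obtained.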
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 03de5c7134564..5e122cb506d6e 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1731,6 +1731,7 @@ int vfs_mkobj(struct dentry *, umode_t,
+ void *);
+
+ int vfs_fchown(struct file *file, uid_t user, gid_t group);
++int vfs_fchmod(struct file *file, umode_t mode);
+
+ extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+
+--
+2.43.0
+
--- /dev/null
+From 53062cace22d568d3919dda3ad90fab84f4f88de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 08:47:43 +0200
+Subject: fs: add a vfs_fchown helper
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit c04011fe8cbd80af1be6e12b53193bf3846750d7 ]
+
+Add a helper for struct file based chown operations. To be used by
+the initramfs code soon.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/open.c | 29 +++++++++++++++++------------
+ include/linux/fs.h | 2 ++
+ 2 files changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/fs/open.c b/fs/open.c
+index dcbd016112375..9213c15d8a8d6 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -708,23 +708,28 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
+ AT_SYMLINK_NOFOLLOW);
+ }
+
++int vfs_fchown(struct file *file, uid_t user, gid_t group)
++{
++ int error;
++
++ error = mnt_want_write_file(file);
++ if (error)
++ return error;
++ audit_file(file);
++ error = chown_common(&file->f_path, user, group);
++ mnt_drop_write_file(file);
++ return error;
++}
++
+ int ksys_fchown(unsigned int fd, uid_t user, gid_t group)
+ {
+ struct fd f = fdget(fd);
+ int error = -EBADF;
+
+- if (!f.file)
+- goto out;
+-
+- error = mnt_want_write_file(f.file);
+- if (error)
+- goto out_fput;
+- audit_file(f.file);
+- error = chown_common(&f.file->f_path, user, group);
+- mnt_drop_write_file(f.file);
+-out_fput:
+- fdput(f);
+-out:
++ if (f.file) {
++ error = vfs_fchown(f.file, user, group);
++ fdput(f);
++ }
+ return error;
+ }
+
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 272f261894b17..03de5c7134564 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1730,6 +1730,8 @@ int vfs_mkobj(struct dentry *, umode_t,
+ int (*f)(struct dentry *, umode_t, void *),
+ void *);
+
++int vfs_fchown(struct file *file, uid_t user, gid_t group);
++
+ extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+
+ #ifdef CONFIG_COMPAT
+--
+2.43.0
+
--- /dev/null
+From c8a72845f33c3e0d53275aea6be6fb35117c0b54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Mar 2024 15:15:22 -0700
+Subject: init: open /initrd.image with O_LARGEFILE
+
+From: John Sperbeck <jsperbeck@google.com>
+
+[ Upstream commit 4624b346cf67400ef46a31771011fb798dd2f999 ]
+
+If initrd data is larger than 2Gb, we'll eventually fail to write to the
+/initrd.image file when we hit that limit, unless O_LARGEFILE is set.
+
+Link: https://lkml.kernel.org/r/20240317221522.896040-1-jsperbeck@google.com
+Signed-off-by: John Sperbeck <jsperbeck@google.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index 1bc854fdf8302..b362b57c047d5 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -630,7 +630,7 @@ static void __init populate_initrd_image(char *err)
+
+ printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
+ err);
+- file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
++ file = filp_open("/initrd.image", O_WRONLY|O_CREAT|O_LARGEFILE, 0700);
+ if (IS_ERR(file))
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From 742a0b50bb5cdf2a8862a88c572e2a3a651af9ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 08:56:19 +0200
+Subject: initramfs: switch initramfs unpacking to struct file based APIs
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit bf6419e4d5440c6d414a320506c5488857a5b001 ]
+
+There is no good reason to mess with file descriptors from in-kernel
+code, switch the initramfs unpacking to struct file based write
+instead.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/initramfs.c | 47 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/init/initramfs.c b/init/initramfs.c
+index 00a32799a38b0..1bc854fdf8302 100644
+--- a/init/initramfs.c
++++ b/init/initramfs.c
+@@ -11,13 +11,14 @@
+ #include <linux/utime.h>
+ #include <linux/file.h>
+
+-static ssize_t __init xwrite(int fd, const char *p, size_t count)
++static ssize_t __init xwrite(struct file *file, const char *p, size_t count,
++ loff_t *pos)
+ {
+ ssize_t out = 0;
+
+ /* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */
+ while (count) {
+- ssize_t rv = ksys_write(fd, p, count);
++ ssize_t rv = kernel_write(file, p, count, pos);
+
+ if (rv < 0) {
+ if (rv == -EINTR || rv == -EAGAIN)
+@@ -315,7 +316,8 @@ static int __init maybe_link(void)
+ return 0;
+ }
+
+-static __initdata int wfd;
++static __initdata struct file *wfile;
++static __initdata loff_t wfile_pos;
+
+ static int __init do_name(void)
+ {
+@@ -332,16 +334,17 @@ static int __init do_name(void)
+ int openflags = O_WRONLY|O_CREAT;
+ if (ml != 1)
+ openflags |= O_TRUNC;
+- wfd = ksys_open(collected, openflags, mode);
+-
+- if (wfd >= 0) {
+- ksys_fchown(wfd, uid, gid);
+- ksys_fchmod(wfd, mode);
+- if (body_len)
+- ksys_ftruncate(wfd, body_len);
+- vcollected = kstrdup(collected, GFP_KERNEL);
+- state = CopyFile;
+- }
++ wfile = filp_open(collected, openflags, mode);
++ if (IS_ERR(wfile))
++ return 0;
++ wfile_pos = 0;
++
++ vfs_fchown(wfile, uid, gid);
++ vfs_fchmod(wfile, mode);
++ if (body_len)
++ vfs_truncate(&wfile->f_path, body_len);
++ vcollected = kstrdup(collected, GFP_KERNEL);
++ state = CopyFile;
+ }
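Review bot: The `filp_open(collected, openflags, mode)` call in do_name uses `openflags = O_WRONLY|O_CREAT` with no O_LARGEFILE. The companion patch in this series (init-open-initrd.image-with-o_largefile.patch) shows that filp_open does not add that flag on its own, so a large cpio member may hit the same 2G write limit described there for /initrd.image. Consider `int openflags = O_WRONLY|O_CREAT|O_LARGEFILE;`. Separately, the return values of `vfs_fchown()`, `vfs_fchmod()` and `vfs_truncate()` are discarded, as they were with the ksys_ variants, so a file can be left with ownership or mode other than what the archive specified without any diagnostic. A `pr_warn` on failure would make that visible. do_name starts and ends outside the hunk.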
+ } else if (S_ISDIR(mode)) {
+ ksys_mkdir(collected, mode);
+@@ -363,16 +366,16 @@ static int __init do_name(void)
+ static int __init do_copy(void)
+ {
+ if (byte_count >= body_len) {
+- if (xwrite(wfd, victim, body_len) != body_len)
++ if (xwrite(wfile, victim, body_len, &wfile_pos) != body_len)
+ error("write error");
+- ksys_close(wfd);
++ fput(wfile);
+ do_utime(vcollected, mtime);
+ kfree(vcollected);
+ eat(body_len);
+ state = SkipIt;
+ return 0;
+ } else {
+- if (xwrite(wfd, victim, byte_count) != byte_count)
++ if (xwrite(wfile, victim, byte_count, &wfile_pos) != byte_count)
+ error("write error");
+ body_len -= byte_count;
+ eat(byte_count);
+@@ -620,21 +623,23 @@ static inline void clean_rootfs(void)
+ static void __init populate_initrd_image(char *err)
+ {
+ ssize_t written;
+- int fd;
++ struct file *file;
++ loff_t pos = 0;
+
+ unpack_to_rootfs(__initramfs_start, __initramfs_size);
+
+ printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n",
+ err);
+- fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
+- if (fd < 0)
++ file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700);
++ if (IS_ERR(file))
+ return;
+
+- written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start);
++ written = xwrite(file, (char *)initrd_start, initrd_end - initrd_start,
++ &pos);
+ if (written != initrd_end - initrd_start)
+ pr_err("/initrd.image: incomplete write (%zd != %ld)\n",
+ written, initrd_end - initrd_start);
+- ksys_close(fd);
++ fput(file);
+ }
+ #else
+ static void __init populate_initrd_image(char *err)
+--
+2.43.0
+
--- /dev/null
+From 4883d63eac0be55a2bb60213d4a44a5a3c31f29c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 15:53:04 +0100
+Subject: net: ravb: Always process TX descriptor ring
+
+From: Paul Barker <paul.barker.ct@bp.renesas.com>
+
+[ Upstream commit 596a4254915f94c927217fe09c33a6828f33fb25 ]
+
+The TX queue should be serviced each time the poll function is called,
+even if the full RX work budget has been consumed. This prevents
+starvation of the TX queue when RX bandwidth usage is high.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20240402145305.82148-1-paul.barker.ct@bp.renesas.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 53b9c77c7f6a7..3cc312a526d9b 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -911,12 +911,12 @@ static int ravb_poll(struct napi_struct *napi, int budget)
+ int q = napi - priv->napi;
+ int mask = BIT(q);
+ int quota = budget;
++ bool unmask;
+
+ /* Processing RX Descriptor Ring */
+ /* Clear RX interrupt */
+ ravb_write(ndev, ~(mask | RIS0_RESERVED), RIS0);
+- if (ravb_rx(ndev, "a, q))
+- goto out;
++ unmask = !ravb_rx(ndev, "a, q);
+
+ /* Processing RX Descriptor Ring */
+ spin_lock_irqsave(&priv->lock, flags);
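Review bot: The comment directly above `spin_lock_irqsave()` still says `/* Processing RX Descriptor Ring */`, but per the commit message the locked block is the TX servicing that this change makes unconditional. It should read `/* Processing TX Descriptor Ring */`. The new `unmask` flag would also be easier to follow with a one-line comment at its assignment, for example `/* RX finished within budget: NAPI may complete and interrupts be re-enabled */`, assuming ravb_rx returns non-zero when the budget is exhausted. The body of ravb_rx is not shown here.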
+@@ -926,6 +926,9 @@ static int ravb_poll(struct napi_struct *napi, int budget)
+ netif_wake_subqueue(ndev, q);
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ if (!unmask)
++ goto out;
++
+ napi_complete(napi);
+
+ /* Re-enable RX/TX interrupts */
+--
+2.43.0
+
selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch
ipv6-fix-infinite-recursion-in-fib6_dump_done.patch
i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch
+staging-mmal-vchiq-allocate-and-free-components-as-r.patch
+staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch
+staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
+staging-vc04_services-fix-information-leak-in-create.patch
+fs-add-a-vfs_fchown-helper.patch
+fs-add-a-vfs_fchmod-helper.patch
+initramfs-switch-initramfs-unpacking-to-struct-file-.patch
+init-open-initrd.image-with-o_largefile.patch
+erspan-add-type-i-version-0-support.patch
+erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch
+net-ravb-always-process-tx-descriptor-ring.patch
--- /dev/null
+From 68b3cdc05ac09855ba7468f8867bb21b267fdd30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 18:41:48 +0200
+Subject: staging: mmal-vchiq: Allocate and free components as required
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+
+[ Upstream commit 8c589e1794a31e9a381916b0280260ab601e4d6e ]
+
+The existing code assumed that there would only ever be 4 components,
+and never freed the entries once used.
+Allow arbitrary creation and destruction of components.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/20200623164235.29566-3-nsaenzjulienne@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vc04_services/bcm2835-camera/mmal-vchiq.c | 29 ++++++++++++-------
+ .../vc04_services/bcm2835-camera/mmal-vchiq.h | 1 +
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 1c180ead4a20b..9b47ba4d2d3cd 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -31,8 +31,11 @@
+ #define USE_VCHIQ_ARM
+ #include "interface/vchi/vchi.h"
+
+-/* maximum number of components supported */
+-#define VCHIQ_MMAL_MAX_COMPONENTS 4
++/*
++ * maximum number of components supported.
++ * This matches the maximum permitted by default on the VPU
++ */
++#define VCHIQ_MMAL_MAX_COMPONENTS 64
+
+ /*#define FULL_MSG_DUMP 1*/
+
+@@ -167,8 +170,6 @@ struct vchiq_mmal_instance {
+ /* protect accesses to context_map */
+ struct mutex context_map_lock;
+
+- /* component to use next */
+- int component_idx;
+ struct vchiq_mmal_component component[VCHIQ_MMAL_MAX_COMPONENTS];
+
+ /* ordered workqueue to process all bulk operations */
+@@ -1616,18 +1617,24 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ {
+ int ret;
+ int idx; /* port index */
+- struct vchiq_mmal_component *component;
++ struct vchiq_mmal_component *component = NULL;
+
+ if (mutex_lock_interruptible(&instance->vchiq_mutex))
+ return -EINTR;
+
+- if (instance->component_idx == VCHIQ_MMAL_MAX_COMPONENTS) {
++ for (idx = 0; idx < VCHIQ_MMAL_MAX_COMPONENTS; idx++) {
++ if (!instance->component[idx].in_use) {
++ component = &instance->component[idx];
++ component->in_use = 1;
++ break;
++ }
++ }
++
++ if (!component) {
+ ret = -EINVAL; /* todo is this correct error? */
+ goto unlock;
+ }
+
+- component = &instance->component[instance->component_idx];
+-
+ ret = create_component(instance, component, name);
+ if (ret < 0) {
+ pr_err("%s: failed to create component %d (Not enough GPU mem?)\n",
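Review bot: `idx` is still declared as `int idx; /* port index */`, but the new loop uses it as the slot index into `instance->component[]`. The next patch in the series then stores that value as `client_component`, so the comment now misdescribes a value that becomes an externally visible handle. Either use a separate local for the slot search or update the comment to `/* component slot, later port index */`. The `-EINVAL` returned when every slot is in use (already marked `todo`) would be clearer as `-ENOSPC` or `-EBUSY` if callers do not depend on the current value.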
+@@ -1678,8 +1685,6 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ goto release_component;
+ }
+
+- instance->component_idx++;
+-
+ *component_out = component;
+
+ mutex_unlock(&instance->vchiq_mutex);
+@@ -1689,6 +1694,8 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ release_component:
+ destroy_component(instance, component);
+ unlock:
++ if (component)
++ component->in_use = 0;
+ mutex_unlock(&instance->vchiq_mutex);
+
+ return ret;
+@@ -1710,6 +1717,8 @@ int vchiq_mmal_component_finalise(struct vchiq_mmal_instance *instance,
+
+ ret = destroy_component(instance, component);
+
++ component->in_use = 0;
++
+ mutex_unlock(&instance->vchiq_mutex);
+
+ return ret;
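Review bot: `component->in_use = 0;` runs regardless of the result of `destroy_component()`. If the destroy fails, the slot is handed back for reuse while the VPU may still consider the old component alive. With the follow-up patch that uses the slot index as `client_component`, anything the VPU later reports for the old component would then carry the same handle as the new occupant of the slot. Consider releasing the slot only on success, for example `if (!ret) component->in_use = 0;`, or state in a comment why a failed destroy is safe to ignore. The start of vchiq_mmal_component_finalise is outside the hunk.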
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index 47897e81ec586..4e34728d87e53 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -82,6 +82,7 @@ struct vchiq_mmal_port {
+ };
+
+ struct vchiq_mmal_component {
++ u32 in_use:1;
+ u32 enabled:1;
+ u32 handle; /* VideoCore handle for component */
+ u32 inputs; /* Number of input ports */
+--
+2.43.0
+
--- /dev/null
+From 4b90982f6607a780ea2f73215d8c94f8926cfb62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 17:09:02 +0200
+Subject: staging: mmal-vchiq: Fix client_component for 64 bit kernel
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+
+[ Upstream commit 22e64b486adc4785542f8002c3af4c895490f841 ]
+
+The MMAL client_component field is used with the event
+mechanism to allow the client to identify the component for
+which the event is generated.
+The field is only 32bits in size, therefore we can't use a
+pointer to the component in a 64 bit kernel.
+
+Component handles are already held in an array per VCHI
+instance, so use the array index as the client_component handle
+to avoid having to create a new IDR for this purpose.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/20200629150945.10720-5-nsaenzjulienne@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 8 +++++++-
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 9b47ba4d2d3cd..23d869ba12e69 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -928,7 +928,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
+
+ /* build component create message */
+ m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
+- m.u.component_create.client_component = (u32)(unsigned long)component;
++ m.u.component_create.client_component = component->client_component;
+ strncpy(m.u.component_create.name, name,
+ sizeof(m.u.component_create.name));
+
+@@ -1635,6 +1635,12 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance,
+ goto unlock;
+ }
+
++ /* We need a handle to reference back to our component structure.
++ * Use the array index in instance->component rather than rolling
++ * another IDR.
++ */
++ component->client_component = idx;
++
+ ret = create_component(instance, component, name);
+ if (ret < 0) {
+ pr_err("%s: failed to create component %d (Not enough GPU mem?)\n",
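Review bot: Storing the array index in `client_component` fixes the truncated pointer, but it also turns a value that comes back from the VPU into an index into `instance->component[]`. No consumer of the returned handle is visible in this patch. Any code that maps `client_component` back to a component must first check that it is below VCHIQ_MMAL_MAX_COMPONENTS and that the slot has `in_use` set. It would help to say so in the new comment, for example by appending `Values received from the VPU must be range-checked before use as an index.`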
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index 4e34728d87e53..a75c5f0a770ef 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -92,6 +92,7 @@ struct vchiq_mmal_component {
+ struct vchiq_mmal_port input[MAX_PORT_COUNT]; /* input ports */
+ struct vchiq_mmal_port output[MAX_PORT_COUNT]; /* output ports */
+ struct vchiq_mmal_port clock[MAX_PORT_COUNT]; /* clock ports */
++ u32 client_component; /* Used to ref back to client struct */
+ };
+
+ int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance);
+--
+2.43.0
+
--- /dev/null
+From 629e14d38579f6f194eee2a93564d869a60e6bbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 17:36:56 +0100
+Subject: staging: vc04_services: changen strncpy() to strscpy_pad()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit ef25725b7f8aaffd7756974d3246ec44fae0a5cf ]
+
+gcc-14 warns about this strncpy() that results in a non-terminated
+string for an overflow:
+
+In file included from include/linux/string.h:369,
+ from drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:20:
+In function 'strncpy',
+ inlined from 'create_component' at drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:940:2:
+include/linux/fortify-string.h:108:33: error: '__builtin_strncpy' specified bound 128 equals destination size [-Werror=stringop-truncation]
+
+Change it to strscpy_pad(), which produces a properly terminated and
+zero-padded string.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20240313163712.224585-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 23d869ba12e69..fab119c60cb12 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -929,8 +929,8 @@ static int create_component(struct vchiq_mmal_instance *instance,
+ /* build component create message */
+ m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
+ m.u.component_create.client_component = component->client_component;
+- strncpy(m.u.component_create.name, name,
+- sizeof(m.u.component_create.name));
++ strscpy_pad(m.u.component_create.name, name,
++ sizeof(m.u.component_create.name));
+
+ ret = send_synchronous_mmal_msg(instance, &m,
+ sizeof(m.u.component_create),
+--
+2.43.0
+
--- /dev/null
+From 68e4e655bfca4143c177382e1f39deff77db1503 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 21:07:43 +0300
+Subject: staging: vc04_services: fix information leak in create_component()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit f37e76abd614b68987abc8e5c22d986013349771 ]
+
+The m.u.component_create.pid field is for debugging and in the mainline
+kernel it's not used anything. However, it still needs to be set to
+something to prevent disclosing uninitialized stack data. Set it to
+zero.
+
+Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/2d972847-9ebd-481b-b6f9-af390f5aabd3@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index fab119c60cb12..ad143f6019746 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -931,6 +931,7 @@ static int create_component(struct vchiq_mmal_instance *instance,
+ m.u.component_create.client_component = component->client_component;
+ strscpy_pad(m.u.component_create.name, name,
+ sizeof(m.u.component_create.name));
++ m.u.component_create.pid = 0;
+
+ ret = send_synchronous_mmal_msg(instance, &m,
+ sizeof(m.u.component_create),
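Review bot: Setting `m.u.component_create.pid = 0;` closes this one field, but the message is still built field by field on the stack. Any padding inside `component_create`, or a member added to it later, would again go out to the VPU uninitialised. Zeroing the whole message before filling it, with `memset(&m, 0, sizeof(m));` at the top of create_component, removes that class of leak and makes the explicit `pid` assignment unnecessary. The declaration of `m` is outside the hunk, and other message builders in this file may follow the same pattern and deserve the same check.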
+--
+2.43.0
+