From: Sasha Levin Date: Sun, 7 Apr 2024 12:53:29 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.15.154~74 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=42fd80fb66a023145b7e8b83a041cda63d947e03;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/erspan-add-type-i-version-0-support.patch b/queue-5.4/erspan-add-type-i-version-0-support.patch new file mode 100644 index 00000000000..b917f40bb75 --- /dev/null +++ b/queue-5.4/erspan-add-type-i-version-0-support.patch @@ -0,0 +1,195 @@ +From a3a939a67030c94b9012212236103d98d2f4970a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 09:05:06 -0700 +Subject: erspan: Add type I version 0 support. + +From: William Tu + +[ Upstream commit f989d546a2d5a9f001f6f8be49d98c10ab9b1897 ] + +The Type I ERSPAN frame format is based on the barebones +IP + GRE(4-byte) encapsulation on top of the raw mirrored frame. +Both type I and II use 0x88BE as protocol type. Unlike type II +and III, no sequence number or key is required. +To creat a type I erspan tunnel device: + $ ip link add dev erspan11 type erspan \ + local 172.16.1.100 remote 172.16.1.200 \ + erspan_ver 0 + +Signed-off-by: William Tu +Signed-off-by: David S. Miller +Stable-dep-of: 17af420545a7 ("erspan: make sure erspan_base_hdr is present in skb->head") +Signed-off-by: Sasha Levin +--- + include/net/erspan.h | 19 +++++++++++++-- + net/ipv4/ip_gre.c | 58 ++++++++++++++++++++++++++++++++------------ + 2 files changed, 60 insertions(+), 17 deletions(-) + +diff --git a/include/net/erspan.h b/include/net/erspan.h +index b39643ef4c95f..0d9e86bd98934 100644 +--- a/include/net/erspan.h ++++ b/include/net/erspan.h +@@ -2,7 +2,19 @@ + #define __LINUX_ERSPAN_H + + /* +- * GRE header for ERSPAN encapsulation (8 octets [34:41]) -- 8 bytes ++ * GRE header for ERSPAN type I encapsulation (4 octets [34:37]) ++ * 0 1 2 3 ++ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ++ * |0|0|0|0|0|00000|000000000|00000| Protocol Type for ERSPAN | ++ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ++ * ++ * The Type I ERSPAN frame format is based on the barebones IP + GRE ++ * encapsulation (as described above) on top of the raw mirrored frame. ++ * There is no extra ERSPAN header. ++ * ++ * ++ * GRE header for ERSPAN type II and II encapsulation (8 octets [34:41]) + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +@@ -43,7 +55,7 @@ + * | Platform Specific Info | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * +- * GRE proto ERSPAN type II = 0x88BE, type III = 0x22EB ++ * GRE proto ERSPAN type I/II = 0x88BE, type III = 0x22EB + */ + + #include +@@ -139,6 +151,9 @@ static inline u8 get_hwid(const struct erspan_md2 *md2) + + static inline int erspan_hdr_len(int version) + { ++ if (version == 0) ++ return 0; ++ + return sizeof(struct erspan_base_hdr) + + (version == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); + } +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index db48dec61f305..f8369580ea273 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -248,6 +248,15 @@ static void gre_err(struct sk_buff *skb, u32 info) + ipgre_err(skb, info, &tpi); + } + ++static bool is_erspan_type1(int gre_hdr_len) ++{ ++ /* Both ERSPAN type I (version 0) and type II (version 1) use ++ * protocol 0x88BE, but the type I has only 4-byte GRE header, ++ * while type II has 8-byte. ++ */ ++ return gre_hdr_len == 4; ++} ++ + static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, + int gre_hdr_len) + { +@@ -262,17 +271,26 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, + int len; + + itn = net_generic(net, erspan_net_id); +- + iph = ip_hdr(skb); +- ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len); +- ver = ershdr->ver; +- +- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, +- tpi->flags | TUNNEL_KEY, +- iph->saddr, iph->daddr, tpi->key); ++ if (is_erspan_type1(gre_hdr_len)) { ++ ver = 0; ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, ++ tpi->flags | TUNNEL_NO_KEY, ++ iph->saddr, iph->daddr, 0); ++ } else { ++ ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len); ++ ver = ershdr->ver; ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, ++ tpi->flags | TUNNEL_KEY, ++ iph->saddr, iph->daddr, tpi->key); ++ } + + if (tunnel) { +- len = gre_hdr_len + erspan_hdr_len(ver); ++ if (is_erspan_type1(gre_hdr_len)) ++ len = gre_hdr_len; ++ else ++ len = gre_hdr_len + erspan_hdr_len(ver); ++ + if (unlikely(!pskb_may_pull(skb, len))) + return PACKET_REJECT; + +@@ -670,7 +688,10 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb, + } + + /* Push ERSPAN header */ +- if (tunnel->erspan_ver == 1) { ++ if (tunnel->erspan_ver == 0) { ++ proto = htons(ETH_P_ERSPAN); ++ tunnel->parms.o_flags &= ~TUNNEL_SEQ; ++ } else if (tunnel->erspan_ver == 1) { + erspan_build_header(skb, ntohl(tunnel->parms.o_key), + tunnel->index, + truncate, true); +@@ -1080,7 +1101,10 @@ static int erspan_validate(struct nlattr *tb[], struct nlattr *data[], + if (ret) + return ret; + +- /* ERSPAN should only have GRE sequence and key flag */ ++ if (nla_get_u8(data[IFLA_GRE_ERSPAN_VER]) == 0) ++ return 0; ++ ++ /* ERSPAN type II/III should only have GRE sequence and key flag */ + if (data[IFLA_GRE_OFLAGS]) + flags |= nla_get_be16(data[IFLA_GRE_OFLAGS]); + if (data[IFLA_GRE_IFLAGS]) +@@ -1188,7 +1212,7 @@ static int erspan_netlink_parms(struct net_device *dev, + if (data[IFLA_GRE_ERSPAN_VER]) { + t->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]); + +- if (t->erspan_ver != 1 && t->erspan_ver != 2) ++ if (t->erspan_ver > 2) + return -EINVAL; + } + +@@ -1273,7 +1297,11 @@ static int erspan_tunnel_init(struct net_device *dev) + { + struct ip_tunnel *tunnel = netdev_priv(dev); + +- tunnel->tun_hlen = 8; ++ if (tunnel->erspan_ver == 0) ++ tunnel->tun_hlen = 4; /* 4-byte GRE hdr. */ ++ else ++ tunnel->tun_hlen = 8; /* 8-byte GRE hdr. */ ++ + tunnel->parms.iph.protocol = IPPROTO_GRE; + tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen + + erspan_hdr_len(tunnel->erspan_ver); +@@ -1470,8 +1498,8 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev) + struct ip_tunnel_parm *p = &t->parms; + __be16 o_flags = p->o_flags; + +- if (t->erspan_ver == 1 || t->erspan_ver == 2) { +- if (!t->collect_md) ++ if (t->erspan_ver <= 2) { ++ if (t->erspan_ver != 0 && !t->collect_md) + o_flags |= TUNNEL_KEY; + + if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver)) +@@ -1480,7 +1508,7 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev) + if (t->erspan_ver == 1) { + if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index)) + goto nla_put_failure; +- } else { ++ } else if (t->erspan_ver == 2) { + if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir)) + goto nla_put_failure; + if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid)) +-- +2.43.0 + diff --git a/queue-5.4/erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch b/queue-5.4/erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch new file mode 100644 index 00000000000..1256ea1134f --- /dev/null +++ b/queue-5.4/erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch @@ -0,0 +1,128 @@ +From 80b0ea7b8eda85ce3b4544f9ae6ebead34731e40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Mar 2024 11:22:48 +0000 +Subject: erspan: make sure erspan_base_hdr is present in skb->head + +From: Eric Dumazet + +[ Upstream commit 17af420545a750f763025149fa7b833a4fc8b8f0 ] + +syzbot reported a problem in ip6erspan_rcv() [1] + +Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make +sure erspan_base_hdr is present in skb linear part (skb->head) +before getting @ver field from it. + +Add the missing pskb_may_pull() calls. + +v2: Reload iph pointer in erspan_rcv() after pskb_may_pull() + because skb->head might have changed. + +[1] + + BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline] + BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline] + BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline] + BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610 + pskb_may_pull_reason include/linux/skbuff.h:2742 [inline] + pskb_may_pull include/linux/skbuff.h:2756 [inline] + ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline] + gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610 + ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438 + ip6_input_finish net/ipv6/ip6_input.c:483 [inline] + NF_HOOK include/linux/netfilter.h:314 [inline] + ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 + ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 + dst_input include/net/dst.h:460 [inline] + ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79 + NF_HOOK include/linux/netfilter.h:314 [inline] + ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310 + __netif_receive_skb_one_core net/core/dev.c:5538 [inline] + __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652 + netif_receive_skb_internal net/core/dev.c:5738 [inline] + netif_receive_skb+0x58/0x660 net/core/dev.c:5798 + tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549 + tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002 + tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 + call_write_iter include/linux/fs.h:2108 [inline] + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0xb63/0x1520 fs/read_write.c:590 + ksys_write+0x20f/0x4c0 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0x93/0xe0 fs/read_write.c:652 + do_syscall_64+0xd5/0x1f0 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3804 [inline] + slab_alloc_node mm/slub.c:3845 [inline] + kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 + __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 + alloc_skb include/linux/skbuff.h:1318 [inline] + alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 + sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 + tun_alloc_skb drivers/net/tun.c:1525 [inline] + tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846 + tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 + call_write_iter include/linux/fs.h:2108 [inline] + new_sync_write fs/read_write.c:497 [inline] + vfs_write+0xb63/0x1520 fs/read_write.c:590 + ksys_write+0x20f/0x4c0 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0x93/0xe0 fs/read_write.c:652 + do_syscall_64+0xd5/0x1f0 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0 + +Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup") +Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/ +Signed-off-by: Eric Dumazet +Cc: Lorenzo Bianconi +Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 5 +++++ + net/ipv6/ip6_gre.c | 3 +++ + 2 files changed, 8 insertions(+) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index f8369580ea273..b8ff2179071f9 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -278,8 +278,13 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, + tpi->flags | TUNNEL_NO_KEY, + iph->saddr, iph->daddr, 0); + } else { ++ if (unlikely(!pskb_may_pull(skb, ++ gre_hdr_len + sizeof(*ershdr)))) ++ return PACKET_REJECT; ++ + ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len); + ver = ershdr->ver; ++ iph = ip_hdr(skb); + tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, + tpi->flags | TUNNEL_KEY, + iph->saddr, iph->daddr, tpi->key); +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 2d34bd98fccea..de707e057cd90 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -531,6 +531,9 @@ static int ip6erspan_rcv(struct sk_buff *skb, + struct ip6_tnl *tunnel; + u8 ver; + ++ if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr)))) ++ return PACKET_REJECT; ++ + ipv6h = ipv6_hdr(skb); + ershdr = (struct erspan_base_hdr *)skb->data; + ver = ershdr->ver; +-- +2.43.0 + diff --git a/queue-5.4/fs-add-a-vfs_fchmod-helper.patch b/queue-5.4/fs-add-a-vfs_fchmod-helper.patch new file mode 100644 index 00000000000..ed735f4d00a --- /dev/null +++ b/queue-5.4/fs-add-a-vfs_fchmod-helper.patch @@ -0,0 +1,62 @@ +From cd037b408d89ea602547e0e2141d3189afd71fa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 08:55:05 +0200 +Subject: fs: add a vfs_fchmod helper + +From: Christoph Hellwig + +[ Upstream commit 9e96c8c0e94eea2f69a9705f5d0f51928ea26c17 ] + +Add a helper for struct file based chmode operations. To be used by +the initramfs code soon. + +Signed-off-by: Christoph Hellwig +Acked-by: Linus Torvalds +Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE") +Signed-off-by: Sasha Levin +--- + fs/open.c | 9 +++++++-- + include/linux/fs.h | 1 + + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/open.c b/fs/open.c +index 9213c15d8a8d6..484b300f3e026 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -570,14 +570,19 @@ static int chmod_common(const struct path *path, umode_t mode) + return error; + } + ++int vfs_fchmod(struct file *file, umode_t mode) ++{ ++ audit_file(file); ++ return chmod_common(&file->f_path, mode); ++} ++ + int ksys_fchmod(unsigned int fd, umode_t mode) + { + struct fd f = fdget(fd); + int err = -EBADF; + + if (f.file) { +- audit_file(f.file); +- err = chmod_common(&f.file->f_path, mode); ++ err = vfs_fchmod(f.file, mode); + fdput(f); + } + return err; +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 03de5c7134564..5e122cb506d6e 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1731,6 +1731,7 @@ int vfs_mkobj(struct dentry *, umode_t, + void *); + + int vfs_fchown(struct file *file, uid_t user, gid_t group); ++int vfs_fchmod(struct file *file, umode_t mode); + + extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg); + +-- +2.43.0 + diff --git a/queue-5.4/fs-add-a-vfs_fchown-helper.patch b/queue-5.4/fs-add-a-vfs_fchown-helper.patch new file mode 100644 index 00000000000..9e053b425b7 --- /dev/null +++ b/queue-5.4/fs-add-a-vfs_fchown-helper.patch @@ -0,0 +1,82 @@ +From 53062cace22d568d3919dda3ad90fab84f4f88de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 08:47:43 +0200 +Subject: fs: add a vfs_fchown helper + +From: Christoph Hellwig + +[ Upstream commit c04011fe8cbd80af1be6e12b53193bf3846750d7 ] + +Add a helper for struct file based chown operations. To be used by +the initramfs code soon. + +Signed-off-by: Christoph Hellwig +Acked-by: Linus Torvalds +Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE") +Signed-off-by: Sasha Levin +--- + fs/open.c | 29 +++++++++++++++++------------ + include/linux/fs.h | 2 ++ + 2 files changed, 19 insertions(+), 12 deletions(-) + +diff --git a/fs/open.c b/fs/open.c +index dcbd016112375..9213c15d8a8d6 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -708,23 +708,28 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group + AT_SYMLINK_NOFOLLOW); + } + ++int vfs_fchown(struct file *file, uid_t user, gid_t group) ++{ ++ int error; ++ ++ error = mnt_want_write_file(file); ++ if (error) ++ return error; ++ audit_file(file); ++ error = chown_common(&file->f_path, user, group); ++ mnt_drop_write_file(file); ++ return error; ++} ++ + int ksys_fchown(unsigned int fd, uid_t user, gid_t group) + { + struct fd f = fdget(fd); + int error = -EBADF; + +- if (!f.file) +- goto out; +- +- error = mnt_want_write_file(f.file); +- if (error) +- goto out_fput; +- audit_file(f.file); +- error = chown_common(&f.file->f_path, user, group); +- mnt_drop_write_file(f.file); +-out_fput: +- fdput(f); +-out: ++ if (f.file) { ++ error = vfs_fchown(f.file, user, group); ++ fdput(f); ++ } + return error; + } + +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 272f261894b17..03de5c7134564 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1730,6 +1730,8 @@ int vfs_mkobj(struct dentry *, umode_t, + int (*f)(struct dentry *, umode_t, void *), + void *); + ++int vfs_fchown(struct file *file, uid_t user, gid_t group); ++ + extern long vfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg); + + #ifdef CONFIG_COMPAT +-- +2.43.0 + diff --git a/queue-5.4/init-open-initrd.image-with-o_largefile.patch b/queue-5.4/init-open-initrd.image-with-o_largefile.patch new file mode 100644 index 00000000000..88fa311e037 --- /dev/null +++ b/queue-5.4/init-open-initrd.image-with-o_largefile.patch @@ -0,0 +1,41 @@ +From c8a72845f33c3e0d53275aea6be6fb35117c0b54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Mar 2024 15:15:22 -0700 +Subject: init: open /initrd.image with O_LARGEFILE + +From: John Sperbeck + +[ Upstream commit 4624b346cf67400ef46a31771011fb798dd2f999 ] + +If initrd data is larger than 2Gb, we'll eventually fail to write to the +/initrd.image file when we hit that limit, unless O_LARGEFILE is set. + +Link: https://lkml.kernel.org/r/20240317221522.896040-1-jsperbeck@google.com +Signed-off-by: John Sperbeck +Cc: Jens Axboe +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + init/initramfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/initramfs.c b/init/initramfs.c +index 1bc854fdf8302..b362b57c047d5 100644 +--- a/init/initramfs.c ++++ b/init/initramfs.c +@@ -630,7 +630,7 @@ static void __init populate_initrd_image(char *err) + + printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n", + err); +- file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700); ++ file = filp_open("/initrd.image", O_WRONLY|O_CREAT|O_LARGEFILE, 0700); + if (IS_ERR(file)) + return; + +-- +2.43.0 + diff --git a/queue-5.4/initramfs-switch-initramfs-unpacking-to-struct-file-.patch b/queue-5.4/initramfs-switch-initramfs-unpacking-to-struct-file-.patch new file mode 100644 index 00000000000..1eb91244d32 --- /dev/null +++ b/queue-5.4/initramfs-switch-initramfs-unpacking-to-struct-file-.patch @@ -0,0 +1,132 @@ +From 742a0b50bb5cdf2a8862a88c572e2a3a651af9ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 08:56:19 +0200 +Subject: initramfs: switch initramfs unpacking to struct file based APIs + +From: Christoph Hellwig + +[ Upstream commit bf6419e4d5440c6d414a320506c5488857a5b001 ] + +There is no good reason to mess with file descriptors from in-kernel +code, switch the initramfs unpacking to struct file based write +instead. + +Signed-off-by: Christoph Hellwig +Acked-by: Linus Torvalds +Stable-dep-of: 4624b346cf67 ("init: open /initrd.image with O_LARGEFILE") +Signed-off-by: Sasha Levin +--- + init/initramfs.c | 47 ++++++++++++++++++++++++++--------------------- + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/init/initramfs.c b/init/initramfs.c +index 00a32799a38b0..1bc854fdf8302 100644 +--- a/init/initramfs.c ++++ b/init/initramfs.c +@@ -11,13 +11,14 @@ + #include + #include + +-static ssize_t __init xwrite(int fd, const char *p, size_t count) ++static ssize_t __init xwrite(struct file *file, const char *p, size_t count, ++ loff_t *pos) + { + ssize_t out = 0; + + /* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */ + while (count) { +- ssize_t rv = ksys_write(fd, p, count); ++ ssize_t rv = kernel_write(file, p, count, pos); + + if (rv < 0) { + if (rv == -EINTR || rv == -EAGAIN) +@@ -315,7 +316,8 @@ static int __init maybe_link(void) + return 0; + } + +-static __initdata int wfd; ++static __initdata struct file *wfile; ++static __initdata loff_t wfile_pos; + + static int __init do_name(void) + { +@@ -332,16 +334,17 @@ static int __init do_name(void) + int openflags = O_WRONLY|O_CREAT; + if (ml != 1) + openflags |= O_TRUNC; +- wfd = ksys_open(collected, openflags, mode); +- +- if (wfd >= 0) { +- ksys_fchown(wfd, uid, gid); +- ksys_fchmod(wfd, mode); +- if (body_len) +- ksys_ftruncate(wfd, body_len); +- vcollected = kstrdup(collected, GFP_KERNEL); +- state = CopyFile; +- } ++ wfile = filp_open(collected, openflags, mode); ++ if (IS_ERR(wfile)) ++ return 0; ++ wfile_pos = 0; ++ ++ vfs_fchown(wfile, uid, gid); ++ vfs_fchmod(wfile, mode); ++ if (body_len) ++ vfs_truncate(&wfile->f_path, body_len); ++ vcollected = kstrdup(collected, GFP_KERNEL); ++ state = CopyFile; + } + } else if (S_ISDIR(mode)) { + ksys_mkdir(collected, mode); +@@ -363,16 +366,16 @@ static int __init do_name(void) + static int __init do_copy(void) + { + if (byte_count >= body_len) { +- if (xwrite(wfd, victim, body_len) != body_len) ++ if (xwrite(wfile, victim, body_len, &wfile_pos) != body_len) + error("write error"); +- ksys_close(wfd); ++ fput(wfile); + do_utime(vcollected, mtime); + kfree(vcollected); + eat(body_len); + state = SkipIt; + return 0; + } else { +- if (xwrite(wfd, victim, byte_count) != byte_count) ++ if (xwrite(wfile, victim, byte_count, &wfile_pos) != byte_count) + error("write error"); + body_len -= byte_count; + eat(byte_count); +@@ -620,21 +623,23 @@ static inline void clean_rootfs(void) + static void __init populate_initrd_image(char *err) + { + ssize_t written; +- int fd; ++ struct file *file; ++ loff_t pos = 0; + + unpack_to_rootfs(__initramfs_start, __initramfs_size); + + printk(KERN_INFO "rootfs image is not initramfs (%s); looks like an initrd\n", + err); +- fd = ksys_open("/initrd.image", O_WRONLY | O_CREAT, 0700); +- if (fd < 0) ++ file = filp_open("/initrd.image", O_WRONLY | O_CREAT, 0700); ++ if (IS_ERR(file)) + return; + +- written = xwrite(fd, (char *)initrd_start, initrd_end - initrd_start); ++ written = xwrite(file, (char *)initrd_start, initrd_end - initrd_start, ++ &pos); + if (written != initrd_end - initrd_start) + pr_err("/initrd.image: incomplete write (%zd != %ld)\n", + written, initrd_end - initrd_start); +- ksys_close(fd); ++ fput(file); + } + #else + static void __init populate_initrd_image(char *err) +-- +2.43.0 + diff --git a/queue-5.4/net-ravb-always-process-tx-descriptor-ring.patch b/queue-5.4/net-ravb-always-process-tx-descriptor-ring.patch new file mode 100644 index 00000000000..592bc2b7f76 --- /dev/null +++ b/queue-5.4/net-ravb-always-process-tx-descriptor-ring.patch @@ -0,0 +1,55 @@ +From 4883d63eac0be55a2bb60213d4a44a5a3c31f29c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Apr 2024 15:53:04 +0100 +Subject: net: ravb: Always process TX descriptor ring + +From: Paul Barker + +[ Upstream commit 596a4254915f94c927217fe09c33a6828f33fb25 ] + +The TX queue should be serviced each time the poll function is called, +even if the full RX work budget has been consumed. This prevents +starvation of the TX queue when RX bandwidth usage is high. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Paul Barker +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20240402145305.82148-1-paul.barker.ct@bp.renesas.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 53b9c77c7f6a7..3cc312a526d9b 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -911,12 +911,12 @@ static int ravb_poll(struct napi_struct *napi, int budget) + int q = napi - priv->napi; + int mask = BIT(q); + int quota = budget; ++ bool unmask; + + /* Processing RX Descriptor Ring */ + /* Clear RX interrupt */ + ravb_write(ndev, ~(mask | RIS0_RESERVED), RIS0); +- if (ravb_rx(ndev, "a, q)) +- goto out; ++ unmask = !ravb_rx(ndev, "a, q); + + /* Processing RX Descriptor Ring */ + spin_lock_irqsave(&priv->lock, flags); +@@ -926,6 +926,9 @@ static int ravb_poll(struct napi_struct *napi, int budget) + netif_wake_subqueue(ndev, q); + spin_unlock_irqrestore(&priv->lock, flags); + ++ if (!unmask) ++ goto out; ++ + napi_complete(napi); + + /* Re-enable RX/TX interrupts */ +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 1403a168c07..f560f66a458 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -154,3 +154,14 @@ net-stmmac-fix-rx-queue-priority-assignment.patch selftests-reuseaddr_conflict-add-missing-new-line-at-the-end-of-the-output.patch ipv6-fix-infinite-recursion-in-fib6_dump_done.patch i40e-fix-vf-may-be-used-uninitialized-in-this-function-warning.patch +staging-mmal-vchiq-allocate-and-free-components-as-r.patch +staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch +staging-vc04_services-changen-strncpy-to-strscpy_pad.patch +staging-vc04_services-fix-information-leak-in-create.patch +fs-add-a-vfs_fchown-helper.patch +fs-add-a-vfs_fchmod-helper.patch +initramfs-switch-initramfs-unpacking-to-struct-file-.patch +init-open-initrd.image-with-o_largefile.patch +erspan-add-type-i-version-0-support.patch +erspan-make-sure-erspan_base_hdr-is-present-in-skb-h.patch +net-ravb-always-process-tx-descriptor-ring.patch diff --git a/queue-5.4/staging-mmal-vchiq-allocate-and-free-components-as-r.patch b/queue-5.4/staging-mmal-vchiq-allocate-and-free-components-as-r.patch new file mode 100644 index 00000000000..175ceef1029 --- /dev/null +++ b/queue-5.4/staging-mmal-vchiq-allocate-and-free-components-as-r.patch @@ -0,0 +1,123 @@ +From 68b3cdc05ac09855ba7468f8867bb21b267fdd30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 18:41:48 +0200 +Subject: staging: mmal-vchiq: Allocate and free components as required + +From: Dave Stevenson + +[ Upstream commit 8c589e1794a31e9a381916b0280260ab601e4d6e ] + +The existing code assumed that there would only ever be 4 components, +and never freed the entries once used. +Allow arbitrary creation and destruction of components. + +Signed-off-by: Dave Stevenson +Signed-off-by: Jacopo Mondi +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20200623164235.29566-3-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()") +Signed-off-by: Sasha Levin +--- + .../vc04_services/bcm2835-camera/mmal-vchiq.c | 29 ++++++++++++------- + .../vc04_services/bcm2835-camera/mmal-vchiq.h | 1 + + 2 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +index 1c180ead4a20b..9b47ba4d2d3cd 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +@@ -31,8 +31,11 @@ + #define USE_VCHIQ_ARM + #include "interface/vchi/vchi.h" + +-/* maximum number of components supported */ +-#define VCHIQ_MMAL_MAX_COMPONENTS 4 ++/* ++ * maximum number of components supported. ++ * This matches the maximum permitted by default on the VPU ++ */ ++#define VCHIQ_MMAL_MAX_COMPONENTS 64 + + /*#define FULL_MSG_DUMP 1*/ + +@@ -167,8 +170,6 @@ struct vchiq_mmal_instance { + /* protect accesses to context_map */ + struct mutex context_map_lock; + +- /* component to use next */ +- int component_idx; + struct vchiq_mmal_component component[VCHIQ_MMAL_MAX_COMPONENTS]; + + /* ordered workqueue to process all bulk operations */ +@@ -1616,18 +1617,24 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance, + { + int ret; + int idx; /* port index */ +- struct vchiq_mmal_component *component; ++ struct vchiq_mmal_component *component = NULL; + + if (mutex_lock_interruptible(&instance->vchiq_mutex)) + return -EINTR; + +- if (instance->component_idx == VCHIQ_MMAL_MAX_COMPONENTS) { ++ for (idx = 0; idx < VCHIQ_MMAL_MAX_COMPONENTS; idx++) { ++ if (!instance->component[idx].in_use) { ++ component = &instance->component[idx]; ++ component->in_use = 1; ++ break; ++ } ++ } ++ ++ if (!component) { + ret = -EINVAL; /* todo is this correct error? */ + goto unlock; + } + +- component = &instance->component[instance->component_idx]; +- + ret = create_component(instance, component, name); + if (ret < 0) { + pr_err("%s: failed to create component %d (Not enough GPU mem?)\n", +@@ -1678,8 +1685,6 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance, + goto release_component; + } + +- instance->component_idx++; +- + *component_out = component; + + mutex_unlock(&instance->vchiq_mutex); +@@ -1689,6 +1694,8 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance, + release_component: + destroy_component(instance, component); + unlock: ++ if (component) ++ component->in_use = 0; + mutex_unlock(&instance->vchiq_mutex); + + return ret; +@@ -1710,6 +1717,8 @@ int vchiq_mmal_component_finalise(struct vchiq_mmal_instance *instance, + + ret = destroy_component(instance, component); + ++ component->in_use = 0; ++ + mutex_unlock(&instance->vchiq_mutex); + + return ret; +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h +index 47897e81ec586..4e34728d87e53 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h +@@ -82,6 +82,7 @@ struct vchiq_mmal_port { + }; + + struct vchiq_mmal_component { ++ u32 in_use:1; + u32 enabled:1; + u32 handle; /* VideoCore handle for component */ + u32 inputs; /* Number of input ports */ +-- +2.43.0 + diff --git a/queue-5.4/staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch b/queue-5.4/staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch new file mode 100644 index 00000000000..0ac3bc2dc7a --- /dev/null +++ b/queue-5.4/staging-mmal-vchiq-fix-client_component-for-64-bit-k.patch @@ -0,0 +1,72 @@ +From 4b90982f6607a780ea2f73215d8c94f8926cfb62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 17:09:02 +0200 +Subject: staging: mmal-vchiq: Fix client_component for 64 bit kernel + +From: Dave Stevenson + +[ Upstream commit 22e64b486adc4785542f8002c3af4c895490f841 ] + +The MMAL client_component field is used with the event +mechanism to allow the client to identify the component for +which the event is generated. +The field is only 32bits in size, therefore we can't use a +pointer to the component in a 64 bit kernel. + +Component handles are already held in an array per VCHI +instance, so use the array index as the client_component handle +to avoid having to create a new IDR for this purpose. + +Signed-off-by: Dave Stevenson +Signed-off-by: Jacopo Mondi +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20200629150945.10720-5-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()") +Signed-off-by: Sasha Levin +--- + drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 8 +++++++- + drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +index 9b47ba4d2d3cd..23d869ba12e69 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +@@ -928,7 +928,7 @@ static int create_component(struct vchiq_mmal_instance *instance, + + /* build component create message */ + m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE; +- m.u.component_create.client_component = (u32)(unsigned long)component; ++ m.u.component_create.client_component = component->client_component; + strncpy(m.u.component_create.name, name, + sizeof(m.u.component_create.name)); + +@@ -1635,6 +1635,12 @@ int vchiq_mmal_component_init(struct vchiq_mmal_instance *instance, + goto unlock; + } + ++ /* We need a handle to reference back to our component structure. ++ * Use the array index in instance->component rather than rolling ++ * another IDR. ++ */ ++ component->client_component = idx; ++ + ret = create_component(instance, component, name); + if (ret < 0) { + pr_err("%s: failed to create component %d (Not enough GPU mem?)\n", +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h +index 4e34728d87e53..a75c5f0a770ef 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h +@@ -92,6 +92,7 @@ struct vchiq_mmal_component { + struct vchiq_mmal_port input[MAX_PORT_COUNT]; /* input ports */ + struct vchiq_mmal_port output[MAX_PORT_COUNT]; /* output ports */ + struct vchiq_mmal_port clock[MAX_PORT_COUNT]; /* clock ports */ ++ u32 client_component; /* Used to ref back to client struct */ + }; + + int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance); +-- +2.43.0 + diff --git a/queue-5.4/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch b/queue-5.4/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch new file mode 100644 index 00000000000..c6996418c20 --- /dev/null +++ b/queue-5.4/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch @@ -0,0 +1,49 @@ +From 629e14d38579f6f194eee2a93564d869a60e6bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 17:36:56 +0100 +Subject: staging: vc04_services: changen strncpy() to strscpy_pad() + +From: Arnd Bergmann + +[ Upstream commit ef25725b7f8aaffd7756974d3246ec44fae0a5cf ] + +gcc-14 warns about this strncpy() that results in a non-terminated +string for an overflow: + +In file included from include/linux/string.h:369, + from drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:20: +In function 'strncpy', + inlined from 'create_component' at drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:940:2: +include/linux/fortify-string.h:108:33: error: '__builtin_strncpy' specified bound 128 equals destination size [-Werror=stringop-truncation] + +Change it to strscpy_pad(), which produces a properly terminated and +zero-padded string. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20240313163712.224585-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: f37e76abd614 ("staging: vc04_services: fix information leak in create_component()") +Signed-off-by: Sasha Levin +--- + drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +index 23d869ba12e69..fab119c60cb12 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +@@ -929,8 +929,8 @@ static int create_component(struct vchiq_mmal_instance *instance, + /* build component create message */ + m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE; + m.u.component_create.client_component = component->client_component; +- strncpy(m.u.component_create.name, name, +- sizeof(m.u.component_create.name)); ++ strscpy_pad(m.u.component_create.name, name, ++ sizeof(m.u.component_create.name)); + + ret = send_synchronous_mmal_msg(instance, &m, + sizeof(m.u.component_create), +-- +2.43.0 + diff --git a/queue-5.4/staging-vc04_services-fix-information-leak-in-create.patch b/queue-5.4/staging-vc04_services-fix-information-leak-in-create.patch new file mode 100644 index 00000000000..b5974cc7a28 --- /dev/null +++ b/queue-5.4/staging-vc04_services-fix-information-leak-in-create.patch @@ -0,0 +1,39 @@ +From 68e4e655bfca4143c177382e1f39deff77db1503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 21:07:43 +0300 +Subject: staging: vc04_services: fix information leak in create_component() + +From: Dan Carpenter + +[ Upstream commit f37e76abd614b68987abc8e5c22d986013349771 ] + +The m.u.component_create.pid field is for debugging and in the mainline +kernel it's not used anything. However, it still needs to be set to +something to prevent disclosing uninitialized stack data. Set it to +zero. + +Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.") +Cc: stable +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/2d972847-9ebd-481b-b6f9-af390f5aabd3@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +index fab119c60cb12..ad143f6019746 100644 +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +@@ -931,6 +931,7 @@ static int create_component(struct vchiq_mmal_instance *instance, + m.u.component_create.client_component = component->client_component; + strscpy_pad(m.u.component_create.name, name, + sizeof(m.u.component_create.name)); ++ m.u.component_create.pid = 0; + + ret = send_synchronous_mmal_msg(instance, &m, + sizeof(m.u.component_create), +-- +2.43.0 +