--- /dev/null
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Ivan Vecera <ivecera@redhat.com>
+Date: Tue, 15 Dec 2020 10:08:10 +0100
+Subject: ethtool: fix error paths in ethnl_set_channels()
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit ef72cd3c5ce168829c6684ecb2cae047d3493690 ]
+
+Fix two error paths in ethnl_set_channels() to avoid lock-up caused
+but unreleased RTNL.
+
+Fixes: e19c591eafad ("ethtool: set device channel counts with CHANNELS_SET request")
+Reported-by: LiLiang <liali@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Link: https://lore.kernel.org/r/20201215090810.801777-1-ivecera@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ethtool/channels.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ethtool/channels.c
++++ b/net/ethtool/channels.c
+@@ -194,8 +194,9 @@ int ethnl_set_channels(struct sk_buff *s
+ if (netif_is_rxfh_configured(dev) &&
+ !ethtool_get_max_rxfh_channel(dev, &max_rx_in_use) &&
+ (channels.combined_count + channels.rx_count) <= max_rx_in_use) {
++ ret = -EINVAL;
+ GENL_SET_ERR_MSG(info, "requested channel counts are too low for existing indirection table settings");
+- return -EINVAL;
++ goto out_ops;
+ }
+
+ /* Disabling channels, query zero-copy AF_XDP sockets */
+@@ -203,8 +204,9 @@ int ethnl_set_channels(struct sk_buff *s
+ min(channels.rx_count, channels.tx_count);
+ for (i = from_channel; i < old_total; i++)
+ if (xsk_get_pool_from_qid(dev, i)) {
++ ret = -EINVAL;
+ GENL_SET_ERR_MSG(info, "requested channel counts are too low for existing zerocopy AF_XDP sockets");
+- return -EINVAL;
++ goto out_ops;
+ }
+
+ ret = dev->ethtool_ops->set_channels(dev, &channels);
--- /dev/null
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Mon, 14 Dec 2020 14:25:01 +0100
+Subject: ethtool: fix string set id check
+
+From: Michal Kubecek <mkubecek@suse.cz>
+
+[ Upstream commit efb796f5571f030743e1d9c662cdebdad724f8c5 ]
+
+Syzbot reported a shift of a u32 by more than 31 in strset_parse_request()
+which is undefined behavior. This is caused by range check of string set id
+using variable ret (which is always 0 at this point) instead of id (string
+set id from request).
+
+Fixes: 71921690f974 ("ethtool: provide string sets with STRSET_GET request")
+Reported-by: syzbot+96523fb438937cd01220@syzkaller.appspotmail.com
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+Link: https://lore.kernel.org/r/b54ed5c5fd972a59afea3e1badfb36d86df68799.1607952208.git.mkubecek@suse.cz
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ethtool/strset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ethtool/strset.c
++++ b/net/ethtool/strset.c
+@@ -182,7 +182,7 @@ static int strset_parse_request(struct e
+ ret = strset_get_id(attr, &id, extack);
+ if (ret < 0)
+ return ret;
+- if (ret >= ETH_SS_COUNT) {
++ if (id >= ETH_SS_COUNT) {
+ NL_SET_ERR_MSG_ATTR(extack, attr,
+ "unknown string set id");
+ return -EOPNOTSUPP;
--- /dev/null
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 16 Dec 2020 12:48:32 +0100
+Subject: mptcp: fix security context on server socket
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 0c14846032f2c0a3b63234e1fc2759f4155b6067 ]
+
+Currently MPTCP is not propagating the security context
+from the ingress request socket to newly created msk
+at clone time.
+
+Address the issue invoking the missing security helper.
+
+Fixes: cf7da0d66cc1 ("mptcp: Create SUBFLOW socket for incoming connections")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2081,6 +2081,8 @@ struct sock *mptcp_sk_clone(const struct
+ sock_reset_flag(nsk, SOCK_RCU_FREE);
+ /* will be fully established after successful MPC subflow creation */
+ inet_sk_state_store(nsk, TCP_SYN_RECV);
++
++ security_inet_csk_clone(nsk, req);
+ bh_unlock_sock(nsk);
+
+ /* keep a single reference */
--- /dev/null
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 16 Dec 2020 19:33:29 +0100
+Subject: net/sched: sch_taprio: reset child qdiscs before freeing them
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 44d4775ca51805b376a8db5b34f650434a08e556 ]
+
+syzkaller shows that packets can still be dequeued while taprio_destroy()
+is running. Let sch_taprio use the reset() function to cancel the advance
+timer and drop all skbs from the child qdiscs.
+
+Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
+Link: https://syzkaller.appspot.com/bug?id=f362872379bf8f0017fb667c1ab158f2d1e764ae
+Reported-by: syzbot+8971da381fb5a31f542d@syzkaller.appspotmail.com
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Link: https://lore.kernel.org/r/63b6d79b0e830ebb0283e020db4df3cdfdfb2b94.1608142843.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_taprio.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -1596,6 +1596,21 @@ free_sched:
+ return err;
+ }
+
++static void taprio_reset(struct Qdisc *sch)
++{
++ struct taprio_sched *q = qdisc_priv(sch);
++ struct net_device *dev = qdisc_dev(sch);
++ int i;
++
++ hrtimer_cancel(&q->advance_timer);
++ if (q->qdiscs) {
++ for (i = 0; i < dev->num_tx_queues && q->qdiscs[i]; i++)
++ qdisc_reset(q->qdiscs[i]);
++ }
++ sch->qstats.backlog = 0;
++ sch->q.qlen = 0;
++}
++
+ static void taprio_destroy(struct Qdisc *sch)
+ {
+ struct taprio_sched *q = qdisc_priv(sch);
+@@ -1606,7 +1621,6 @@ static void taprio_destroy(struct Qdisc
+ list_del(&q->taprio_list);
+ spin_unlock(&taprio_list_lock);
+
+- hrtimer_cancel(&q->advance_timer);
+
+ taprio_disable_offload(dev, q, NULL);
+
+@@ -1953,6 +1967,7 @@ static struct Qdisc_ops taprio_qdisc_ops
+ .init = taprio_init,
+ .change = taprio_change,
+ .destroy = taprio_destroy,
++ .reset = taprio_reset,
+ .peek = taprio_peek,
+ .dequeue = taprio_dequeue,
+ .enqueue = taprio_enqueue,
--- /dev/null
+net-sched-sch_taprio-reset-child-qdiscs-before-freeing-them.patch
+mptcp-fix-security-context-on-server-socket.patch
+ethtool-fix-error-paths-in-ethnl_set_channels.patch
+ethtool-fix-string-set-id-check.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
