From 4110cd0db3f41753451032161483f9682a0187d9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 30 Dec 2020 16:04:22 +0100
Subject: [PATCH] 5.10-stable patches
added patches:
ethtool-fix-error-paths-in-ethnl_set_channels.patch
ethtool-fix-string-set-id-check.patch
mptcp-fix-security-context-on-server-socket.patch
net-sched-sch_taprio-reset-child-qdiscs-before-freeing-them.patch
---
...ix-error-paths-in-ethnl_set_channels.patch | 47 ++++++++++++++
.../ethtool-fix-string-set-id-check.patch | 35 ++++++++++
...ix-security-context-on-server-socket.patch | 35 ++++++++++
...set-child-qdiscs-before-freeing-them.patch | 65 +++++++++++++++++++
queue-5.10/series | 4 ++
5 files changed, 186 insertions(+)
create mode 100644 queue-5.10/ethtool-fix-error-paths-in-ethnl_set_channels.patch
create mode 100644 queue-5.10/ethtool-fix-string-set-id-check.patch
create mode 100644 queue-5.10/mptcp-fix-security-context-on-server-socket.patch
create mode 100644 queue-5.10/net-sched-sch_taprio-reset-child-qdiscs-before-freeing-them.patch
create mode 100644 queue-5.10/series
diff --git a/queue-5.10/ethtool-fix-error-paths-in-ethnl_set_channels.patch b/queue-5.10/ethtool-fix-error-paths-in-ethnl_set_channels.patch
new file mode 100644
index 00000000000..b2a66e7dd56
--- /dev/null
+++ b/queue-5.10/ethtool-fix-error-paths-in-ethnl_set_channels.patch
@@ -0,0 +1,47 @@
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Ivan Vecera
+Date: Tue, 15 Dec 2020 10:08:10 +0100
+Subject: ethtool: fix error paths in ethnl_set_channels()
+
+From: Ivan Vecera
+
+[ Upstream commit ef72cd3c5ce168829c6684ecb2cae047d3493690 ]
+
+Fix two error paths in ethnl_set_channels() to avoid lock-up caused
+but unreleased RTNL.
+
+Fixes: e19c591eafad ("ethtool: set device channel counts with CHANNELS_SET request")
+Reported-by: LiLiang
+Signed-off-by: Ivan Vecera
+Reviewed-by: Michal Kubecek
+Link: https://lore.kernel.org/r/20201215090810.801777-1-ivecera@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ethtool/channels.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ethtool/channels.c
++++ b/net/ethtool/channels.c
+@@ -194,8 +194,9 @@ int ethnl_set_channels(struct sk_buff *s
+ if (netif_is_rxfh_configured(dev) &&
+ !ethtool_get_max_rxfh_channel(dev, &max_rx_in_use) &&
+ (channels.combined_count + channels.rx_count) <= max_rx_in_use) {
++ ret = -EINVAL;
+ GENL_SET_ERR_MSG(info, "requested channel counts are too low for existing indirection table settings");
+- return -EINVAL;
++ goto out_ops;
+ }
+
+ /* Disabling channels, query zero-copy AF_XDP sockets */
+@@ -203,8 +204,9 @@ int ethnl_set_channels(struct sk_buff *s
+ min(channels.rx_count, channels.tx_count);
+ for (i = from_channel; i < old_total; i++)
+ if (xsk_get_pool_from_qid(dev, i)) {
++ ret = -EINVAL;
+ GENL_SET_ERR_MSG(info, "requested channel counts are too low for existing zerocopy AF_XDP sockets");
+- return -EINVAL;
++ goto out_ops;
+ }
+
+ ret = dev->ethtool_ops->set_channels(dev, &channels);
diff --git a/queue-5.10/ethtool-fix-string-set-id-check.patch b/queue-5.10/ethtool-fix-string-set-id-check.patch
new file mode 100644
index 00000000000..bc1263ebc26
--- /dev/null
+++ b/queue-5.10/ethtool-fix-string-set-id-check.patch
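Review bot: The two corrected exits in ethnl_set_channels() (the indirection-table check and the AF_XDP loop in net/ethtool/channels.c) carry nothing that tells the next editor a bare `return` is unsafe at this point, which is the mistake the commit message blames for the RTNL lock-up. A one-line comment above the first check, such as `/* RTNL is held here: every failure must leave via out_ops */`, would make that invariant visible. The `out_ops` label and the place where the lock is taken are outside both hunks, so whether any other early return remains between them cannot be confirmed from this patch and is worth checking against the 5.10 tree before the backport is released.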
@@ -0,0 +1,35 @@
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Michal Kubecek
+Date: Mon, 14 Dec 2020 14:25:01 +0100
+Subject: ethtool: fix string set id check
+
+From: Michal Kubecek
+
+[ Upstream commit efb796f5571f030743e1d9c662cdebdad724f8c5 ]
+
+Syzbot reported a shift of a u32 by more than 31 in strset_parse_request()
+which is undefined behavior. This is caused by range check of string set id
+using variable ret (which is always 0 at this point) instead of id (string
+set id from request).
+
+Fixes: 71921690f974 ("ethtool: provide string sets with STRSET_GET request")
+Reported-by: syzbot+96523fb438937cd01220@syzkaller.appspotmail.com
+Signed-off-by: Michal Kubecek
+Link: https://lore.kernel.org/r/b54ed5c5fd972a59afea3e1badfb36d86df68799.1607952208.git.mkubecek@suse.cz
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ethtool/strset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ethtool/strset.c
++++ b/net/ethtool/strset.c
+@@ -182,7 +182,7 @@ static int strset_parse_request(struct e
+ ret = strset_get_id(attr, &id, extack);
+ if (ret < 0)
+ return ret;
+- if (ret >= ETH_SS_COUNT) {
++ if (id >= ETH_SS_COUNT) {
+ NL_SET_ERR_MSG_ATTR(extack, attr,
+ "unknown string set id");
+ return -EOPNOTSUPP;
diff --git a/queue-5.10/mptcp-fix-security-context-on-server-socket.patch b/queue-5.10/mptcp-fix-security-context-on-server-socket.patch
new file mode 100644
index 00000000000..c7164c14889
--- /dev/null
+++ b/queue-5.10/mptcp-fix-security-context-on-server-socket.patch
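Review bot: The corrected test `if (id >= ETH_SS_COUNT)` in strset_parse_request() only prevents the undefined shift as long as ETH_SS_COUNT never exceeds the width of the u32 being shifted, and nothing in the hunk ties the two together. If no such assertion already exists elsewhere in net/ethtool/strset.c, adding `BUILD_BUG_ON(ETH_SS_COUNT > 32);` next to the check would turn a future enum growth into a build failure rather than a reintroduced out-of-range shift on a request-supplied id. The shift itself is outside the hunk, so its exact operand type is taken from the commit message ("shift of a u32") and should be confirmed against the file.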
@@ -0,0 +1,35 @@
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Paolo Abeni
+Date: Wed, 16 Dec 2020 12:48:32 +0100
+Subject: mptcp: fix security context on server socket
+
+From: Paolo Abeni
+
+[ Upstream commit 0c14846032f2c0a3b63234e1fc2759f4155b6067 ]
+
+Currently MPTCP is not propagating the security context
+from the ingress request socket to newly created msk
+at clone time.
+
+Address the issue invoking the missing security helper.
+
+Fixes: cf7da0d66cc1 ("mptcp: Create SUBFLOW socket for incoming connections")
+Signed-off-by: Paolo Abeni
+Reviewed-by: Mat Martineau
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/protocol.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2081,6 +2081,8 @@ struct sock *mptcp_sk_clone(const struct
+ sock_reset_flag(nsk, SOCK_RCU_FREE);
+ /* will be fully established after successful MPC subflow creation */
+ inet_sk_state_store(nsk, TCP_SYN_RECV);
++
++ security_inet_csk_clone(nsk, req);
+ bh_unlock_sock(nsk);
+
+ /* keep a single reference */
diff --git a/queue-5.10/net-sched-sch_taprio-reset-child-qdiscs-before-freeing-them.patch b/queue-5.10/net-sched-sch_taprio-reset-child-qdiscs-before-freeing-them.patch
new file mode 100644
index 00000000000..b46750f5f51
--- /dev/null
+++ b/queue-5.10/net-sched-sch_taprio-reset-child-qdiscs-before-freeing-them.patch
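Review bot: The added `security_inet_csk_clone(nsk, req);` in mptcp_sk_clone() is undocumented, although it is the one line that gives the new msk the security context of the request socket. A short comment above it, such as `/* propagate the security context from the request socket to the new msk */`, would keep it from being dropped or moved in a later refactor of the clone path. The call sits just before `bh_unlock_sock(nsk)` and the rest of the function is outside the hunk, so nothing here shows whether `req` can be NULL at this point. For the 5.10 backport it is worth confirming on a system with an enforcing LSM that an accepted MPTCP server socket now carries the expected label.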
@@ -0,0 +1,65 @@
+From foo@baz Wed Dec 30 04:02:58 PM CET 2020
+From: Davide Caratti
+Date: Wed, 16 Dec 2020 19:33:29 +0100
+Subject: net/sched: sch_taprio: reset child qdiscs before freeing them
+
+From: Davide Caratti
+
+[ Upstream commit 44d4775ca51805b376a8db5b34f650434a08e556 ]
+
+syzkaller shows that packets can still be dequeued while taprio_destroy()
+is running. Let sch_taprio use the reset() function to cancel the advance
+timer and drop all skbs from the child qdiscs.
+
+Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
+Link: https://syzkaller.appspot.com/bug?id=f362872379bf8f0017fb667c1ab158f2d1e764ae
+Reported-by: syzbot+8971da381fb5a31f542d@syzkaller.appspotmail.com
+Signed-off-by: Davide Caratti
+Acked-by: Vinicius Costa Gomes
+Link: https://lore.kernel.org/r/63b6d79b0e830ebb0283e020db4df3cdfdfb2b94.1608142843.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_taprio.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -1596,6 +1596,21 @@ free_sched:
+ return err;
+ }
+
++static void taprio_reset(struct Qdisc *sch)
++{
++ struct taprio_sched *q = qdisc_priv(sch);
++ struct net_device *dev = qdisc_dev(sch);
++ int i;
++
++ hrtimer_cancel(&q->advance_timer);
++ if (q->qdiscs) {
++ for (i = 0; i < dev->num_tx_queues && q->qdiscs[i]; i++)
++ qdisc_reset(q->qdiscs[i]);
++ }
++ sch->qstats.backlog = 0;
++ sch->q.qlen = 0;
++}
++
+ static void taprio_destroy(struct Qdisc *sch)
+ {
+ struct taprio_sched *q = qdisc_priv(sch);
+@@ -1606,7 +1621,6 @@ static void taprio_destroy(struct Qdisc
+ list_del(&q->taprio_list);
+ spin_unlock(&taprio_list_lock);
+
+- hrtimer_cancel(&q->advance_timer);
+
+ taprio_disable_offload(dev, q, NULL);
+
+@@ -1953,6 +1967,7 @@ static struct Qdisc_ops taprio_qdisc_ops
+ .init = taprio_init,
+ .change = taprio_change,
+ .destroy = taprio_destroy,
++ .reset = taprio_reset,
+ .peek = taprio_peek,
+ .dequeue = taprio_dequeue,
+ .enqueue = taprio_enqueue,
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..1da481e27ff
--- /dev/null
+++ b/queue-5.10/series
@@ -0,0 +1,4 @@
+net-sched-sch_taprio-reset-child-qdiscs-before-freeing-them.patch
+mptcp-fix-security-context-on-server-socket.patch
+ethtool-fix-error-paths-in-ethnl_set_channels.patch
+ethtool-fix-string-set-id-check.patch
--
2.47.3
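Review bot: taprio_destroy() in net/sched/sch_taprio.c no longer calls `hrtimer_cancel(&q->advance_timer);` and now depends on taprio_reset() having run first, which the patch does not show to hold for every caller of `.destroy`. If any path reaches `.destroy` without `.reset` (an error path during qdisc creation would be the one to check), the advance timer could still be armed when the qdisc's private data is freed. Keeping `hrtimer_cancel(&q->advance_timer);` in taprio_destroy() as well costs little, since the line was there before this change and cancelling an inactive timer is harmless. Separately, the loop in taprio_reset() stops at the first NULL `q->qdiscs[i]`, so a non-NULL child after a hole would not be reset; bounding the loop only by `dev->num_tx_queues` and using `if (q->qdiscs[i]) qdisc_reset(q->qdiscs[i]);` in the body removes that assumption.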