This is a note to let you know that I've just added the patch titled net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP to the 5.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-sched-taprio-always-validate-tca_taprio_attr_pri.patch and it can be found in the queue-5.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 6c0dbca64e1400cf1049a8a3229fbbf9511de6a4 Author: Eric Dumazet <edumazet@xxxxxxxxxx> Date: Tue Jun 4 18:15:11 2024 +0000 net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP [ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ] If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can happen. Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule") Reported-by: Noam Rathaus <noamr@xxxxxxxxxxxxxxxxxx> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx> Acked-by: Vinicius Costa Gomes <vinicius.gomes@xxxxxxxxx> Reviewed-by: Vladimir Oltean <vladimir.oltean@xxxxxxx> Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index e4c4d23a1b535..7b896be009d55 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -925,16 +925,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev, { int i, j; - if (!qopt && !dev->num_tc) { - NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); - return -EINVAL; - } - - /* If num_tc is already set, it means that the user already - * configured the mqprio part - */ - if (dev->num_tc) + if (!qopt) { + if (!dev->num_tc) { + NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); + return -EINVAL; + } return 0; + } /* Verify num_tc is not out of max range */ if (qopt->num_tc > TC_MAX_QUEUE) {