From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 11/48] sch_sfq: validate silly quantum values
Date: Wed, 13 May 2020 11:44:37 +0200 [thread overview]
Message-ID: <20200513094354.518501516@linuxfoundation.org> (raw)
In-Reply-To: <20200513094351.100352960@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]
syzbot managed to set up sfq so that q->scaled_quantum was zero,
triggering an infinite loop in sfq_dequeue()
More generally, we must only accept quantum between 1 and 2^18 - 7,
meaning scaled_quantum must be in [1, 0x7FFF] range.
Otherwise, we also could have a loop in sfq_dequeue()
if scaled_quantum happens to be 0x8000, since slot->allot
could indefinitely switch between 0 and 0x8000.
Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_sfq.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -641,6 +641,15 @@ static int sfq_change(struct Qdisc *sch,
if (ctl->divisor &&
(!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
return -EINVAL;
+
+ /* slot->allot is a short, make sure quantum is not too big. */
+ if (ctl->quantum) {
+ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
+
+ if (scaled <= 0 || scaled > SHRT_MAX)
+ return -EINVAL;
+ }
+
if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
ctl_v1->Wlog))
return -EINVAL;
next prev parent reply other threads:[~2020-05-13 9:46 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-13 9:44 [PATCH 4.19 00/48] 4.19.123-rc1 review Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 01/48] USB: serial: qcserial: Add DW5816e support Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 02/48] tracing/kprobes: Fix a double initialization typo Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 03/48] vt: fix unicode console freeing with a common interface Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 04/48] dp83640: reverse arguments to list_add_tail Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 05/48] fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 06/48] net: macsec: preserve ingress frame ordering Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 07/48] net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 08/48] net_sched: sch_skbprio: add message validation to skbprio_change() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 09/48] net: usb: qmi_wwan: add support for DW5816e Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 10/48] sch_choke: avoid potential panic in choke_reset() Greg Kroah-Hartman
2020-05-13 9:44 ` Greg Kroah-Hartman [this message]
2020-05-13 9:44 ` [PATCH 4.19 12/48] tipc: fix partial topology connection closure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 13/48] bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 14/48] net/mlx5: Fix forced completion access non initialized command entry Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 15/48] net/mlx5: Fix command entry leak in Internal Error State Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 16/48] bnxt_en: Improve AER slot reset Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 17/48] bnxt_en: Fix VF anti-spoof filter setup Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 18/48] net: stricter validation of untrusted gso packets Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 19/48] HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 20/48] sctp: Fix bundling of SHUTDOWN with COOKIE-ACK Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 21/48] HID: usbhid: Fix race between usbhid_close() and usbhid_stop() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 22/48] USB: uas: add quirk for LaCie 2Big Quadra Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 23/48] USB: serial: garmin_gps: add sanity checking for data length Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 24/48] tracing: Add a vmalloc_sync_mappings() for safe measure Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 25/48] KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 26/48] KVM: arm64: Fix 32bit PC wrap-around Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 27/48] arm64: hugetlb: avoid potential NULL dereference Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 28/48] mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 29/48] staging: gasket: Check the return value of gasket_get_bar_index() Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 30/48] coredump: fix crash when umh is disabled Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 31/48] KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 32/48] KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()s asm blob Greg Kroah-Hartman
2020-05-13 9:44 ` [PATCH 4.19 33/48] batman-adv: fix batadv_nc_random_weight_tq Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 34/48] batman-adv: Fix refcnt leak in batadv_show_throughput_override Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 35/48] batman-adv: Fix refcnt leak in batadv_store_throughput_override Greg Kroah-Hartman
2020-05-13 21:03 ` Pavel Machek
2020-05-13 9:45 ` [PATCH 4.19 36/48] batman-adv: Fix refcnt leak in batadv_v_ogm_process Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 37/48] x86/entry/64: Fix unwind hints in register clearing code Greg Kroah-Hartman
2020-05-13 21:48 ` Pavel Machek
2020-05-14 19:27 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 38/48] x86/entry/64: Fix unwind hints in kernel exit path Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 39/48] x86/entry/64: Fix unwind hints in rewind_stack_do_exit() Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 40/48] x86/unwind/orc: Dont skip the first frame for inactive tasks Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 41/48] x86/unwind/orc: Prevent unwinding before ORC initialization Greg Kroah-Hartman
2020-05-13 21:52 ` Pavel Machek
2020-05-14 19:44 ` Josh Poimboeuf
2020-05-14 20:13 ` Pavel Machek
2020-05-14 20:28 ` Josh Poimboeuf
2020-05-13 9:45 ` [PATCH 4.19 42/48] x86/unwind/orc: Fix error path for bad ORC entry type Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 43/48] x86/unwind/orc: Fix premature unwind stoppage due to IRET frames Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 44/48] netfilter: nat: never update the UDP checksum when its 0 Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 45/48] netfilter: nf_osf: avoid passing pointer to local var Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 46/48] objtool: Fix stack offset tracking for indirect CFAs Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 47/48] scripts/decodecode: fix trapping instruction formatting Greg Kroah-Hartman
2020-05-13 9:45 ` [PATCH 4.19 48/48] ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() Greg Kroah-Hartman
[not found] ` <20200513094351.100352960-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-05-13 13:45 ` [PATCH 4.19 00/48] 4.19.123-rc1 review Jon Hunter
2020-05-13 13:45 ` Jon Hunter
2020-05-13 17:03 ` Guenter Roeck
2020-05-13 18:14 ` Naresh Kamboju
2020-05-13 19:29 ` Chris Paterson
2020-05-13 23:02 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200513094354.518501516@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jason@zx2c4.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.