netdev.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Oliver Neukum <oneukum@suse.com>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org, linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 5.2 61/63] usbnet: sanity checking of packet sizes and device mtu
Date: Tue,  1 Oct 2019 12:41:23 -0400
Message-ID: <20191001164125.15398-61-sashal@kernel.org>
In-Reply-To: <20191001164125.15398-1-sashal@kernel.org>

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]

After a reset packet sizes and device mtu can change and need
to be reevaluated to calculate queue sizes.
Malicious devices can set this to zero and we divide by it.
Introduce sanity checking.

Reported-and-tested-by:  syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/usbnet.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 07c00e378a5cd..ef1d667b0108b 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -344,6 +344,8 @@ void usbnet_update_max_qlen(struct usbnet *dev)
 {
 	enum usb_device_speed speed = dev->udev->speed;
 
+	if (!dev->rx_urb_size || !dev->hard_mtu)
+		goto insanity;
 	switch (speed) {
 	case USB_SPEED_HIGH:
 		dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
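Review bot: the guard added at the top of usbnet_update_max_qlen() rejects only a value of exactly zero, so a device-supplied rx_urb_size larger than MAX_QUEUE_MEMORY still passes and the integer division in `dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;` truncates to a queue length of 0. If a zero-length queue is not acceptable to the users of rx_qlen and tx_qlen, clamp the result to a minimum or send oversized values down the same fallback path as zero. The fallback is also silent: a rate-limited warning at this check would make a device that reports bogus sizes visible in the log instead of quietly running with the default queue length.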
@@ -360,6 +362,7 @@ void usbnet_update_max_qlen(struct usbnet *dev)
 		dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
 		break;
 	default:
+insanity:
 		dev->rx_qlen = dev->tx_qlen = 4;
 	}
 }
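Review bot: the `insanity:` label sits inside the `default:` arm, so the `goto` added above the `switch` jumps into the middle of the switch body. That is valid C, but it is fragile when cases are added or reordered, and it obscures that the bad-size path and the unknown-speed path share `dev->rx_qlen = dev->tx_qlen = 4;`. Consider assigning that fallback before the `switch` and returning early when either size is zero, or at least use a descriptive label name with a one-line comment noting that both values come from the device and can change after a reset.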
-- 
2.20.1

