| From b60ae70d58a9030cc40a7021b088bfbae2c79445 Mon Sep 17 00:00:00 2001 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Sun, 26 Apr 2020 18:19:07 -0700 |
| Subject: [PATCH] sch_sfq: validate silly quantum values |
| |
| commit df4953e4e997e273501339f607b77953772e3559 upstream. |
| |
| syzbot managed to set up sfq so that q->scaled_quantum was zero, |
| triggering an infinite loop in sfq_dequeue() |
| |
| More generally, we must only accept quantum between 1 and 2^18 - 7, |
| meaning scaled_quantum must be in [1, 0x7FFF] range. |
| |
| Otherwise, we also could have a loop in sfq_dequeue() |
| if scaled_quantum happens to be 0x8000, since slot->allot |
| could indefinitely switch between 0 and 0x8000. |
| |
| Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com |
| Cc: Jason A. Donenfeld <Jason@zx2c4.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c |
| index c787d4d46017..5a6def5e4e6d 100644 |
| --- a/net/sched/sch_sfq.c |
| +++ b/net/sched/sch_sfq.c |
| @@ -637,6 +637,15 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt) |
| if (ctl->divisor && |
| (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536)) |
| return -EINVAL; |
| + |
| + /* slot->allot is a short, make sure quantum is not too big. */ |
| + if (ctl->quantum) { |
| + unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum); |
| + |
| + if (scaled <= 0 || scaled > SHRT_MAX) |
| + return -EINVAL; |
| + } |
| + |
| if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, |
| ctl_v1->Wlog)) |
| return -EINVAL; |
| -- |
| 2.7.4 |
| |