releases/5.4.11/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Sat 11 Jan 2020 09:13:20 AM CET
 From: Eric Dumazet <edumazet@google.com>
 Date: Mon, 6 Jan 2020 06:10:39 -0800
 Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM

 From: Eric Dumazet <edumazet@google.com>

 [ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ]

 As diagnosed by Florian :

 If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue()
 can loop forever in :

 if (f->credit <= 0) {
   f->credit += q->quantum;
   goto begin;
 }

 ... because f->credit is either 0 or -2147483648.

 Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 :
 This max value should limit risks of breaking user setups
 while fixing this bug.

 Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Diagnosed-by: Florian Westphal <fw@strlen.de>
 Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/sched/sch_fq.c |    6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

 --- a/net/sched/sch_fq.c
 +++ b/net/sched/sch_fq.c
 @@ -787,10 +787,12 @@ static int fq_change(struct Qdisc *sch,
  	if (tb[TCA_FQ_QUANTUM]) {
  		u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]);

 -		if (quantum > 0)
 +		if (quantum > 0 && quantum <= (1 << 20)) {
  			q->quantum = quantum;
 -		else
 +		} else {
 +			NL_SET_ERR_MSG_MOD(extack, "invalid quantum");
  			err = -EINVAL;
 +		}
  	}

  	if (tb[TCA_FQ_INITIAL_QUANTUM])
	From foo@baz Sat 11 Jan 2020 09:13:20 AM CET
	From: Eric Dumazet <edumazet@google.com>
	Date: Mon, 6 Jan 2020 06:10:39 -0800
	Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM

	From: Eric Dumazet <edumazet@google.com>

	[ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ]

	As diagnosed by Florian :

	If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue()
	can loop forever in :

	if (f->credit <= 0) {
	f->credit += q->quantum;
	goto begin;
	}

	... because f->credit is either 0 or -2147483648.

	Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 :
	This max value should limit risks of breaking user setups
	while fixing this bug.

	Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Diagnosed-by: Florian Westphal <fw@strlen.de>
	Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/sched/sch_fq.c \| 6 ++++--
	1 file changed, 4 insertions(+), 2 deletions(-)

	--- a/net/sched/sch_fq.c
	+++ b/net/sched/sch_fq.c
	@@ -787,10 +787,12 @@ static int fq_change(struct Qdisc *sch,
	if (tb[TCA_FQ_QUANTUM]) {
	u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]);

	- if (quantum > 0)
	+ if (quantum > 0 && quantum <= (1 << 20)) {
	q->quantum = quantum;
	- else
	+ } else {
	+ NL_SET_ERR_MSG_MOD(extack, "invalid quantum");
	err = -EINVAL;
	+ }
	}

	if (tb[TCA_FQ_INITIAL_QUANTUM])