| From foo@baz Sat 11 Jan 2020 09:13:20 AM CET |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Mon, 6 Jan 2020 06:10:39 -0800 |
| Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| [ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ] |
| |
| As diagnosed by Florian : |
| |
| If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue() |
| can loop forever in : |
| |
| if (f->credit <= 0) { |
| f->credit += q->quantum; |
| goto begin; |
| } |
| |
| ... because f->credit is either 0 or -2147483648. |
| |
| Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 : |
| This max value should limit risks of breaking user setups |
| while fixing this bug. |
| |
| Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Diagnosed-by: Florian Westphal <fw@strlen.de> |
| Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/sched/sch_fq.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/net/sched/sch_fq.c |
| +++ b/net/sched/sch_fq.c |
| @@ -787,10 +787,12 @@ static int fq_change(struct Qdisc *sch, |
| if (tb[TCA_FQ_QUANTUM]) { |
| u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]); |
| |
| - if (quantum > 0) |
| + if (quantum > 0 && quantum <= (1 << 20)) { |
| q->quantum = quantum; |
| - else |
| + } else { |
| + NL_SET_ERR_MSG_MOD(extack, "invalid quantum"); |
| err = -EINVAL; |
| + } |
| } |
| |
| if (tb[TCA_FQ_INITIAL_QUANTUM]) |