]> git.baikalelectronics.ru Git - kernel.git/commitdiff
sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
authorEric Dumazet <edumazet@google.com>
Tue, 4 Jan 2022 09:45:08 +0000 (01:45 -0800)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Jan 2022 12:36:51 +0000 (12:36 +0000)
tx_queue_len can be set to ~0U, we need to be more
careful about overflows.

__fls(0) is undefined, as this report shows:

UBSAN: shift-out-of-bounds in net/sched/sch_qfq.c:1430:24
shift exponent 51770272 is too large for 32-bit type 'int'
CPU: 0 PID: 25574 Comm: syz-executor.0 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x201/0x2d8 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x494/0x530 lib/ubsan.c:330
 qfq_init_qdisc+0x43f/0x450 net/sched/sch_qfq.c:1430
 qdisc_create+0x895/0x1430 net/sched/sch_api.c:1253
 tc_modify_qdisc+0x9d9/0x1e20 net/sched/sch_api.c:1660
 rtnetlink_rcv_msg+0x934/0xe60 net/core/rtnetlink.c:5571
 netlink_rcv_skb+0x200/0x470 net/netlink/af_netlink.c:2496
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x814/0x9f0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0xaea/0xe60 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 ____sys_sendmsg+0x5b9/0x910 net/socket.c:2409
 ___sys_sendmsg net/socket.c:2463 [inline]
 __sys_sendmsg+0x280/0x370 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 6a4df64a0723 ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_qfq.c

index 0b7f9ba28deb057afb1e689eafbb848cbbe2aa90..d4ce58c90f9fbab1a4f35e08213b11f87cce92af 100644 (file)
@@ -1421,10 +1421,8 @@ static int qfq_init_qdisc(struct Qdisc *sch, struct nlattr *opt,
        if (err < 0)
                return err;
 
-       if (qdisc_dev(sch)->tx_queue_len + 1 > QFQ_MAX_AGG_CLASSES)
-               max_classes = QFQ_MAX_AGG_CLASSES;
-       else
-               max_classes = qdisc_dev(sch)->tx_queue_len + 1;
+       max_classes = min_t(u64, (u64)qdisc_dev(sch)->tx_queue_len + 1,
+                           QFQ_MAX_AGG_CLASSES);
        /* max_cl_shift = floor(log_2(max_classes)) */
        max_cl_shift = __fls(max_classes);
        q->max_agg_classes = 1<<max_cl_shift;