Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp100980ybp;
        Thu, 3 Oct 2019 10:46:26 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzY+8iVkgO2Kz4v6QtId4TOuXETmaP87JxC/oJCEsRbL8BkoOCj3b7MM1U8DOB8HZeykh8x
X-Received: by 2002:a17:906:bcd6:: with SMTP id lw22mr8714162ejb.270.1570124786080;
        Thu, 03 Oct 2019 10:46:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570124786; cv=none;
        d=google.com; s=arc-20160816;
        b=JwOZSneURwqyaRLRhTUB4s9GTeP1H/BgUSymuVOlzxoyT5iSqVgzDwG+5kN8lvBV+9
         1mVo9kwwyHXJs4U/d4Ccmf88G6lyiA1P8boGeq2H3+GDcomgog9T3XI5TFqNL4+K2S0y
         OwRH6gTzoCrRdeGxdvU5D16Z/aGUrRURTlShu6R5aR0TwwfxePuGD98Yn7tl8TsK4R8f
         juopoWUeg3RCi57fov7QITNtwHoWrPwRDnShlbAQ7WtfnlxAybuxE1857rxp9daAANhj
         En6hJ6mvw/rNjjfmqxknPp64mhPvTzfwtd3iqmwJIF/ne4Gpv9+TBSH2K0EDeS10U/J5
         JZ4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=6aJ8yo6FbFkRQAVBMJRJGzUxxbQPStaTIg4kNYFPMAs=;
        b=hefUH7TZD0EOPd6jxb0PSR70ppED9mzU0B5wmzqnbDSDlmFnkdva0/1ENaT1D9A8t3
         sOjMvNT1GpxRGC9FBjSHQOeSZyAe8XIIssLKLJgUkg6qX8BlY5P6OuxiSw4BS305ZvUf
         LCiP1veLP7iamvhntaTTeql5vFXGJmHW+tD1fXeLI7jB8R5DF30pESLRnlvdIDuVdBWL
         YjTgFzIm0/usfwEXCcwEtjsDtB4RboGT5BzzR1u1tW5JiCFndtpNlHZxkob20zTq6yNG
         1Geayla50Y+2VcUNwBAHc7Uo6QTvlyYgMcLfhxOhV9q6FOoi/sqJz5y4mgKIgMxurWS+
         ecsQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="CvYUTsj/";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f15si1950806edm.414.2019.10.03.10.46.01;
        Thu, 03 Oct 2019 10:46:26 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="CvYUTsj/";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388768AbfJCQPA (ORCPT <rfc822;mailist1go@gmail.com>
        + 99 others); Thu, 3 Oct 2019 12:15:00 -0400
Received: from mail.kernel.org ([198.145.29.99]:38726 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2388752AbfJCQO6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 Oct 2019 12:14:58 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id B552121783;
        Thu,  3 Oct 2019 16:14:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1570119298;
        bh=zBya74pRYDPzIK4cQdHPpJIitnD/nPJtdMLpRb7hGTU=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=CvYUTsj/rLvLFLtkedzuTV6a5OYsm10830DSqPg5X8kgfjwPhtMKCOmRzXr9izIkA
         DMlb+IHE5Y/zQnM6ILJCU/lIWFN2wDl6nrmTxAXnUNRYhktgdQmDECyeK8bnhZTuxO
         2MMbXkc5opVqYRzuQwpcf3GE8kOrNcjTGC2Ah2aw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Oliver Neukum <oneukum@suse.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 014/211] usbnet: sanity checking of packet sizes and device mtu
Date:   Thu,  3 Oct 2019 17:51:20 +0200
Message-Id: <20191003154450.103690210@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191003154447.010950442@linuxfoundation.org>
References: <20191003154447.010950442@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]

After a reset packet sizes and device mtu can change and need
to be reevaluated to calculate queue sizes.
Malicious devices can set this to zero and we divide by it.
Introduce sanity checking.

Reported-and-tested-by:  syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/usbnet.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -356,6 +356,8 @@ void usbnet_update_max_qlen(struct usbne
 {
 	enum usb_device_speed speed = dev->udev->speed;
 
+	if (!dev->rx_urb_size || !dev->hard_mtu)
+		goto insanity;
 	switch (speed) {
 	case USB_SPEED_HIGH:
 		dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
@@ -372,6 +374,7 @@ void usbnet_update_max_qlen(struct usbne
 		dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
 		break;
 	default:
+insanity:
 		dev->rx_qlen = dev->tx_qlen = 4;
 	}
 }