Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp462254pxb; Thu, 9 Sep 2021 05:08:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxzflYyh0t7550el4QvsGm4MW2MuJkRcy3fOc3+bLu8YpbGBaAlCyLukvTlM0jLsU5AmNw5 X-Received: by 2002:a2e:b050:: with SMTP id d16mr1984031ljl.282.1631189314665; Thu, 09 Sep 2021 05:08:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631189314; cv=none; d=google.com; s=arc-20160816; b=I6Ja6HDU5W94OHd3y6KejZMJCPvSu/lYOsAuybLZ/NWtkgKAlLaQz1kK14ujKRO/qs ea3QK2MwedWkvLa2/LrDfm1Duwk6+7LKNeMlB4J7mITmv9xAgqd81BULOAPAzseTBzyi MSIdCX0qQY0o2yQGQDIhhlt9E3hhhmiFDUeVN+J1hLEOynBiEkWxefVWXH3ip3Trmi9D RLW0AmSY9n/qRqaDdA4zZa/9PYkmQkMWKN6oWC9LP4VkYgDSly5N1ExOo7LGlTDwt4zh gLucpUi1clZx8oSMtX2WUpasCYVUQzdOsIDnOiVrEEkooTTlObK/93E4yEJVW5TtnwiU LX2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=B82afzGVziYj/9NtuUluXSzVunhNCFi0LuCdoEKya5A=; b=0yRu4GQDVw8RuIADkF4/fQswI3xNryR3ILz/VrUT1QxdF/Nv/kqEJpyR5U2I73ThlN /0oI8ANGhCU/Ux8ayu83rl4TpZpiIYaRtiAdd7cVRFZSGNZ8bSJYB5b8k16r0QKwtk6e yLNCoX7bgK+5UuCF3R8evmk3lBT0zPBZ9vpR8VNtx9JjljXrasDBpfptNJ74ibswdcyC IRxXJx510AiaPkoD9VtangqFERcLvjo37L3+izTSCb1BNFRqHEeSVsldyG7wAW7e4a+r 3bz+PE2Oqyttb/mJwOLUXuI3V3afLaAw1t1HcY/A5vFfE5N6kfcJPJ7SkjS2PuDjWabD BeHw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="RDm/Df3i"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id yd13si1627593ejb.525.2021.09.09.05.08.06; Thu, 09 Sep 2021 05:08:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="RDm/Df3i"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345868AbhIIMHR (ORCPT + 99 others); Thu, 9 Sep 2021 08:07:17 -0400 Received: from mail.kernel.org ([198.145.29.99]:41776 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343693AbhIIMB5 (ORCPT ); Thu, 9 Sep 2021 08:01:57 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 51AC7615A3; Thu, 9 Sep 2021 11:46:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1631187991; bh=AnqclIy/yhabaP/XcnnT3myiJuVDcV2mN78sB8cMj18=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RDm/Df3iV5VFR9LRzMQYYI73JYdnjXy+63sI3X8oFXRPZ6Z+X2Q42GTsxPlJqNRDy kBa5tPQsOeXb0AsP58vS6ZGJxvhew96zhU0+7USyY1FfTOQNsaHUI4CXmbsNMs1NUD qXhts1JCtTArHef9adcsNXHJ1uTE8xEZ47fvpp0v5PKCwMiAJsMFfbGhukzJr18cjw KE4yxp0BDS48xRtxpOPJOMI0Xlvy5wuml9ErACHPkhRsIRst4hdGRXXmheyXiwd99g 5wma83EKrNgMUNknPWx0lH9kpNcOJSeGWrH4x9Ci52EgBMMwkOw7O22TA8rOtSg94R boNopdpNQ7UdQ== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Haimin Zhang , syzbot+2b3e5fb6c7ef285a94f6@syzkaller.appspotmail.com, "David S . Miller" , Sasha Levin , netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.14 250/252] fix array-index-out-of-bounds in taprio_change Date: Thu, 9 Sep 2021 07:41:04 -0400 Message-Id: <20210909114106.141462-250-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210909114106.141462-1-sashal@kernel.org> References: <20210909114106.141462-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haimin Zhang [ Upstream commit efe487fce3061d94222c6501d7be3aa549b3dc78 ] syzbot report an array-index-out-of-bounds in taprio_change index 16 is out of range for type '__u16 [16]' that's because mqprio->num_tc is lager than TC_MAX_QUEUE,so we check the return value of netdev_set_num_tc. Reported-by: syzbot+2b3e5fb6c7ef285a94f6@syzkaller.appspotmail.com Signed-off-by: Haimin Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sched/sch_taprio.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index 9c79374457a0..1ab2fc933a21 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -1513,7 +1513,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, taprio_set_picos_per_byte(dev, q); if (mqprio) { - netdev_set_num_tc(dev, mqprio->num_tc); + err = netdev_set_num_tc(dev, mqprio->num_tc); + if (err) + goto free_sched; for (i = 0; i < mqprio->num_tc; i++) netdev_set_tc_queue(dev, i, mqprio->count[i], -- 2.30.2