Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1540945pxb; Thu, 16 Sep 2021 09:32:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjpKHbxZcG8gCul4/oeDYvcXu0zVjw5mvLTFl0JONrBCR4OdPQdGMuOqdRXubLCMG9j2EQ X-Received: by 2002:a92:c56c:: with SMTP id b12mr4641763ilj.7.1631809947194; Thu, 16 Sep 2021 09:32:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631809947; cv=none; d=google.com; s=arc-20160816; b=fETT4quW7wemossDEYPblOrjJvEH3fOKQCGS3+rUW9WMhn13Xatrc5d3OLmUXGqrGQ 07KGDEkbe7KCtdcX/KZV0WEYQQAbRWA3I0B7O7D1UYvET+NyACeokoFkHmMhSuKigCi2 olA0FbnpupaimzzFp3XfYAndJfAUAp8AeYz9mnXMDK1StQkyN/sCuuTCrtX5qEvVFOqW 384rRlHHwLrTLl9uPlh3uYA4RyeZOhLGa+y91Pu7ZvVkn1RaQnk2eLesSMOgpWYoIIMj a1B0uQC8VgxmMhgdH49qtfEK/WWDE1AdmusfnTf4AzdQNik/P3sEdE1aX4dwwUbzMjpd 6JcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=HuMTkoTN2Yoz86obLdjde1IvVCSlnzua+4y79xIgbrc=; b=rmSGzPGMLaU8A/EuwaT2JK+IZaraUubpyAgt3xjLDi6Sk9naW1Q0Gdkd06Kmn5BtOi qvQj0J78PSAaolJA1uipq27CY2HyXwCoFR9fujX4YNrXTbBlUJl/XdRC1f+s0ychSgZP 7OVihqD9/7LKDsVvNI+WapwyxPsfk9BP0T6sas6Rl1A3Bhffn+C8lts30oEII94vwJUb AbECi7Do63tm/lccu7XNxIuCKw4F663eNhFIKVpW2Zdga6lsbuUmPgRc8Q3u81LeTDMS jRms9SHOebXwG6Ef1bq9jLx5Pu6SAhS0WbFy9w8m832jwAKjgoweMgmZd9HezMearc7n gXVA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=hbvHo8NS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c18si3700329iod.38.2021.09.16.09.32.10; Thu, 16 Sep 2021 09:32:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=hbvHo8NS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241900AbhIPQbV (ORCPT + 99 others); Thu, 16 Sep 2021 12:31:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:58822 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241201AbhIPQXO (ORCPT ); Thu, 16 Sep 2021 12:23:14 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 50BEC61465; Thu, 16 Sep 2021 16:15:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1631808934; bh=w6iHWZT7Y89nYZJtQYlzQhQc3f55MOOEZW8zB9l1v80=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hbvHo8NSkcEWeeHaYttmmNIEw21YUsW1lbRepw/o4Z3mh9201wWeVwTkHoDdfy5kg Ielmow21eW67jsc7l23s7MImuR7t7Bb6RxhD3VqwVvtaSBZTH88sY0umiGWzWlAnVV vLDWg0MiPuZFGUCYIC544+Fxv9cZu/I+Zun6Fj7E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+2b3e5fb6c7ef285a94f6@syzkaller.appspotmail.com, Haimin Zhang , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 275/306] fix array-index-out-of-bounds in taprio_change Date: Thu, 16 Sep 2021 18:00:20 +0200 Message-Id: <20210916155803.453788546@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210916155753.903069397@linuxfoundation.org> References: <20210916155753.903069397@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Haimin Zhang [ Upstream commit efe487fce3061d94222c6501d7be3aa549b3dc78 ] syzbot report an array-index-out-of-bounds in taprio_change index 16 is out of range for type '__u16 [16]' that's because mqprio->num_tc is lager than TC_MAX_QUEUE,so we check the return value of netdev_set_num_tc. Reported-by: syzbot+2b3e5fb6c7ef285a94f6@syzkaller.appspotmail.com Signed-off-by: Haimin Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sched/sch_taprio.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index 00853065dfa0..cb5e5220da55 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -1502,7 +1502,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt, taprio_set_picos_per_byte(dev, q); if (mqprio) { - netdev_set_num_tc(dev, mqprio->num_tc); + err = netdev_set_num_tc(dev, mqprio->num_tc); + if (err) + goto free_sched; for (i = 0; i < mqprio->num_tc; i++) netdev_set_tc_queue(dev, i, mqprio->count[i], -- 2.30.2