From 22a2439ca3b8a691421795d84f97d80e3a763039 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 1 Aug 2023 10:25:46 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
---
 ...unt-for-stab-overhead-in-qfq_enqueue.patch | 92 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 93 insertions(+)
 create mode 100644 queue-5.4/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
diff --git a/queue-5.4/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch b/queue-5.4/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
new file mode 100644
index 00000000000..73188bc6f1d
--- /dev/null
+++ b/queue-5.4/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
@@ -0,0 +1,92 @@
+From 3e337087c3b5805fe0b8a46ba622a962880b5d64 Mon Sep 17 00:00:00 2001
+From: Pedro Tammela
+Date: Tue, 11 Jul 2023 18:01:02 -0300
+Subject: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
+
+From: Pedro Tammela
+
+commit 3e337087c3b5805fe0b8a46ba622a962880b5d64 upstream.
+
+Lion says:
+-------
+In the QFQ scheduler a similar issue to CVE-2023-31436
+persists.
+
+Consider the following code in net/sched/sch_qfq.c:
+
+static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ struct sk_buff **to_free)
+{
+ unsigned int len = qdisc_pkt_len(skb), gso_segs;
+
+ // ...
+
+ if (unlikely(cl->agg->lmax < len)) {
+ pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
+ cl->agg->lmax, len, cl->common.classid);
+ err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
+ if (err) {
+ cl->qstats.drops++;
+ return qdisc_drop(skb, sch, to_free);
+ }
+
+ // ...
+
+ }
+
+Similarly to CVE-2023-31436, "lmax" is increased without any bounds
+checks according to the packet length "len". Usually this would not
+impose a problem because packet sizes are naturally limited.
+
+This is however not the actual packet length, rather the
+"qdisc_pkt_len(skb)" which might apply size transformations according to
+"struct qdisc_size_table" as created by "qdisc_get_stab()" in
+net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc.
+
+A user may choose virtually any size using such a table.
+
+As a result the same issue as in CVE-2023-31436 can occur, allowing heap
+out-of-bounds read / writes in the kmalloc-8192 cache.
+-------
+
+We can create the issue with the following commands:
+
+tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \
+overhead 999999999 linklayer ethernet qfq
+tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k
+tc filter add dev $DEV parent 1: matchall classid 1:1
+ping -I $DEV 1.1.1.2
+
+This is caused by incorrectly assuming that qdisc_pkt_len() returns a
+length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: Lion
+Reviewed-by: Eric Dumazet
+Signed-off-by: Jamal Hadi Salim
+Signed-off-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: Paolo Abeni
+Signed-off-by: Shaoying Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_qfq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -375,8 +375,13 @@ static int qfq_change_agg(struct Qdisc *
+ u32 lmax)
+ {
+ struct qfq_sched *q = qdisc_priv(sch);
+- struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight);
++ struct qfq_aggregate *new_agg;
+
++ /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */
++ if (lmax > (1UL << QFQ_MTU_SHIFT))
++ return -EINVAL;
++
++ new_agg = qfq_find_agg(q, lmax, weight);
+ if (new_agg == NULL) { /* create new aggregate */
+ new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC);
+ if (new_agg == NULL)
diff --git a/queue-5.4/series b/queue-5.4/series
index da1c8cbd06d..bf4bcf3bece 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -84,3 +84,4 @@ cpufreq-intel_pstate-drop-acpi-_pss-states-table-patching.patch
 btrfs-qgroup-remove-one-time-use-variables-for-quota_root-checks.patch
 btrfs-qgroup-return-enotconn-instead-of-einval-when-quotas-are-not-enabled.patch
 btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch
+net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
--
2.47.3
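Review bot: The new guard in qfq_change_agg rejects only values above `1UL << QFQ_MTU_SHIFT`, yet the comment directly above it describes a closed range `[QFQ_MIN_LMAX, pktlen + stab overhead]`, so a reader will assume the low end is rejected here too when nothing in the hunk does so. From qfq_enqueue this is harmless because lmax is only ever raised there (`cl->agg->lmax < len`), and the class-change path presumably validates TCA_QFQ_LMAX at both ends before reaching this function, but that is inferred rather than visible in this patch and is worth confirming in the 5.4 tree before relying on it. Either make the check match the comment, `if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT))`, or narrow the comment to `/* callers keep lmax >= QFQ_MIN_LMAX; cap the top since pktlen may carry stab overhead */`. The enclosing qfq_change_agg begins before the nested hunk's first line, so its earlier parameters are not visible here.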