git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Eric Dumazet <edumazet@google.com>
	Mon, 27 Apr 2020 01:19:07 +0000 (18:19 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 14 May 2020 05:57:18 +0000 (07:57 +0200)
commit	cdacfbb66f96d77e9ceb394ce9a12551ae63d67c
tree	db83ef6d254a25f856218d66a76c8f9312ad8bc8	tree \| snapshot
parent	9a67503a5a1cef0225e4f223d5f90c2ffc7cfc3b	commit \| diff

sch_sfq: validate silly quantum values

[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]

syzbot managed to set up sfq so that q->scaled_quantum was zero,
triggering an infinite loop in sfq_dequeue()

More generally, we must only accept quantum between 1 and 2^18 - 7,
meaning scaled_quantum must be in [1, 0x7FFF] range.

Otherwise, we also could have a loop in sfq_dequeue()
if scaled_quantum happens to be 0x8000, since slot->allot
could indefinitely switch between 0 and 0x8000.

Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>