From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Oliver Neukum <oneukum@suse.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 18/19] usbnet: sanity checking of packet sizes and device mtu
Date: Tue, 1 Oct 2019 12:45:04 -0400 [thread overview]
Message-ID: <20191001164505.16708-18-sashal@kernel.org> (raw)
In-Reply-To: <20191001164505.16708-1-sashal@kernel.org>
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]
After a reset packet sizes and device mtu can change and need
to be reevaluated to calculate queue sizes.
Malicious devices can set this to zero and we divide by it.
Introduce sanity checking.
Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/usbnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 6d0efeb28f5cb..0b5fd1499ac06 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -354,6 +354,8 @@ void usbnet_update_max_qlen(struct usbnet *dev)
{
enum usb_device_speed speed = dev->udev->speed;
+ if (!dev->rx_urb_size || !dev->hard_mtu)
+ goto insanity;
switch (speed) {
case USB_SPEED_HIGH:
dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
@@ -370,6 +372,7 @@ void usbnet_update_max_qlen(struct usbnet *dev)
dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
break;
default:
+insanity:
dev->rx_qlen = dev->tx_qlen = 4;
}
}
--
2.20.1
next prev parent reply other threads:[~2019-10-01 16:47 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-01 16:44 [PATCH AUTOSEL 4.9 01/19] ima: always return negative code for error Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 02/19] fs: nfs: Fix possible null-pointer dereferences in encode_attrs() Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 03/19] 9p: avoid attaching writeback_fid on mmap with type PRIVATE Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 04/19] xen/pci: reserve MCFG areas earlier Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 05/19] ceph: fix directories inode i_blkbits initialization Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 06/19] ceph: reconnect connection if session hang in opening state Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 07/19] drm/amdgpu: Check for valid number of registers to read Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 08/19] cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 09/19] usbnet: ignore endpoints with " Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 10/19] net/phy: fix DP83865 10 Mbps HDX loopback disable function Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 11/19] thermal: Fix use-after-free when unregistering thermal zone device Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 12/19] fuse: fix memleak in cuse_channel_open Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 13/19] arcnet: provide a buffer big enough to actually receive packets Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 14/19] ppp: Fix memory leak in ppp_write Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 15/19] sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr() Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 16/19] kernel/elfcore.c: include proper prototypes Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 17/19] macsec: drop skb sk before calling gro_cells_receive Sasha Levin
2019-10-01 16:45 ` Sasha Levin [this message]
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 19/19] sch_netem: fix a divide by zero in tabledist() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001164505.16708-18-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).