From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, Kees Cook <keescook@chromium.org>,
Simon Horman <simon.horman@corigine.com>,
Cong Wang <cong.wang@bytedance.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 15/83] net: sched: sch: Bounds check priority
Date: Mon, 20 Feb 2023 14:35:48 +0100 [thread overview]
Message-ID: <20230220133554.234461370@linuxfoundation.org> (raw)
In-Reply-To: <20230220133553.669025851@linuxfoundation.org>
From: Kees Cook <keescook@chromium.org>
[ Upstream commit de5ca4c3852f896cacac2bf259597aab5e17d9e3 ]
Nothing was explicitly bounds checking the priority index used to access
clpriop[]. WARN and bail out early if it's pathological. Seen with GCC 13:
../net/sched/sch_htb.c: In function 'htb_activate_prios':
../net/sched/sch_htb.c:437:44: warning: array subscript [0, 31] is outside array bounds of 'struct htb_prio[8]' [-Warray-bounds=]
437 | if (p->inner.clprio[prio].feed.rb_node)
| ~~~~~~~~~~~~~~~^~~~~~
../net/sched/sch_htb.c:131:41: note: while referencing 'clprio'
131 | struct htb_prio clprio[TC_HTB_NUMPRIO];
| ^~~~~~
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Cong Wang <cong.wang@bytedance.com>
Link: https://lore.kernel.org/r/20230127224036.never.561-kees@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_htb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 45b92e40082ef..7ea8c73ddeff0 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -427,7 +427,10 @@ static void htb_activate_prios(struct htb_sched *q, struct htb_class *cl)
while (cl->cmode == HTB_MAY_BORROW && p && mask) {
m = mask;
while (m) {
- int prio = ffz(~m);
+ unsigned int prio = ffz(~m);
+
+ if (WARN_ON_ONCE(prio > ARRAY_SIZE(p->inner.clprio)))
+ break;
m &= ~(1 << prio);
if (p->inner.clprio[prio].feed.rb_node)
--
2.39.0
next prev parent reply other threads:[~2023-02-20 13:51 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:35 [PATCH 5.15 00/83] 5.15.95-rc1 review Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 01/83] mptcp: fix locking for in-kernel listener creation Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 02/83] kprobes: treewide: Cleanup the error messages for kprobes Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 03/83] riscv: kprobe: Fixup misaligned load text Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 04/83] ACPI / x86: Add support for LPS0 callback handler Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 05/83] ASoC: Intel: sof_rt5682: always set dpcm_capture for amplifiers Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 06/83] ASoC: Intel: sof_cs42l42: " Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 07/83] selftests/bpf: Verify copy_register_state() preserves parent/live fields Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 08/83] ALSA: hda: Do not unset preset when cleaning up codec Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 09/83] bpf, sockmap: Dont let sock_map_{close,destroy,unhash} call itself Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 10/83] ASoC: cs42l56: fix DT probe Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 11/83] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 12/83] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 13/83] net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 14/83] drm/nouveau/devinit/tu102-: wait for GFW_BOOT_PROGRESS == COMPLETED Greg Kroah-Hartman
2023-02-20 13:35 ` Greg Kroah-Hartman [this message]
2023-02-20 13:35 ` [PATCH 5.15 16/83] s390/decompressor: specify __decompress() buf len to avoid overflow Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 17/83] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 18/83] drm/amd/display: Properly handle additional cases where DCN is not supported Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 19/83] platform/x86: touchscreen_dmi: Add Chuwi Vi8 (CWI501) DMI match Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 20/83] nvmem: core: add error handling for dev_set_name Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 21/83] nvmem: core: fix cleanup after dev_set_name() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 22/83] nvmem: core: fix registration vs use race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 23/83] nvmem: core: fix return value Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 24/83] xfs: zero inode fork buffer at allocation Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 25/83] xfs: fix potential log item leak Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 5.15 26/83] xfs: detect self referencing btree sibling pointers Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 27/83] xfs: set XFS_FEAT_NLINK correctly Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 28/83] xfs: validate v5 feature fields Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 29/83] xfs: avoid unnecessary runtime sibling pointer endian conversions Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 30/83] xfs: dont assert fail on perag references on teardown Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 31/83] xfs: assert in xfs_btree_del_cursor should take into account error Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 32/83] xfs: purge dquots after inode walk fails during quotacheck Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 33/83] xfs: dont leak btree cursor when insrec fails after a split Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 34/83] mptcp: do not wait for bare sockets timeout Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 35/83] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 36/83] drm/amd/display: Fail atomic_check early on normalize_zpos error Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 37/83] platform/x86: amd-pmc: Export Idlemask values based on the APU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 38/83] platform/x86: amd-pmc: Fix compilation when CONFIG_DEBUGFS is disabled Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 39/83] platform/x86: amd-pmc: Correct usage of SMU version Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 40/83] platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 41/83] netfilter: nft_tproxy: restrict to prerouting hook Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 42/83] tcp: Fix listen() regression in 5.15.88 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 43/83] mmc: jz4740: Work around bug on JZ4760(B) Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 44/83] mmc: sdio: fix possible resource leaks in some error paths Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 45/83] mmc: mmc_spi: fix error handling in mmc_spi_probe() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 46/83] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 47/83] ALSA: hda/realtek - fixed wrong gpio assigned Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 48/83] sched/psi: Fix use-after-free in ep_remove_wait_queue() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 49/83] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 50/83] of: reserved_mem: Have kmemleak ignore dynamically allocated reserved mem Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 51/83] selftest/lkdtm: Skip stack-entropy test if lkdtm is not available Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 52/83] Revert "mm: Always release pages to the buddy allocator in memblock_free_late()." Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 53/83] net: Fix unwanted sign extension in netdev_stats_to_stats64() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 54/83] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 55/83] ixgbe: allow to increase MTU to 3K with XDP enabled Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 56/83] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 57/83] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 58/83] net: ethernet: ti: am65-cpsw: Add RX DMA Channel Teardown Quirk Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 59/83] sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 60/83] net/sched: tcindex: update imperfect hash filters respecting rcu Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 61/83] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 62/83] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 63/83] net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 64/83] net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 65/83] bnxt_en: Fix mqprio and XDP ring checking logic Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 66/83] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 67/83] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 68/83] ixgbe: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 69/83] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 70/83] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 71/83] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 72/83] mm/filemap: fix page end in filemap_get_read_batch Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 73/83] drm/i915/gen11: Moving WAs to icl_gt_workarounds_init() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 74/83] drm/i915/gen11: Wa_1408615072/Wa_1407596294 should be on GT list Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 75/83] flow_offload: fill flags to action structure Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 76/83] net/sched: act_ctinfo: use percpu stats Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 77/83] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 78/83] net/sched: tcindex: search key must be 16 bits Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 79/83] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 80/83] alarmtimer: Prevent starvation by small intervals and SIG_IGN Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 81/83] ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 82/83] net: sched: sch: Fix off by one in htb_activate_prios() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 5.15 83/83] platform/x86/amd: pmc: add CONFIG_SERIO dependency Greg Kroah-Hartman
2023-02-21 4:10 ` [PATCH 5.15 00/83] 5.15.95-rc1 review Bagas Sanjaya
2023-02-21 7:09 ` Naresh Kamboju
2023-02-21 12:04 ` Ron Economos
2023-02-21 14:57 ` Sudip Mukherjee (Codethink)
2023-02-21 16:21 ` Guenter Roeck
2023-02-21 20:10 ` Florian Fainelli
2023-02-21 23:48 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133554.234461370@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cong.wang@bytedance.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=simon.horman@corigine.com \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).