mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-12 19:46:29 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/core
History
Eric Dumazet fd4c12f312 net_sched: gen_estimator: support large ewma log 
commit dd5e073381 upstream

syzbot report reminded us that very big ewma_log were supported in the past,
even if they made litle sense.

tc qdisc replace dev xxx root est 1sec 131072sec ...

While fixing the bug, also add boundary checks for ewma_log, in line
with range supported by iproute2.

UBSAN: shift-out-of-bounds in net/core/gen_estimator.c:83:38
shift exponent -1 is negative
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 est_timer.cold+0xbb/0x12d net/core/gen_estimator.c:83
 call_timer_fn+0x1a5/0x710 kernel/time/timer.c:1417
 expire_timers kernel/time/timer.c:1462 [inline]
 __run_timers.part.0+0x692/0xa80 kernel/time/timer.c:1731
 __run_timers kernel/time/timer.c:1712 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1744
 __do_softirq+0x2bc/0xa77 kernel/softirq.c:343
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:226 [inline]
 __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:420
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:432
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:79 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:169 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:516

Fixes: 1c0d32fde5 ("net_sched: gen_estimator: complete rewrite of rate estimators")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20210114181929.1717985-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[sudip: adjust context]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-02-07 15:35:47 +01:00
..
bpf_sk_storage.c bpf: Improve bucket_log calculation logic 2020-02-14 16:34:10 -05:00
datagram.c net: use indirect call wrappers for skb_copy_datagram_iter() 2020-05-02 08:49:00 +02:00
datagram.h
dev.c net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled 2021-01-27 11:47:54 +01:00
dev_addr_lists.c
dev_ioctl.c
devlink.c devlink: Hold rtnl lock while reading netdev attributes 2020-12-08 10:40:23 +01:00
drop_monitor.c drop_monitor: work around gcc-10 stringop-overflow warning 2020-05-20 08:20:06 +02:00
dst.c
dst_cache.c
ethtool.c
failover.c
fib_notifier.c
fib_rules.c net: fib_rules: Correctly set table field when table number exceeds 8 bits 2020-03-05 16:43:31 +01:00
filter.c net, sctp, filter: remap copy_from_user failure error 2021-01-23 15:58:00 +01:00
flow_dissector.c flow_dissector: Drop BPF flow dissector prog ref on netns cleanup 2020-05-27 17:46:49 +02:00
flow_offload.c
gen_estimator.c net_sched: gen_estimator: support large ewma log 2021-02-07 15:35:47 +01:00
gen_stats.c
gro_cells.c
hwbm.c
link_watch.c
lwt_bpf.c lwt: Disable BH too in run_lwt_bpf() 2020-12-30 11:51:30 +01:00
lwtunnel.c
Makefile
neighbour.c Exempt multicast addresses from five-second neighbor lifetime 2020-11-24 13:28:56 +01:00
net-procfs.c
net-sysfs.c net-sysfs: take the rtnl lock when accessing xps_rxqs_map and num_tc 2021-01-12 20:16:13 +01:00
net-sysfs.h
net-traces.c
net_namespace.c
netclassid_cgroup.c cgroup, netclassid: remove double cond_resched 2020-05-10 10:31:32 +02:00
netevent.c
netpoll.c net: Have netpoll bring-up DSA management interface 2020-11-24 13:28:57 +01:00
netprio_cgroup.c netprio_cgroup: Fix unlimited memory leak of v2 cgroups 2020-05-20 08:20:12 +02:00
page_pool.c
pktgen.c net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-04-01 11:02:18 +02:00
ptp_classifier.c
request_sock.c
rtnetlink.c rtnetlink: Fix memory(net_device) leak when ->newlink fails 2020-07-31 18:39:30 +02:00
scm.c
secure_seq.c
skbuff.c skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too 2021-01-27 11:47:53 +01:00
skmsg.c bpf, sockmap: Avoid returning unneeded EAGAIN when redirecting to self 2020-11-24 13:29:19 +01:00
sock.c socket: don't clear SOCK_TSTAMP_NEW when SO_TIMESTAMPNS is disabled 2020-11-01 12:01:01 +01:00
sock_diag.c
sock_map.c bpf: sockmap: Require attach_bpf_fd when detaching a program 2020-08-07 09:34:02 +02:00
sock_reuseport.c udp: Prevent reuseport_select_sock from reading uninitialized socks 2021-01-23 15:57:56 +01:00
stream.c
sysctl_net_core.c bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok() 2020-07-16 08:16:45 +02:00
timestamping.c
tso.c
utils.c net: Fix skb->csum update in inet_proto_csum_replace16(). 2020-02-05 21:22:52 +00:00
xdp.c