From: Sasha Levin <sashal@kernel•org>
To: linux-kernel@vger•kernel.org, stable@vger•kernel.org
Cc: Eric Dumazet <edumazet@google•com>,
syzbot <syzkaller@googlegroups•com>,
Jakub Kicinski <jakub.kicinski@netronome•com>,
Sasha Levin <sashal@kernel•org>,
netdev@vger•kernel.org
Subject: [PATCH AUTOSEL 5.3 70/71] sch_netem: fix a divide by zero in tabledist()
Date: Tue, 1 Oct 2019 12:39:20 -0400 [thread overview]
Message-ID: <20191001163922.14735-70-sashal@kernel.org> (raw)
In-Reply-To: <20191001163922.14735-1-sashal@kernel.org>
From: Eric Dumazet <edumazet@google•com>
[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ]
syzbot managed to crash the kernel in tabledist() loading
an empty distribution table.
t = dist->table[rnd % dist->size];
Simply return an error when such load is attempted.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google•com>
Reported-by: syzbot <syzkaller@googlegroups•com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome•com>
Signed-off-by: Sasha Levin <sashal@kernel•org>
---
net/sched/sch_netem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index b17f2ed970e29..f5cb35e550f8d 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -777,7 +777,7 @@ static int get_dist_table(struct Qdisc *sch, struct disttable **tbl,
struct disttable *d;
int i;
- if (n > NETEM_DIST_MAX)
+ if (!n || n > NETEM_DIST_MAX)
return -EINVAL;
d = kvmalloc(sizeof(struct disttable) + n * sizeof(s16), GFP_KERNEL);
--
2.20.1
prev parent reply other threads:[~2019-10-01 16:59 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191001163922.14735-1-sashal@kernel.org>
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 05/71] xprtrdma: Toggle XPRT_CONGESTED in xprtrdma's slot methods Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 06/71] xprtrdma: Send Queue size grows after a reconnect Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 07/71] 9p: Transport error uninitialized Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 16/71] SUNRPC: RPC level errors should always set task->tk_rpc_status Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 18/71] netfilter: nf_tables: allow lookups in dynamic sets Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 23/71] SUNRPC: Don't try to parse incomplete RPC messages Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 24/71] net/sched: act_sample: don't push mac header on ip6gre ingress Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 26/71] cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 27/71] usbnet: ignore endpoints with " Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 28/71] net/phy: fix DP83865 10 Mbps HDX loopback disable function Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 29/71] net_sched: add max len check for TCA_KIND Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 30/71] selftests/seccomp: fix build on older kernels Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 37/71] net/mlx5e: Fix matching on tunnel addresses type Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 38/71] net/mlx5e: Fix traffic duplication in ethtool steering Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 42/71] arcnet: provide a buffer big enough to actually receive packets Sasha Levin
2019-10-01 16:38 ` [PATCH AUTOSEL 5.3 44/71] ppp: Fix memory leak in ppp_write Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 50/71] selftests/bpf: adjust strobemeta loop to satisfy latest clang Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 52/71] libbpf: fix false uninitialized variable warning Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 55/71] bpf: Fix bpf_event_output re-entry issue Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 56/71] macsec: drop skb sk before calling gro_cells_receive Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 57/71] net: dsa: microchip: Always set regmap stride to 1 Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 60/71] nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 61/71] net: stmmac: Fix page pool size Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 62/71] net: phy: micrel: add Asym Pause workaround for KSZ9021 Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 63/71] mlxsw: spectrum_flower: Fail in case user specifies multiple mirror actions Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 64/71] vrf: Do not attempt to create IPv6 mcast rule if IPv6 is disabled Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 65/71] nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 66/71] nfp: abm: fix memory leak in nfp_abm_u32_knode_replace Sasha Levin
2019-10-01 16:39 ` [PATCH AUTOSEL 5.3 69/71] usbnet: sanity checking of packet sizes and device mtu Sasha Levin
2019-10-01 16:39 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001163922.14735-70-sashal@kernel.org \
--to=sashal@kernel$(echo .)org \
--cc=edumazet@google$(echo .)com \
--cc=jakub.kicinski@netronome$(echo .)com \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=netdev@vger$(echo .)kernel.org \
--cc=stable@vger$(echo .)kernel.org \
--cc=syzkaller@googlegroups$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox