[net,0/2] net: two fixes for qdisc_pkt_len_init()

Message ID 20240924150257.1059524-1-edumazet@google.com (mailing list archive)

Message

Eric Dumazet Sept. 24, 2024, 3:02 p.m. UTC
Inspired by one syzbot report.

At least one qdisc (fq_codel) depends on qdisc_skb_cb(skb)->pkt_len
having a sane value (not zero).

With the help of af_packet, syzbot was able to fool qdisc_pkt_len_init()
to precisely set qdisc_skb_cb(skb)->pkt_len to zero.

First patch fixes this issue.

Second one (a separate one to help future bisections) adds
more sanity checks to SKB_GSO_DODGY users.

Eric Dumazet (2):
  net: avoid potential underflow in qdisc_pkt_len_init() with UFO
  net: add more sanity checks to qdisc_pkt_len_init()

 net/core/dev.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

Comments

David Ahern Sept. 26, 2024, 2:26 a.m. UTC | #1
On 9/24/24 9:02 AM, Eric Dumazet wrote:
> Inspired by one syzbot report.
> 
> At least one qdisc (fq_codel) depends on qdisc_skb_cb(skb)->pkt_len
> having a sane value (not zero).
> 
> With the help of af_packet, syzbot was able to fool qdisc_pkt_len_init()
> to precisely set qdisc_skb_cb(skb)->pkt_len to zero.
> 
> First patch fixes this issue.
> 
> Second one (a separate one to help future bisections) adds
> more sanity checks to SKB_GSO_DODGY users.
> 
> Eric Dumazet (2):
>   net: avoid potential underflow in qdisc_pkt_len_init() with UFO
>   net: add more sanity checks to qdisc_pkt_len_init()
> 
>  net/core/dev.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 

LGTM. For the set:

Reviewed-by: David Ahern <dsahern@kernel.org>

patchwork-bot+netdevbpf@kernel.org Oct. 1, 2024, 10:10 a.m. UTC | #2
Hello:

This series was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Tue, 24 Sep 2024 15:02:55 +0000 you wrote:
> Inspired by one syzbot report.
> 
> At least one qdisc (fq_codel) depends on qdisc_skb_cb(skb)->pkt_len
> having a sane value (not zero).
> 
> With the help of af_packet, syzbot was able to fool qdisc_pkt_len_init()
> to precisely set qdisc_skb_cb(skb)->pkt_len to zero.
> 
> [...]

Here is the summary with links:
  - [net,1/2] net: avoid potential underflow in qdisc_pkt_len_init() with UFO
    https://git.kernel.org/netdev/net/c/c20029db2839
  - [net,2/2] net: add more sanity checks to qdisc_pkt_len_init()
    https://git.kernel.org/netdev/net/c/ab9a9a9e9647

You are awesome, thank you!