This is a note to let you know that I've just added the patch titled net/sched: sch_qfq: reintroduce lmax bound check for MTU to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch and it can be found in the queue-6.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 158810b261d02fc7dd92ca9c392d8f8a211a2401 Mon Sep 17 00:00:00 2001 From: Pedro Tammela <pctammela@xxxxxxxxxxxx> Date: Tue, 11 Jul 2023 18:01:00 -0300 Subject: net/sched: sch_qfq: reintroduce lmax bound check for MTU From: Pedro Tammela <pctammela@xxxxxxxxxxxx> commit 158810b261d02fc7dd92ca9c392d8f8a211a2401 upstream. 25369891fcef deletes a check for the case where no 'lmax' is specified which 3037933448f6 previously fixed as 'lmax' could be set to the device's MTU without any bound checking for QFQ_LMAX_MIN and QFQ_LMAX_MAX. Therefore, reintroduce the check. Fixes: 25369891fcef ("net/sched: sch_qfq: refactor parsing of netlink parameters") Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx> Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx> Signed-off-by: Pedro Tammela <pctammela@xxxxxxxxxxxx> Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/sched/sch_qfq.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) --- a/net/sched/sch_qfq.c +++ b/net/sched/sch_qfq.c @@ -428,10 +428,17 @@ static int qfq_change_class(struct Qdisc else weight = 1; - if (tb[TCA_QFQ_LMAX]) + if (tb[TCA_QFQ_LMAX]) { lmax = nla_get_u32(tb[TCA_QFQ_LMAX]); - else + } else { + /* MTU size is user controlled */ lmax = psched_mtu(qdisc_dev(sch)); + if (lmax < QFQ_MIN_LMAX || lmax > QFQ_MAX_LMAX) { + NL_SET_ERR_MSG_MOD(extack, + "MTU size out of bounds for qfq"); + return -EINVAL; + } + } inv_w = ONE_FP / weight; weight = ONE_FP / inv_w; Patches currently in stable-queue which might be from pctammela@xxxxxxxxxxxx are queue-6.1/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch queue-6.1/net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch queue-6.1/net-sched-make-psched_mtu-rtnl-less-safe.patch queue-6.1/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch queue-6.1/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch