Patch "ppp_async: limit MRU to 64K" has been added to the 6.7-stable tree

This is a note to let you know that I've just added the patch titled

    ppp_async: limit MRU to 64K

to the 6.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ppp_async-limit-mru-to-64k.patch
and it can be found in the queue-6.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 721aa4187559b50d750258973ff912183427e0b4
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Mon Feb 5 17:10:04 2024 +0000

    ppp_async: limit MRU to 64K
    
    [ Upstream commit cb88cb53badb8aeb3955ad6ce80b07b598e310b8 ]
    
    syzbot triggered a warning [1] in __alloc_pages():
    
    WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)
    
    Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")
    
    Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)
    
    [1]:
    
     WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
    Modules linked in:
    CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
    Workqueue: events_unbound flush_to_ldisc
    pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
     lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537
    sp : ffff800093967580
    x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000
    x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0
    x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8
    x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120
    x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005
    x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000
    x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001
    x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f
    x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020
    x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0
    Call trace:
      __alloc_pages+0x308/0x698 mm/page_alloc.c:4543
      __alloc_pages_node include/linux/gfp.h:238 [inline]
      alloc_pages_node include/linux/gfp.h:261 [inline]
      __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926
      __do_kmalloc_node mm/slub.c:3969 [inline]
      __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001
      kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590
      __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651
      __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715
      netdev_alloc_skb include/linux/skbuff.h:3235 [inline]
      dev_alloc_skb include/linux/skbuff.h:3248 [inline]
      ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]
      ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341
      tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390
      tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37
      receive_buf drivers/tty/tty_buffer.c:444 [inline]
      flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494
      process_one_work+0x694/0x1204 kernel/workqueue.c:2633
      process_scheduled_works kernel/workqueue.c:2706 [inline]
      worker_thread+0x938/0xef4 kernel/workqueue.c:2787
      kthread+0x288/0x310 kernel/kthread.c:388
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-and-tested-by: syzbot+c5da1f087c9e4ec6c933@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240205171004.1059724-1-edumazet@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c
index fbaaa8c102a1..e94a4b08fd63 100644
--- a/drivers/net/ppp/ppp_async.c
+++ b/drivers/net/ppp/ppp_async.c
@@ -460,6 +460,10 @@ ppp_async_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg)
 	case PPPIOCSMRU:
 		if (get_user(val, p))
 			break;
+		if (val > U16_MAX) {
+			err = -EINVAL;
+			break;
+		}
 		if (val < PPP_MRU)
 			val = PPP_MRU;
 		ap->mru = val;
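Review bot: the new `if (val > U16_MAX)` check would benefit from a one-line comment stating why 64K is the limit, namely that ap->mru sizes the buffer handed to dev_alloc_skb() in ppp_async_input() (the allocation that trips the MAX_PAGE_ORDER warning in the quoted trace), so the next reader does not have to recover the reason from the log. Placing the rejection before the existing `if (val < PPP_MRU)` clamp means oversized values fail with -EINVAL while undersized ones are still silently raised to PPP_MRU; that asymmetry matches the earlier ppp fix cited in the commit message (c0a2a1b0d631) and looks intentional, but it is worth saying so. The hunk does not show the declaration of `val`: if it is a signed int, a negative value passes the `val > U16_MAX` test and is handled by the PPP_MRU clamp, which is fine, but please confirm it is not an unsigned type read through a signed user pointer.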
