6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@xxxxxxxxxx>
[ Upstream commit ee76746387f6233bdfa93d7406990f923641568f ]
If either a zero count or a large one is provided, kernel can crash.
Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters")
Reported-by: syzbot+ea40e4294e58b0292f74@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@xxxxxxxxxx/T/#u
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: Jiri Pirko <jiri@xxxxxxxxxx>
Reviewed-by: Joe Damato <jdamato@xxxxxxxxxx>
Link: https://patch.msgid.link/20241213172518.2415666-1-edumazet@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/netdevsim/health.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c
index eb04ed715d2d..c63427b71898 100644
--- a/drivers/net/netdevsim/health.c
+++ b/drivers/net/netdevsim/health.c
@@ -203,6 +203,8 @@ static ssize_t nsim_dev_health_break_write(struct file *file,
char *break_msg;
int err;
+ if (count == 0 || count > PAGE_SIZE)
+ return -EINVAL;
break_msg = memdup_user_nul(data, count);
if (IS_ERR(break_msg))
return PTR_ERR(break_msg);
--
2.39.5
