projects / platform / kernel / linux-amlogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 96f23cb)
usbnet: sanity checking of packet sizes and device mtu
authorOliver Neukum <oneukum@suse.com>
Thu, 19 Sep 2019 08:23:08 +0000 (10:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 Oct 2019 10:30:14 +0000 (12:30 +0200)
[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]

After a reset packet sizes and device mtu can change and need
to be reevaluated to calculate queue sizes.
Malicious devices can set this to zero and we divide by it.
Introduce sanity checking.

Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/usb/usbnet.c patch | blob | history

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 6d0efeb28f5cbffdeb57a375927514bdc74c63e5..0b5fd1499ac06014fc05bccd2765cb79deb9687c 100644 (file)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -354,6 +354,8 @@ void usbnet_update_max_qlen(struct usbnet *dev)
 {
        enum usb_device_speed speed = dev->udev->speed;
 
+       if (!dev->rx_urb_size || !dev->hard_mtu)
+               goto insanity;
        switch (speed) {
        case USB_SPEED_HIGH:
                dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
@@ -370,6 +372,7 @@ void usbnet_update_max_qlen(struct usbnet *dev)
                dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
                break;
        default:
+insanity:
                dev->rx_qlen = dev->tx_qlen = 4;
        }
 }
Domain: System / Kernel;