From: Vladimir Oltean <vladimir.oltean@nxp.com>

mainline inclusion
from mainline-v6.10-rc2
commit fb66df20a7201e60f2b13d7f95d031b31a8831d3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D5O
CVE: CVE-2024-36244

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
It is possible for syzbot to side-step the restriction imposed by the blamed commit in the Fixes: tag, because the taprio UAPI permits a cycle-time different from (and potentially shorter than) the sum of entry intervals.
We need one more restriction, which is that the cycle time itself must be larger than N * ETH_ZLEN bit times, where N is the number of schedule entries. This restriction needs to apply regardless of whether the cycle time came from the user or was the implicit, auto-calculated value, so we move the existing "cycle == 0" check outside the "if (!new->cycle_time)" branch. This way covers both conditions and scenarios.
Add a selftest which illustrates the issue triggered by syzbot.
Fixes: b5b73b26b3ca ("taprio: Fix allowing too small intervals")
Reported-by: syzbot+a7d2b1d5d1af83035567@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/0000000000007d66bc06196e7c66@google.com/
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://lore.kernel.org/r/20240527153955.553333-2-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Conflicts:
	net/sched/sch_taprio.c
	tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json
[commit a306a90c8ffe adds taprio_calculate_gate_durations() to calculate tc gate durations, which wasn't merged, leading to conflicts. Commit 8a3b3667ddbd ("selftests/tc-testing: add selftests for taprio qdisc") that adds taprio.json wasn't merged]
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
---
 net/sched/sch_taprio.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index c76aa904d878..df2a372445a6 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -913,11 +913,6 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, list_for_each_entry(entry, &new->entries, list) cycle = ktime_add_ns(cycle, entry->interval);
- if (!cycle) { - NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0"); - return -EINVAL; - } - if (cycle < 0 || cycle > INT_MAX) { NL_SET_ERR_MSG(extack, "'cycle_time' is too big"); return -EINVAL; @@ -926,6 +921,11 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, new->cycle_time = cycle; }
+ if (new->cycle_time < new->num_entries * length_to_duration(q, ETH_ZLEN)) { + NL_SET_ERR_MSG(extack, "'cycle_time' is too small"); + return -EINVAL; + } + return 0; }
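
Review bot: in the first hunk (@@ -913,11 +913,6), dropping the explicit "if (!cycle)" test means a zero cycle_time is now caught only by the comparison added at the end of parse_taprio_schedule(), and that comparison cannot fire when new->num_entries is 0, because its right-hand side is then 0. If an empty entry list can reach this point, cycle_time == 0 gets through the parser again; please confirm that an empty schedule is rejected elsewhere, or keep a separate zero check after the branch. The extack text for the zero case also changes from "'cycle_time' can never be 0" to "'cycle_time' is too small", which deserves a line in the commit message in case anything matches on the old string.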
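
Review bot: in the second hunk (@@ -926,6 +921,11), the product new->num_entries * length_to_duration(q, ETH_ZLEN) is compared with new->cycle_time without the operand types being visible in the diff; if the product is evaluated in an unsigned or narrower type than cycle_time, a negative user-supplied cycle_time could compare as a large value, or the product could wrap for a large entry count. Suggest computing the minimum into a local of the same signed type as cycle_time before the comparison. Note also that the "cycle < 0 || cycle > INT_MAX" bound stays inside the auto-calculation branch, so as far as this diff shows only the new lower bound is applied to a user-supplied cycle_time. A one-line comment above the check saying why the floor is N * ETH_ZLEN bit times would help, since that rationale currently lives only in the commit message, and this backport drops the selftest that would otherwise document it.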