qiurui
/
linux-kernelorg-stable
mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-kernelorg-stable/net/sched
History
Maher Azzouzi ffd2dc4c6c net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing 
TCA_MQPRIO_TC_ENTRY_INDEX is validated using
NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value
TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack
write in the fp[] array, which only has room for 16 elements (0–15).

Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1.

Fixes: f62af20bed ("net/sched: mqprio: allow per-TC user input of FP adminStatus")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Maher Azzouzi <maherazz04@gmail.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250802001857.2702497-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2025-08-04 17:22:20 -07:00
..
Kconfig sched: Add enqueue/dequeue of dualpi2 qdisc 2025-07-23 17:52:07 -07:00
Makefile sched: Add enqueue/dequeue of dualpi2 qdisc 2025-07-23 17:52:07 -07:00
act_api.c
act_bpf.c
act_connmark.c
act_csum.c
act_ct.c
act_ctinfo.c
act_gact.c
act_gate.c
act_ife.c
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c
act_mpls.c
act_nat.c
act_pedit.c
act_police.c
act_sample.c
act_simple.c
act_skbedit.c
act_skbmod.c
act_tunnel_key.c
act_vlan.c
bpf_qdisc.c
cls_api.c
cls_basic.c
cls_bpf.c
cls_cgroup.c
cls_flow.c
cls_flower.c
cls_fw.c
cls_matchall.c
cls_route.c
cls_u32.c
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c
em_nbyte.c
em_text.c
em_u32.c
ematch.c
sch_api.c
sch_blackhole.c
sch_cake.c
sch_cbs.c
sch_choke.c
sch_codel.c
sch_drr.c
sch_dualpi2.c sched: Add enqueue/dequeue of dualpi2 qdisc 2025-07-23 17:52:07 -07:00
sch_etf.c
sch_ets.c
sch_fifo.c
sch_fq.c
sch_fq_codel.c
sch_fq_pie.c
sch_frag.c
sch_generic.c net/sched: Add precise drop reason for pfifo_fast queue overflows 2025-07-25 15:47:21 -07:00
sch_gred.c
sch_hfsc.c
sch_hhf.c
sch_htb.c
sch_ingress.c
sch_mq.c
sch_mqprio.c net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing 2025-08-04 17:22:20 -07:00
sch_mqprio_lib.c
sch_mqprio_lib.h
sch_multiq.c
sch_netem.c
sch_pie.c
sch_plug.c
sch_prio.c
sch_qfq.c net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class 2025-07-22 11:48:34 +02:00
sch_red.c
sch_sfb.c
sch_sfq.c
sch_skbprio.c
sch_taprio.c net/sched: taprio: enforce minimum value for picos_per_byte 2025-08-01 15:15:28 -07:00
sch_tbf.c
sch_teql.c