lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 09 Dec 2018 21:50:33 +0000
From:   Ben Hutchings <>
CC:, "syzbot" <>,
        "David S. Miller" <>,
        "Eric Dumazet" <>
Subject: [PATCH 3.16 290/328] rtnl: limit IFLA_NUM_TX_QUEUES and

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.


From: Eric Dumazet <>

commit 0e1d6eca5113858ed2caea61a5adc03c595f6096 upstream.

We have an impressive number of syzkaller bugs that are linked
to the fact that syzbot was able to create a networking device
with millions of TX (or RX) queues.

Let's limit the number of RX/TX queues to 4096, this really should
cover all known cases.

A separate patch will add various cond_resched() in the loops
handling sysfs entries at device creation and dismantle.


lpaa6:~# ip link add gre-4097 numtxqueues 4097 numrxqueues 4097 type ip6gretap
RTNETLINK answers: Invalid argument

lpaa6:~# time ip link add gre-4096 numtxqueues 4096 numrxqueues 4096 type ip6gretap

real	0m0.180s
user	0m0.000s
sys	0m0.107s

Fixes: 76ff5cc91935 ("rtnl: allow to specify number of rx and tx queues on device creation")
Signed-off-by: Eric Dumazet <>
Reported-by: syzbot <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <>
 net/core/rtnetlink.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1831,6 +1831,12 @@ struct net_device *rtnl_create_link(stru
 	else if (ops->get_num_rx_queues)
 		num_rx_queues = ops->get_num_rx_queues();
+	if (num_tx_queues < 1 || num_tx_queues > 4096)
+		return ERR_PTR(-EINVAL);
+	if (num_rx_queues < 1 || num_rx_queues > 4096)
+		return ERR_PTR(-EINVAL);
 	err = -ENOMEM;
 	dev = alloc_netdev_mqs(ops->priv_size, ifname, ops->setup,
 			       num_tx_queues, num_rx_queues);

Powered by blists - more mailing lists