Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f6bab199 authored by Toke Høiland-Jørgensen's avatar Toke Høiland-Jørgensen Committed by David S. Miller
Browse files

sched: Avoid dereferencing skb pointer after child enqueue 



Parent qdiscs may dereference the pointer to the enqueued skb after
enqueue. However, both CAKE and TBF call consume_skb() on the original skb
when splitting GSO packets, leading to a potential use-after-free in the
parent. Fix this by avoiding dereferencing the skb pointer after enqueueing
to the child.

Signed-off-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 80b3671e

net/sched/sch_cbs.c

+2 −1
Original line number Diff line number Diff line
@@ -88,13 +88,14 @@ static int cbs_child_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
			     struct Qdisc *child,

			     struct sk_buff **to_free)

{

	unsigned int len = qdisc_pkt_len(skb);

	int err;



	err = child->ops->enqueue(skb, child, to_free);

	if (err != NET_XMIT_SUCCESS)

		return err;



	qdisc_qstats_backlog_inc(sch, skb);

	sch->qstats.backlog += len;

	sch->q.qlen++;



	return NET_XMIT_SUCCESS;

net/sched/sch_drr.c

+2 −1
Original line number Diff line number Diff line
@@ -350,6 +350,7 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch, 
static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch,

		       struct sk_buff **to_free)

{

	unsigned int len = qdisc_pkt_len(skb);

	struct drr_sched *q = qdisc_priv(sch);

	struct drr_class *cl;

	int err = 0;
@@ -376,7 +377,7 @@ static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
		cl->deficit = cl->quantum;

	}



	qdisc_qstats_backlog_inc(sch, skb);

	sch->qstats.backlog += len;

	sch->q.qlen++;

	return err;

}

net/sched/sch_dsmark.c

+2 −1
Original line number Diff line number Diff line
@@ -199,6 +199,7 @@ static struct tcf_block *dsmark_tcf_block(struct Qdisc *sch, unsigned long cl, 
static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch,

			  struct sk_buff **to_free)

{

	unsigned int len = qdisc_pkt_len(skb);

	struct dsmark_qdisc_data *p = qdisc_priv(sch);

	int err;
@@ -271,7 +272,7 @@ static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
		return err;

	}



	qdisc_qstats_backlog_inc(sch, skb);

	sch->qstats.backlog += len;

	sch->q.qlen++;



	return NET_XMIT_SUCCESS;

net/sched/sch_hfsc.c

+2 −3
Original line number Diff line number Diff line
@@ -1539,6 +1539,7 @@ hfsc_dump_qdisc(struct Qdisc *sch, struct sk_buff *skb) 
static int

hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)

{

	unsigned int len = qdisc_pkt_len(skb);

	struct hfsc_class *cl;

	int uninitialized_var(err);
@@ -1560,8 +1561,6 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) 
	}



	if (cl->qdisc->q.qlen == 1) {

		unsigned int len = qdisc_pkt_len(skb);



		if (cl->cl_flags & HFSC_RSC)

			init_ed(cl, len);

		if (cl->cl_flags & HFSC_FSC)
@@ -1576,7 +1575,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) 


	}



	qdisc_qstats_backlog_inc(sch, skb);

	sch->qstats.backlog += len;

	sch->q.qlen++;



	return NET_XMIT_SUCCESS;

net/sched/sch_htb.c

+2 −1
Original line number Diff line number Diff line
@@ -581,6 +581,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
		       struct sk_buff **to_free)

{

	int uninitialized_var(ret);

	unsigned int len = qdisc_pkt_len(skb);

	struct htb_sched *q = qdisc_priv(sch);

	struct htb_class *cl = htb_classify(skb, sch, &ret);
@@ -610,7 +611,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
		htb_activate(q, cl);

	}



	qdisc_qstats_backlog_inc(sch, skb);

	sch->qstats.backlog += len;

	sch->q.qlen++;

	return NET_XMIT_SUCCESS;

}