Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b216cb54 authored by Toke Høiland-Jørgensen's avatar Toke Høiland-Jørgensen Committed by Greg Kroah-Hartman
Browse files

sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb 



[ Upstream commit 90fabae8a2c225c4e4936723c38857887edde5cc ]

When the GSO splitting feature of sch_cake is enabled, GSO superpackets
will be broken up and the resulting segments enqueued in place of the
original skb. In this case, CAKE calls consume_skb() on the original skb,
but still returns NET_XMIT_SUCCESS. This can confuse parent qdiscs into
assuming the original skb still exists, when it really has been freed. Fix
this by adding the __NET_XMIT_STOLEN flag to the return value in this case.

Fixes: 0c850344 ("sch_cake: Conditionally split GSO segments")
Signed-off-by: default avatarToke Høiland-Jørgensen <toke@toke.dk>
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231
Link: https://lore.kernel.org/r/20220831092103.442868-1-toke@toke.dk


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent a8a0c321

net/sched/sch_cake.c

+3 −1
Original line number Original line Diff line number Diff line
@@ -1666,6 +1666,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
	}

	}

	idx--;

	idx--;

	flow = &b->flows[idx];

	flow = &b->flows[idx];

	ret = NET_XMIT_SUCCESS;





	/* ensure shaper state isn't stale */

	/* ensure shaper state isn't stale */

	if (!b->tin_backlog) {

	if (!b->tin_backlog) {
@@ -1726,6 +1727,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, 




		qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen);

		qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen);

		consume_skb(skb);

		consume_skb(skb);

		ret |= __NET_XMIT_STOLEN;

	} else {

	} else {

		/* not splitting */

		/* not splitting */

		cobalt_set_enqueue_time(skb, now);

		cobalt_set_enqueue_time(skb, now);
@@ -1849,7 +1851,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, 
		}

		}

		b->drop_overlimit += dropped;

		b->drop_overlimit += dropped;

	}

	}

	return NET_XMIT_SUCCESS;

	return ret;

}

}





static struct sk_buff *cake_dequeue_one(struct Qdisc *sch)

static struct sk_buff *cake_dequeue_one(struct Qdisc *sch)