-
由 Toke Høiland-Jørgensen 提交于
stable inclusion from stable-v5.10.143 commit 2ead78fbe6b523e6232ad286e3c13d2a410de22a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5WF14 CVE: CVE-2022-3586 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=2ead78fbe6b523e6232ad286e3c13d2a410de22a -------------------------------- [ Upstream commit 2f09707d ] Cong Wang noticed that the previous fix for sch_sfb accessing the queued skb after enqueueing it to a child qdisc was incomplete: the SFB enqueue function was also calling qdisc_qstats_backlog_inc() after enqueue, which reads the pkt len from the skb cb field. Fix this by also storing the skb len, and using the stored value to increment the backlog after enqueueing. Fixes: 9efd2329 ("sch_sfb: Don't assume the skb is still around after enqueueing to child") Signed-off-by: NToke Høiland-Jørgensen <toke@toke.dk> Acked-by: NCong Wang <cong.wang@bytedance.com> Link: https://lore.kernel.org/r/20220905192137.965549-1-toke@toke.dkSigned-off-by: NPaolo Abeni <pabeni@redhat.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NGuo Mengqi <guomengqi3@huawei.com> Reviewed-by: Nchenweilong <chenweilong@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
a0cba34c