Commit a0cba34c, author: Toke Høiland-Jørgensen, committer: Zheng Zengkai

sch_sfb: Also store skb len before calling child enqueue

stable inclusion
from stable-v5.10.143
commit 2ead78fbe6b523e6232ad286e3c13d2a410de22a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5WF14
CVE: CVE-2022-3586

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=2ead78fbe6b523e6232ad286e3c13d2a410de22a

--------------------------------

[ Upstream commit 2f09707d ]

Cong Wang noticed that the previous fix for sch_sfb accessing the queued
skb after enqueueing it to a child qdisc was incomplete: the SFB enqueue
function was also calling qdisc_qstats_backlog_inc() after enqueue, which
reads the pkt len from the skb cb field. Fix this by also storing the skb
len, and using the stored value to increment the backlog after enqueueing.

Fixes: 9efd2329 ("sch_sfb: Don't assume the skb is still around after enqueueing to child")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Acked-by: Cong Wang <cong.wang@bytedance.com>
Link: https://lore.kernel.org/r/20220905192137.965549-1-toke@toke.dk
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>
Reviewed-by: chenweilong <chenweilong@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
Parent a98edd65
...@@ -281,6 +281,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, ...@@ -281,6 +281,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
{ {
struct sfb_sched_data *q = qdisc_priv(sch); struct sfb_sched_data *q = qdisc_priv(sch);
unsigned int len = qdisc_pkt_len(skb);
struct Qdisc *child = q->qdisc; struct Qdisc *child = q->qdisc;
struct tcf_proto *fl; struct tcf_proto *fl;
struct sfb_skb_cb cb; struct sfb_skb_cb cb;
...@@ -403,7 +404,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, ...@@ -403,7 +404,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
memcpy(&cb, sfb_skb_cb(skb), sizeof(cb)); memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));
ret = qdisc_enqueue(skb, child, to_free); ret = qdisc_enqueue(skb, child, to_free);
if (likely(ret == NET_XMIT_SUCCESS)) { if (likely(ret == NET_XMIT_SUCCESS)) {
qdisc_qstats_backlog_inc(sch, skb); sch->qstats.backlog += len;
sch->q.qlen++; sch->q.qlen++;
increment_qlen(&cb, q); increment_qlen(&cb, q);
} else if (net_xmit_drop_count(ret)) { } else if (net_xmit_drop_count(ret)) {
......
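Review bot: In the success branch, "sch->qstats.backlog += len;" open-codes what qdisc_qstats_backlog_inc(sch, skb) used to do, and nothing at the call site says why, so a later cleanup could easily restore the helper and reintroduce the read of skb after qdisc_enqueue(). A short comment above the qdisc_enqueue(skb, child, to_free) call noting that only the saved cb and len may be used from that point on would guard against that. The "else if (net_xmit_drop_count(ret))" branch is cut off in this view, so its body should be checked for any remaining use of skb as well.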