diff mbox series

[net] net: sched: Fix use after free in red_enqueue()

Message ID Y1vvnBnSVl976Pt3@kili (mailing list archive)
State Accepted
Commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9
Delegated to: Netdev Maintainers
Headers show
Series [net] net: sched: Fix use after free in red_enqueue() | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 18 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Dan Carpenter Oct. 28, 2022, 3:05 p.m. UTC 
We can't use "skb" again after passing it to qdisc_enqueue().  This is
basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb
len before calling child enqueue").

Fixes: d7f4f332f082 ("sch_red: update backlog as well")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Applies to net.

 net/sched/sch_red.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Eric Dumazet Oct. 28, 2022, 6:13 p.m. UTC | #1 
On Fri, Oct 28, 2022 at 8:05 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> We can't use "skb" again after passing it to qdisc_enqueue().  This is
> basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb
> len before calling child enqueue").
>
> Fixes: d7f4f332f082 ("sch_red: update backlog as well")

Reviewed-by: Eric Dumazet <edumazet@google.com>
patchwork-bot+netdevbpf@kernel.org Oct. 31, 2022, noon UTC | #2 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Fri, 28 Oct 2022 18:05:00 +0300 you wrote:
> We can't use "skb" again after passing it to qdisc_enqueue().  This is
> basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb
> len before calling child enqueue").
> 
> Fixes: d7f4f332f082 ("sch_red: update backlog as well")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> [...]

Here is the summary with links:
  - [net] net: sched: Fix use after free in red_enqueue()
    https://git.kernel.org/netdev/net/c/8bdc2acd420c

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index a5a401f93c1a..98129324e157 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -72,6 +72,7 @@  static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 {
 	struct red_sched_data *q = qdisc_priv(sch);
 	struct Qdisc *child = q->qdisc;
+	unsigned int len;
 	int ret;
 
 	q->vars.qavg = red_calc_qavg(&q->parms,
@@ -126,9 +127,10 @@  static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		break;
 	}
 
+	len = qdisc_pkt_len(skb);
 	ret = qdisc_enqueue(skb, child, to_free);
 	if (likely(ret == NET_XMIT_SUCCESS)) {
-		qdisc_qstats_backlog_inc(sch, skb);
+		sch->qstats.backlog += len;
 		sch->q.qlen++;
 	} else if (net_xmit_drop_count(ret)) {
 		q->stats.pdrop++;