From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Dan Carpenter <dan.carpenter@oracle.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 08/30] net: sched: Fix use after free in red_enqueue()
Date: Tue, 8 Nov 2022 14:38:56 +0100 [thread overview]
Message-ID: <20221108133327.003687785@linuxfoundation.org> (raw)
In-Reply-To: <20221108133326.715586431@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9 ]
We can't use "skb" again after passing it to qdisc_enqueue(). This is
basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb
len before calling child enqueue").
Fixes: d7f4f332f082 ("sch_red: update backlog as well")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_red.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index d6abf5c5a5b8..27142950827a 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -61,6 +61,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
{
struct red_sched_data *q = qdisc_priv(sch);
struct Qdisc *child = q->qdisc;
+ unsigned int len;
int ret;
q->vars.qavg = red_calc_qavg(&q->parms,
@@ -96,9 +97,10 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
break;
}
+ len = qdisc_pkt_len(skb);
ret = qdisc_enqueue(skb, child, to_free);
if (likely(ret == NET_XMIT_SUCCESS)) {
- qdisc_qstats_backlog_inc(sch, skb);
+ sch->qstats.backlog += len;
sch->q.qlen++;
} else if (net_xmit_drop_count(ret)) {
q->stats.pdrop++;
--
2.35.1
next prev parent reply other threads:[~2022-11-08 13:41 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-08 13:38 [PATCH 4.9 00/30] 4.9.333-rc1 review Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 01/30] NFSv4.1: Handle RECLAIM_COMPLETE trunking errors Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 02/30] NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 03/30] nfs4: Fix kmemleak when allocate slot failed Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 04/30] nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 05/30] nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 06/30] net: fec: fix improper use of NETDEV_TX_BUSY Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 07/30] ata: pata_legacy: fix pdc20230_set_piomode() Greg Kroah-Hartman
2022-11-08 13:38 ` Greg Kroah-Hartman [this message]
2022-11-08 13:38 ` [PATCH 4.9 09/30] ipvs: use explicitly signed chars Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 10/30] rose: Fix NULL pointer dereference in rose_send_frame() Greg Kroah-Hartman
2022-11-08 13:38 ` [PATCH 4.9 11/30] mISDN: fix possible memory leak in mISDN_register_device() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 12/30] isdn: mISDN: netjet: fix wrong check of device registration Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 13/30] btrfs: fix ulist leaks in error paths of qgroup self tests Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 14/30] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 15/30] Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 16/30] net: mdio: fix undefined behavior in bit shift for __mdiobus_register Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 17/30] media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 18/30] media: dvb-frontends/drxk: initialize err to 0 Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 19/30] i2c: xiic: Add platform module alias Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 20/30] Bluetooth: L2CAP: Fix attempting to access uninitialized memory Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 21/30] btrfs: fix type of parameter generation in btrfs_get_dentry Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 22/30] ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 23/30] parisc: Make 8250_gsc driver dependend on CONFIG_PARISC Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 24/30] parisc: Export iosapic_serial_irq() symbol for serial port driver Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 25/30] ext4: fix warning in ext4_da_release_space Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 26/30] KVM: x86: Mask off reserved bits in CPUID.80000008H Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 27/30] KVM: x86: emulator: em_sysexit should update ctxt->mode Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 28/30] KVM: x86: emulator: introduce emulator_recalc_and_set_mode Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 29/30] KVM: x86: emulator: update the emulation mode after CR0 write Greg Kroah-Hartman
2022-11-08 13:39 ` [PATCH 4.9 30/30] wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() Greg Kroah-Hartman
2022-11-08 15:14 ` [PATCH 4.9 00/30] 4.9.333-rc1 review Pavel Machek
2022-11-08 18:43 ` Florian Fainelli
2022-11-09 2:58 ` Guenter Roeck
2022-11-09 10:47 ` Jon Hunter
2022-11-09 12:31 ` Naresh Kamboju
2022-11-10 1:59 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221108133327.003687785@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.