Commit 62daba85 authored by Toke Høiland-Jørgensen, committed by Yongqiang Liu

sch_sfb: Also store skb len before calling child enqueue

stable inclusion
from stable-v4.19.258
commit 5dac9b60b48ce8a3cd498c5680e8b5f0f4034461
category: bugfix
bugzilla: 187862, https://gitee.com/src-openeuler/kernel/issues/I5WF14


CVE: CVE-2022-3586

--------------------------------

[ Upstream commit 2f09707d0c972120bf794cfe0f0c67e2c2ddb252 ]

Cong Wang noticed that the previous fix for sch_sfb accessing the queued
skb after enqueueing it to a child qdisc was incomplete: the SFB enqueue
function was also calling qdisc_qstats_backlog_inc() after enqueue, which
reads the pkt len from the skb cb field. Fix this by also storing the skb
len, and using the stored value to increment the backlog after enqueueing.

Fixes: 9efd23297cca ("sch_sfb: Don't assume the skb is still around after enqueueing to child")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Acked-by: Cong Wang <cong.wang@bytedance.com>
Link: https://lore.kernel.org/r/20220905192137.965549-1-toke@toke.dk


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>
Reviewed-by: chenweilong <chenweilong@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
parent bd2d1f5d
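
The ownership pattern the commit message describes, as an added user-space C model (not the kernel patch and not code from this page): the parent copies the packet length before handing the packet to a child that may free it, then accounts its backlog from the copy. All struct and function names are hypothetical stand-ins, and the packet sizes are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model. All names here are hypothetical stand-ins, not kernel APIs. */
struct pkt { unsigned int len; };   /* stands in for the skb and its stored pkt len */
struct queue { unsigned int backlog, qlen, limit; };
enum { ENQ_OK, ENQ_DROP };

static struct pkt *pkt_new(unsigned int len)
{
    struct pkt *p = malloc(sizeof(*p));
    if (!p) abort();
    p->len = len;
    return p;
}

/* The child owns the packet once it is handed over. This model frees it on
 * every path, so the caller can never assume it is still around afterwards. */
static int child_enqueue(struct queue *child, struct pkt *p)
{
    int ok = child->qlen < child->limit;
    if (ok) {
        child->qlen++;
        child->backlog += p->len;
    }
    free(p);
    return ok ? ENQ_OK : ENQ_DROP;
}

static int parent_enqueue(struct queue *parent, struct queue *child, struct pkt *p)
{
    unsigned int len = p->len;          /* store the length while p is still ours */
    int ret = child_enqueue(child, p);  /* p may be freed from here on */
    if (ret == ENQ_OK) {
        parent->qlen++;
        parent->backlog += len;         /* not p->len: that would read freed memory */
    }
    return ret;
}

/* Constructed input: three packets, child limit of two, so the third is dropped. */
unsigned int demo_backlog(void)
{
    struct queue parent = {0, 0, 0}, child = {0, 0, 2};
    unsigned int sizes[] = {100, 200, 300};
    for (int i = 0; i < 3; i++)
        parent_enqueue(&parent, &child, pkt_new(sizes[i]));
    return parent.backlog;
}
int main(void) { printf("parent backlog: %u\n", demo_backlog()); return 0; }
```

Building the model with `-fsanitize=address` and swapping `len` for `p->len` in `parent_enqueue` makes the sanitizer report the read of freed memory.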