commit f6bab199315b70fd83fe3ee0947bc84c7a35f3d4
author Toke Høiland-Jørgensen <toke@redhat.com> Wed Jan 09 17:09:42 2019 +0100
committer David S. Miller <davem@davemloft.net> Tue Jan 15 20:12:00 2019 -0800
tree c662d696e0bfe2ee2be86cbdf0da095d9d6389ba
parent 80b3671e9377916bf2b02e56113fa7377ce5705a

sched: Avoid dereferencing skb pointer after child enqueue

Parent qdiscs may dereference the pointer to the enqueued skb after
enqueue. However, both CAKE and TBF call consume_skb() on the original skb
when splitting GSO packets, leading to a potential use-after-free in the
parent. Fix this by avoiding dereferencing the skb pointer after enqueueing
to the child.

Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/sched/sch_dsmark.c

diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
index f6f4807..4247146 100644
--- a/net/sched/sch_dsmark.c
+++ b/net/sched/sch_dsmark.c
@@ -199,6 +199,7 @@ static struct tcf_block *dsmark_tcf_block(struct Qdisc *sch, unsigned long cl,
 static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 			  struct sk_buff **to_free)
 {
+	unsigned int len = qdisc_pkt_len(skb);
 	struct dsmark_qdisc_data *p = qdisc_priv(sch);
 	int err;
 
@@ -271,7 +272,7 @@ static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		return err;
 	}
 
-	qdisc_qstats_backlog_inc(sch, skb);
+	sch->qstats.backlog += len;
 	sch->q.qlen++;
 
 	return NET_XMIT_SUCCESS;