From patchwork Fri Apr 21 01:29:21 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1771658
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-5.14 2/2, OEM-5.17 1/1] sch_sfb: Also store skb len before calling child enqueue
Date: Fri, 21 Apr 2023 04:29:21 +0300
Message-Id: <20230421012921.33113-3-cengiz.can@canonical.com>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20230421012921.33113-1-cengiz.can@canonical.com>
References: <20230421012921.33113-1-cengiz.can@canonical.com>

From: Toke Høiland-Jørgensen

Cong Wang noticed that the previous fix for sch_sfb accessing the queued skb after enqueueing it to a child qdisc was incomplete: the SFB enqueue function was also calling qdisc_qstats_backlog_inc() after enqueue, which reads the pkt len from the skb cb field.

Fix this by also storing the skb len, and using the stored value to increment the backlog after enqueueing.

Fixes: 9efd23297cca ("sch_sfb: Don't assume the skb is still around after enqueueing to child")
Signed-off-by: Toke Høiland-Jørgensen
Acked-by: Cong Wang
Link: https://lore.kernel.org/r/20220905192137.965549-1-toke@toke.dk
Signed-off-by: Paolo Abeni

CVE-2022-3586
(cherry picked from commit 2f09707d0c972120bf794cfe0f0c67e2c2ddb252)
Signed-off-by: Cengiz Can
--- net/sched/sch_sfb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c index e8f664ee2f27..c0feb158ab4e 100644 --- a/net/sched/sch_sfb.c +++ b/net/sched/sch_sfb.c 
@@ -281,6 +281,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, { struct sfb_sched_data *q = qdisc_priv(sch); + unsigned int len = qdisc_pkt_len(skb); struct Qdisc *child = q->qdisc; struct tcf_proto *fl; struct sfb_skb_cb cb; @@ -403,7 +404,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, memcpy(&cb, sfb_skb_cb(skb), sizeof(cb)); ret = qdisc_enqueue(skb, child, to_free); if (likely(ret == NET_XMIT_SUCCESS)) { - qdisc_qstats_backlog_inc(sch, skb); + sch->qstats.backlog += len; sch->q.qlen++; increment_qlen(&cb, q); } else if (net_xmit_drop_count(ret)) {
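Review bot: The new `unsigned int len = qdisc_pkt_len(skb);` in the first hunk (the declarations at the top of sfb_enqueue) is read at function entry, about 120 lines before the `qdisc_enqueue()` call where it is consumed, and nothing in the code says why the length is snapshotted. A one-line comment at the use site, next to the existing `memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));`, stating that skb must not be dereferenced once it has been handed to the child would keep a later cleanup from switching back to `qdisc_qstats_backlog_inc(sch, skb)`. Since the value is captured this early, it is also worth confirming that no path between entry and the child enqueue changes the packet length stored in the skb cb, otherwise the backlog would be incremented by a stale value.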
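Review bot: The second hunk only applies cleanly on top of the earlier fix, so the OEM-5.17 tree needs checking before this goes in as 1/1 there: the context lines `memcpy(&cb, sfb_skb_cb(skb), sizeof(cb));` and `increment_qlen(&cb, q);` are the saved-cb pattern that the Fixes: commit 9efd23297cca describes, and the subject line shows that prerequisite being sent only for OEM-5.14 (as 1/2). Separately, the hunk ends at `} else if (net_xmit_drop_count(ret)) {` with the branch body outside the visible context; that path also runs after `qdisc_enqueue()`, so the backport review should confirm it does not read from skb either. The replacement line `sch->qstats.backlog += len;` itself matches the commit message's intent of using the stored length.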