From patchwork Fri Apr 21 01:34:06 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1771661
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-5.14, OEM-5.17 1/1] net: sched: Fix use after free in red_enqueue()
Date: Fri, 21 Apr 2023 04:34:06 +0300
Message-Id: <20230421013406.33564-2-cengiz.can@canonical.com>
In-Reply-To: <20230421013406.33564-1-cengiz.can@canonical.com>
References: <20230421013406.33564-1-cengiz.can@canonical.com>

From: Dan Carpenter

BugLink: https://bugs.launchpad.net/bugs/2017013

We can't use "skb" again after passing it to qdisc_enqueue(). This is basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb len before calling child enqueue").

Fixes: d7f4f332f082 ("sch_red: update backlog as well")
Signed-off-by: Dan Carpenter
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
(cherry picked from commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9)
Signed-off-by: Cengiz Can
Acked-by: Andrei Gherzan
---
 net/sched/sch_red.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c index 40adf1f07a82..b310842b4225 100644 --- a/net/sched/sch_red.c +++ b/net/sched/sch_red.c @@ -72,6 +72,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch, { struct red_sched_data *q = qdisc_priv(sch); struct Qdisc *child = q->qdisc; + unsigned int len; int ret; q->vars.qavg = red_calc_qavg(&q->parms, 
@@ -126,9 +127,10 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch, break; } + len = qdisc_pkt_len(skb); ret = qdisc_enqueue(skb, child, to_free); if (likely(ret == NET_XMIT_SUCCESS)) { - qdisc_qstats_backlog_inc(sch, skb); + sch->qstats.backlog += len; sch->q.qlen++; } else if (net_xmit_drop_count(ret)) { q->stats.pdrop++;
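
Review bot: the added "len = qdisc_pkt_len(skb);" in the second hunk, directly above "ret = qdisc_enqueue(skb, child, to_free);", carries no comment explaining why the length is read before the enqueue, so a later cleanup could fold it back into qdisc_qstats_backlog_inc(sch, skb) and restore the post-enqueue read of skb that the commit message rules out. Suggest a one-line comment above the assignment stating that skb must not be dereferenced once it has been handed to the child qdisc. The success branch now reads only the cached value ("sch->qstats.backlog += len;"), and the visible "else if (net_xmit_drop_count(ret))" branch touches only q->stats.pdrop, so no other use of skb after the enqueue appears in the lines shown; the rest of that branch is cut off here and should be checked in the full file.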