sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb
authorToke Høiland-Jørgensen <toke@toke.dk>
Wed, 31 Aug 2022 09:21:03 +0000 (11:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Sep 2022 10:28:03 +0000 (12:28 +0200)
[ Upstream commit 90fabae8a2c225c4e4936723c38857887edde5cc ]

When the GSO splitting feature of sch_cake is enabled, GSO superpackets
will be broken up and the resulting segments enqueued in place of the
original skb. In this case, CAKE calls consume_skb() on the original skb,
but still returns NET_XMIT_SUCCESS. This can confuse parent qdiscs into
assuming the original skb still exists, when it really has been freed. Fix
this by adding the __NET_XMIT_STOLEN flag to the return value in this case.

Fixes: 0c850344d388 ("sch_cake: Conditionally split GSO segments")
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231
Link: https://lore.kernel.org/r/20220831092103.442868-1-toke@toke.dk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/sched/sch_cake.c

index 857aaebd49f4315502928fb1f75d2c85eb63eb51..6944c669731c4bbc0686dc8713a3acf05a2ef49a 100644 (file)
@@ -1713,6 +1713,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
        }
        idx--;
        flow = &b->flows[idx];
+       ret = NET_XMIT_SUCCESS;
 
        /* ensure shaper state isn't stale */
        if (!b->tin_backlog) {
@@ -1771,6 +1772,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 
                qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen);
                consume_skb(skb);
+               ret |= __NET_XMIT_STOLEN;
        } else {
                /* not splitting */
                cobalt_set_enqueue_time(skb, now);
@@ -1904,7 +1906,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                }
                b->drop_overlimit += dropped;
        }
-       return NET_XMIT_SUCCESS;
+       return ret;
 }
 
 static struct sk_buff *cake_dequeue_one(struct Qdisc *sch)