Commit 7a02ea65027523386ab4ba4af0ab93497b3073df
Committed by
David S. Miller
David S. Miller
1 parent
86b18aaa2b
net: sched: prevent a use after free
The bug is that we call kfree_skb(skb) and then pass "skb" to qdisc_pkt_len(skb) on the next line, which is a use after free. Also Cong Wang points out that it's better to delay the actual frees until we drop the rtnl lock so we should use rtnl_kfree_skbs() instead of kfree_skb(). Cc: Cong Wang <xiyou.wangcong@gmail.com> Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
net/sched/sch_fq_pie.c
| ... | ... | @@ -349,9 +349,9 @@ |
| 349 | 349 | while (sch->q.qlen > sch->limit) { |
| 350 | 350 | struct sk_buff *skb = fq_pie_qdisc_dequeue(sch); |
| 351 | 351 | |
| 352 | - kfree_skb(skb); | |
| 353 | 352 | len_dropped += qdisc_pkt_len(skb); |
| 354 | 353 | num_dropped += 1; |
| 354 | + rtnl_kfree_skbs(skb, skb); | |
| 355 | 355 | } |
| 356 | 356 | qdisc_tree_reduce_backlog(sch, num_dropped, len_dropped); |
| 357 | 357 |