sched: Avoid dereferencing skb pointer after child enqueue

bmastbergen · bmastbergen · commit 24ea45886651 · 2025-10-28T09:19:18.000-04:00
jira VULN-68349 cve-pre CVE-2025-38000 commit-author Toke Høiland-Jørgensen <toke@redhat.com> commit f6bab19 upstream-diff No changes were made to sch_cbs.c because it doesn't support child qdiscs in this kernel because it lacks "990e35ecba1c cbs: Add support for graft function" Parent qdiscs may dereference the pointer to the enqueued skb after enqueue. However, both CAKE and TBF call consume_skb() on the original skb when splitting GSO packets, leading to a potential use-after-free in the parent. Fix this by avoiding dereferencing the skb pointer after enqueueing to the child. Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit f6bab19) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
@@ -336,6 +336,7 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
 static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		       struct sk_buff **to_free)
 {
+	unsigned int len = qdisc_pkt_len(skb);
 	struct drr_sched *q = qdisc_priv(sch);
 	struct drr_class *cl;
 	int err = 0;
@@ -362,7 +363,7 @@ static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		cl->deficit = cl->quantum;
 	}
 
-	qdisc_qstats_backlog_inc(sch, skb);
+	sch->qstats.backlog += len;
 	sch->q.qlen++;
 	return err;
 }
diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
@@ -196,6 +196,7 @@ static struct tcf_block *dsmark_tcf_block(struct Qdisc *sch, unsigned long cl)
 static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 			  struct sk_buff **to_free)
 {
+	unsigned int len = qdisc_pkt_len(skb);
 	struct dsmark_qdisc_data *p = qdisc_priv(sch);
 	int err;
 
@@ -268,7 +269,7 @@ static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		return err;
 	}
 
-	qdisc_qstats_backlog_inc(sch, skb);
+	sch->qstats.backlog += len;
 	sch->q.qlen++;
 
 	return NET_XMIT_SUCCESS;
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
@@ -1552,6 +1552,7 @@ hfsc_dump_qdisc(struct Qdisc *sch, struct sk_buff *skb)
 static int
 hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 {
+	unsigned int len = qdisc_pkt_len(skb);
 	struct hfsc_class *cl;
 	int uninitialized_var(err);
 
@@ -1573,8 +1574,6 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 	}
 
 	if (cl->qdisc->q.qlen == 1) {
-		unsigned int len = qdisc_pkt_len(skb);
-
 		if (cl->cl_flags & HFSC_RSC)
 			init_ed(cl, len);
 		if (cl->cl_flags & HFSC_FSC)
@@ -1589,7 +1588,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 
 	}
 
-	qdisc_qstats_backlog_inc(sch, skb);
+	sch->qstats.backlog += len;
 	sch->q.qlen++;
 
 	return NET_XMIT_SUCCESS;
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
@@ -597,6 +597,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		       struct sk_buff **to_free)
 {
 	int uninitialized_var(ret);
+	unsigned int len = qdisc_pkt_len(skb);
 	struct htb_sched *q = qdisc_priv(sch);
 	struct htb_class *cl = htb_classify(skb, sch, &ret);
 
@@ -626,7 +627,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		htb_activate(q, cl);
 	}
 
-	qdisc_qstats_backlog_inc(sch, skb);
+	sch->qstats.backlog += len;
 	sch->q.qlen++;
 	return NET_XMIT_SUCCESS;
 }
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
@@ -71,6 +71,7 @@ prio_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
 static int
 prio_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 {
+	unsigned int len = qdisc_pkt_len(skb);
 	struct Qdisc *qdisc;
 	int ret;
 
@@ -87,7 +88,7 @@ prio_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 
 	ret = qdisc_enqueue(skb, qdisc, to_free);
 	if (ret == NET_XMIT_SUCCESS) {
-		qdisc_qstats_backlog_inc(sch, skb);
+		sch->qstats.backlog += len;
 		sch->q.qlen++;
 		return NET_XMIT_SUCCESS;
 	}
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
@@ -1233,6 +1233,7 @@ static struct qfq_aggregate *qfq_choose_next_agg(struct qfq_sched *q)
 static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		       struct sk_buff **to_free)
 {
+	unsigned int len = qdisc_pkt_len(skb), gso_segs;
 	struct qfq_sched *q = qdisc_priv(sch);
 	struct qfq_class *cl;
 	struct qfq_aggregate *agg;
@@ -1247,17 +1248,17 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 	}
 	pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid);
 
-	if (unlikely(cl->agg->lmax < qdisc_pkt_len(skb))) {
+	if (unlikely(cl->agg->lmax < len)) {
 		pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
-			 cl->agg->lmax, qdisc_pkt_len(skb), cl->common.classid);
-		err = qfq_change_agg(sch, cl, cl->agg->class_weight,
-				     qdisc_pkt_len(skb));
+			 cl->agg->lmax, len, cl->common.classid);
+		err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
 		if (err) {
 			cl->qstats.drops++;
 			return qdisc_drop(skb, sch, to_free);
 		}
 	}
 
+	gso_segs = skb_is_gso(skb) ? skb_shinfo(skb)->gso_segs : 1;
 	err = qdisc_enqueue(skb, cl->qdisc, to_free);
 	if (unlikely(err != NET_XMIT_SUCCESS)) {
 		pr_debug("qfq_enqueue: enqueue failed %d\n", err);
@@ -1268,16 +1269,17 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		return err;
 	}
 
-	bstats_update(&cl->bstats, skb);
-	qdisc_qstats_backlog_inc(sch, skb);
+	cl->bstats.bytes += len;
+	cl->bstats.packets += gso_segs;
+	sch->qstats.backlog += len;
 	++sch->q.qlen;
 
 	agg = cl->agg;
 	/* if the queue was not empty, then done here */
 	if (cl->qdisc->q.qlen != 1) {
 		if (unlikely(skb == cl->qdisc->ops->peek(cl->qdisc)) &&
 		    list_first_entry(&agg->active, struct qfq_class, alist)
-		    == cl && cl->deficit < qdisc_pkt_len(skb))
+		    == cl && cl->deficit < len)
 			list_move_tail(&cl->alist, &agg->active);
 
 		return err;
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
@@ -185,6 +185,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		       struct sk_buff **to_free)
 {
 	struct tbf_sched_data *q = qdisc_priv(sch);
+	unsigned int len = qdisc_pkt_len(skb);
 	int ret;
 
 	if (qdisc_pkt_len(skb) > q->max_size) {
@@ -199,7 +200,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		return ret;
 	}
 
-	qdisc_qstats_backlog_inc(sch, skb);
+	sch->qstats.backlog += len;
 	sch->q.qlen++;
 	return NET_XMIT_SUCCESS;
 }

Original file line number	Diff line number	Diff line change
`@@ -336,6 +336,7 @@ static struct drr_class drr_classify(struct sk_buff skb, struct Qdisc *sch,`
`336`	`336`	`static int drr_enqueue(struct sk_buff skb, struct Qdisc sch,`
`337`	`337`	`struct sk_buff **to_free)`
`338`	`338`	`{`
	`339`	`+ unsigned int len = qdisc_pkt_len(skb);`
`339`	`340`	`struct drr_sched *q = qdisc_priv(sch);`
`340`	`341`	`struct drr_class *cl;`
`341`	`342`	`int err = 0;`
`@@ -362,7 +363,7 @@ static int drr_enqueue(struct sk_buff skb, struct Qdisc sch,`
`362`	`363`	`cl->deficit = cl->quantum;`
`363`	`364`	`}`
`364`	`365`
`365`		`- qdisc_qstats_backlog_inc(sch, skb);`
	`366`	`+ sch->qstats.backlog += len;`
`366`	`367`	`sch->q.qlen++;`
`367`	`368`	`return err;`
`368`	`369`	`}`
Original file line number	Diff line number	Diff line change
`@@ -196,6 +196,7 @@ static struct tcf_block dsmark_tcf_block(struct Qdisc sch, unsigned long cl)`
`196`	`196`	`static int dsmark_enqueue(struct sk_buff skb, struct Qdisc sch,`
`197`	`197`	`struct sk_buff **to_free)`
`198`	`198`	`{`
	`199`	`+ unsigned int len = qdisc_pkt_len(skb);`
`199`	`200`	`struct dsmark_qdisc_data *p = qdisc_priv(sch);`
`200`	`201`	`int err;`
`201`	`202`
`@@ -268,7 +269,7 @@ static int dsmark_enqueue(struct sk_buff skb, struct Qdisc sch,`
`268`	`269`	`return err;`
`269`	`270`	`}`
`270`	`271`
`271`		`- qdisc_qstats_backlog_inc(sch, skb);`
	`272`	`+ sch->qstats.backlog += len;`
`272`	`273`	`sch->q.qlen++;`
`273`	`274`
`274`	`275`	`return NET_XMIT_SUCCESS;`
Original file line number	Diff line number	Diff line change
`@@ -1552,6 +1552,7 @@ hfsc_dump_qdisc(struct Qdisc sch, struct sk_buff skb)`
`1552`	`1552`	`static int`
`1553`	`1553`	`hfsc_enqueue(struct sk_buff skb, struct Qdisc sch, struct sk_buff **to_free)`
`1554`	`1554`	`{`
	`1555`	`+ unsigned int len = qdisc_pkt_len(skb);`
`1555`	`1556`	`struct hfsc_class *cl;`
`1556`	`1557`	`int uninitialized_var(err);`
`1557`	`1558`
`@@ -1573,8 +1574,6 @@ hfsc_enqueue(struct sk_buff skb, struct Qdisc sch, struct sk_buff **to_free)`
`1573`	`1574`	`}`
`1574`	`1575`
`1575`	`1576`	`if (cl->qdisc->q.qlen == 1) {`
`1576`		`- unsigned int len = qdisc_pkt_len(skb);`
`1577`		`-`
`1578`	`1577`	`if (cl->cl_flags & HFSC_RSC)`
`1579`	`1578`	`init_ed(cl, len);`
`1580`	`1579`	`if (cl->cl_flags & HFSC_FSC)`
`@@ -1589,7 +1588,7 @@ hfsc_enqueue(struct sk_buff skb, struct Qdisc sch, struct sk_buff **to_free)`
`1589`	`1588`
`1590`	`1589`	`}`
`1591`	`1590`
`1592`		`- qdisc_qstats_backlog_inc(sch, skb);`
	`1591`	`+ sch->qstats.backlog += len;`
`1593`	`1592`	`sch->q.qlen++;`
`1594`	`1593`
`1595`	`1594`	`return NET_XMIT_SUCCESS;`
Original file line number	Diff line number	Diff line change
`@@ -597,6 +597,7 @@ static int htb_enqueue(struct sk_buff skb, struct Qdisc sch,`
`597`	`597`	`struct sk_buff **to_free)`
`598`	`598`	`{`
`599`	`599`	`int uninitialized_var(ret);`
	`600`	`+ unsigned int len = qdisc_pkt_len(skb);`
`600`	`601`	`struct htb_sched *q = qdisc_priv(sch);`
`601`	`602`	`struct htb_class *cl = htb_classify(skb, sch, &ret);`
`602`	`603`
`@@ -626,7 +627,7 @@ static int htb_enqueue(struct sk_buff skb, struct Qdisc sch,`
`626`	`627`	`htb_activate(q, cl);`
`627`	`628`	`}`
`628`	`629`
`629`		`- qdisc_qstats_backlog_inc(sch, skb);`
	`630`	`+ sch->qstats.backlog += len;`
`630`	`631`	`sch->q.qlen++;`
`631`	`632`	`return NET_XMIT_SUCCESS;`
`632`	`633`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,7 @@ prio_classify(struct sk_buff skb, struct Qdisc sch, int *qerr)`
`71`	`71`	`static int`
`72`	`72`	`prio_enqueue(struct sk_buff skb, struct Qdisc sch, struct sk_buff **to_free)`
`73`	`73`	`{`
	`74`	`+ unsigned int len = qdisc_pkt_len(skb);`
`74`	`75`	`struct Qdisc *qdisc;`
`75`	`76`	`int ret;`
`76`	`77`
`@@ -87,7 +88,7 @@ prio_enqueue(struct sk_buff skb, struct Qdisc sch, struct sk_buff **to_free)`
`87`	`88`
`88`	`89`	`ret = qdisc_enqueue(skb, qdisc, to_free);`
`89`	`90`	`if (ret == NET_XMIT_SUCCESS) {`
`90`		`- qdisc_qstats_backlog_inc(sch, skb);`
	`91`	`+ sch->qstats.backlog += len;`
`91`	`92`	`sch->q.qlen++;`
`92`	`93`	`return NET_XMIT_SUCCESS;`
`93`	`94`	`}`
Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,7 @@ static int tbf_enqueue(struct sk_buff skb, struct Qdisc sch,`
`185`	`185`	`struct sk_buff **to_free)`
`186`	`186`	`{`
`187`	`187`	`struct tbf_sched_data *q = qdisc_priv(sch);`
	`188`	`+ unsigned int len = qdisc_pkt_len(skb);`
`188`	`189`	`int ret;`
`189`	`190`
`190`	`191`	`if (qdisc_pkt_len(skb) > q->max_size) {`
`@@ -199,7 +200,7 @@ static int tbf_enqueue(struct sk_buff skb, struct Qdisc sch,`
`199`	`200`	`return ret;`
`200`	`201`	`}`
`201`	`202`
`202`		`- qdisc_qstats_backlog_inc(sch, skb);`
	`203`	`+ sch->qstats.backlog += len;`
`203`	`204`	`sch->q.qlen++;`
`204`	`205`	`return NET_XMIT_SUCCESS;`
`205`	`206`	`}`