Message-Id: <20250124060740.356527-4-xiyou.wangcong@gmail.com>
Date: Thu, 23 Jan 2025 22:07:39 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: netdev@...r.kernel.org
Cc: jhs@...atatu.com,
	jiri@...nulli.us,
	quanglex97@...il.com,
	mincho@...ori.io,
	Cong Wang <cong.wang@...edance.com>,
	Martin Ottens <martin.ottens@....de>
Subject: [Patch net 3/4] netem: update sch->q.qlen before qdisc_tree_reduce_backlog()

From: Cong Wang <cong.wang@...edance.com>

qdisc_tree_reduce_backlog() notifies parent qdisc only if child
qdisc becomes empty, therefore we need to reduce the backlog of the
child qdisc before calling it. Otherwise it would become a nop and
result in UAF in DRR case (which is integrated in the following patch).

Fixes: f8d4bc455047 ("net/sched: netem: account for backlog updates from child qdisc")
Cc: Martin Ottens <martin.ottens@....de>
Reported-by: Mingi Cho <mincho@...ori.io>
Signed-off-by: Cong Wang <cong.wang@...edance.com>
---
 net/sched/sch_netem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 71ec9986ed37..fdd79d3ccd8c 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -749,9 +749,9 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
 				if (err != NET_XMIT_SUCCESS) {
 					if (net_xmit_drop_count(err))
 						qdisc_qstats_drop(sch);
-					qdisc_tree_reduce_backlog(sch, 1, pkt_len);
 					sch->qstats.backlog -= pkt_len;
 					sch->q.qlen--;
+					qdisc_tree_reduce_backlog(sch, 1, pkt_len);
 				}
 				goto tfifo_dequeue;
 			}
-- 
2.34.1

Powered by blists - more mailing lists