net_sched: Flush gso_skb list too during ->change()
[ Upstream commit 2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 ] Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines. Fixes:76e3cc126b("codel: Controlled Delay AQM") Fixes:4b549a2ef4("fq_codel: Fair Queue Codel AQM") Fixes:afe4fd0624("pkt_sched: fq: Fair Queue packet scheduler") Fixes:ec97ecf1eb("net: sched: add Flow Queue PIE packet scheduler") Fixes:10239edf86("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") Fixes:d4b36210c2("net: pkt_sched: PIE AQM scheme") Reported-by: Will <willsroot@protonmail.com> Reported-by: Savy <savy@syst3mfailure.io> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
committed by
Greg Kroah-Hartman
parent
28826a89fd
commit
d1365ca80b
@@ -1031,6 +1031,21 @@ static inline struct sk_buff *__qdisc_dequeue_head(struct qdisc_skb_head *qh)
|
||||
return skb;
|
||||
}
|
||||
|
||||
static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool direct)
|
||||
{
|
||||
struct sk_buff *skb;
|
||||
|
||||
skb = __skb_dequeue(&sch->gso_skb);
|
||||
if (skb) {
|
||||
sch->q.qlen--;
|
||||
return skb;
|
||||
}
|
||||
if (direct)
|
||||
return __qdisc_dequeue_head(&sch->q);
|
||||
else
|
||||
return sch->dequeue(sch);
|
||||
}
|
||||
|
||||
static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch)
|
||||
{
|
||||
struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
|
||||
|
||||
Reference in New Issue
Block a user