|
|
675592 |
From 84eda7845563ee9c0cc215fe9d0a3c67cb4903fd Mon Sep 17 00:00:00 2001
|
|
|
675592 |
From: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
675592 |
Date: Thu, 1 Feb 2024 14:36:30 -0500
|
|
|
675592 |
Subject: [KPATCH CVE-2023-4921] kpatch fixes for CVE-2023-4921
|
|
|
675592 |
|
|
|
675592 |
Kernels:
|
|
|
675592 |
3.10.0-1160.95.1.el7
|
|
|
675592 |
3.10.0-1160.99.1.el7
|
|
|
675592 |
3.10.0-1160.102.1.el7
|
|
|
675592 |
3.10.0-1160.105.1.el7
|
|
|
675592 |
3.10.0-1160.108.1.el7
|
|
|
675592 |
|
|
|
675592 |
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/67
|
|
|
675592 |
Approved-by: Joe Lawrence (@joe.lawrence)
|
|
|
675592 |
Changes since last build:
|
|
|
675592 |
[x86_64]:
|
|
|
675592 |
igb_main.o: changed function: igb_configure
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_hold
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_conn_get
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_global_chan_by_psm
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_recv_frame
|
|
|
675592 |
l2cap_core.o: new function: klp_l2cap_le_sig_cmd
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_peek
|
|
|
675592 |
sch_atm.o: changed function: sch_atm_dequeue
|
|
|
675592 |
sch_drr.o: changed function: drr_dequeue
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_peek
|
|
|
675592 |
sch_hfsc.o: changed function: hfsc_enqueue
|
|
|
675592 |
sch_hfsc.o: changed function: qdisc_peek_len
|
|
|
675592 |
sch_multiq.o: changed function: multiq_peek
|
|
|
675592 |
sch_prio.o: changed function: prio_peek
|
|
|
675592 |
sch_qfq.o: changed function: qfq_change_class
|
|
|
675592 |
sch_qfq.o: changed function: qfq_dequeue
|
|
|
675592 |
sch_red.o: changed function: red_peek
|
|
|
675592 |
sch_sfb.o: changed function: sfb_peek
|
|
|
675592 |
sch_tbf.o: changed function: tbf_dequeue
|
|
|
675592 |
|
|
|
675592 |
[ppc64le]:
|
|
|
675592 |
l2cap_core.o: changed function: __l2cap_chan_add
|
|
|
675592 |
l2cap_core.o: changed function: __l2cap_physical_cfm
|
|
|
675592 |
l2cap_core.o: changed function: __set_monitor_timer
|
|
|
675592 |
l2cap_core.o: changed function: __set_retrans_timer.part.24
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_ack_timeout
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_build_conf_req
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_busy
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_close
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_connect
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_del
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_hold
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_put
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_send
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_chan_timeout
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_conn_add.part.28
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_conn_del
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_conn_start
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_connect
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_connect_cfm
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_connect_create_rsp
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_data_channel
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_disconn_cfm
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_do_create
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_do_start
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_ertm_resend
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_ertm_send
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_global_fixed_chan
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_handle_rej
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_handle_srej
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_logical_cfm
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_monitor_timeout
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_move_done
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_move_setup
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_pass_to_tx
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_process_reqseq
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_recv_frame
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_retrans_timeout
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_retransmit_all
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_rx
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_rx_state_recv
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_security_cfm
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_ack
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_efs_conf_rsp
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_move_chan_cfm
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_move_chan_req
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_rr_or_rnr
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_sframe
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_srej
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_send_srej_tail
|
|
|
675592 |
l2cap_core.o: changed function: l2cap_start_connection
|
|
|
675592 |
l2cap_core.o: new function: l2cap_connect_req
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_bind_filter
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_change
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_delete
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_destroy
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_enqueue
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_find
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_graft
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_leaf
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_peek
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_put
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_reset
|
|
|
675592 |
sch_atm.o: changed function: atm_tc_tcf_block
|
|
|
675592 |
sch_atm.o: changed function: sch_atm_dequeue
|
|
|
675592 |
sch_drr.o: changed function: drr_dequeue
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_bind_filter
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_change
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_destroy
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_dump_class
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_init
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_peek
|
|
|
675592 |
sch_dsmark.o: changed function: dsmark_reset
|
|
|
675592 |
sch_hfsc.o: changed function: hfsc_change_class
|
|
|
675592 |
sch_hfsc.o: changed function: hfsc_dequeue
|
|
|
675592 |
sch_hfsc.o: changed function: hfsc_enqueue
|
|
|
675592 |
sch_multiq.o: changed function: multiq_peek
|
|
|
675592 |
sch_prio.o: changed function: prio_peek
|
|
|
675592 |
sch_qfq.o: changed function: qfq_change_class
|
|
|
675592 |
sch_qfq.o: changed function: qfq_dequeue
|
|
|
675592 |
sch_red.o: changed function: red_peek
|
|
|
675592 |
sch_sfb.o: changed function: sfb_peek
|
|
|
675592 |
sch_tbf.o: changed function: tbf_dequeue
|
|
|
675592 |
|
|
|
675592 |
---------------------------
|
|
|
675592 |
|
|
|
675592 |
Modifications:
|
|
|
675592 |
- redirected to qdisc_peek_dequeued() by modifying functions that
|
|
|
675592 |
called '->peek(qdisc)' to call klp_cve_2023_4921_peek() rather than by
|
|
|
675592 |
modifying plug_qdisc_ops
|
|
|
675592 |
- don't remove existing WARN_ONCE instances to avoid kpatch-build
|
|
|
675592 |
"unreconcilable difference" error in .data.once section
|
|
|
675592 |
|
|
|
675592 |
commit faf95907a10c29861882d7885b6e04ebe20057c8
|
|
|
675592 |
Author: Davide Caratti <dcaratti@redhat.com>
|
|
|
675592 |
Date: Fri Oct 27 17:22:42 2023 +0200
|
|
|
675592 |
|
|
|
675592 |
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
|
|
|
675592 |
|
|
|
675592 |
JIRA: https://issues.redhat.com/browse/RHEL-14397
|
|
|
675592 |
CVE: CVE-2023-4921
|
|
|
675592 |
Upstream Status: net.git commit 8fc134fee27f2263988ae38920bc03da416b03d8
|
|
|
675592 |
|
|
|
675592 |
commit 8fc134fee27f2263988ae38920bc03da416b03d8
|
|
|
675592 |
Author: valis <sec@valis.email>
|
|
|
675592 |
Date: Fri Sep 1 12:22:37 2023 -0400
|
|
|
675592 |
|
|
|
675592 |
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
|
|
|
675592 |
|
|
|
675592 |
When the plug qdisc is used as a class of the qfq qdisc it could trigger a
|
|
|
675592 |
UAF. This issue can be reproduced with following commands:
|
|
|
675592 |
|
|
|
675592 |
tc qdisc add dev lo root handle 1: qfq
|
|
|
675592 |
tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
|
|
|
675592 |
tc qdisc add dev lo parent 1:1 handle 2: plug
|
|
|
675592 |
tc filter add dev lo parent 1: basic classid 1:1
|
|
|
675592 |
ping -c1 127.0.0.1
|
|
|
675592 |
|
|
|
675592 |
and boom:
|
|
|
675592 |
|
|
|
675592 |
[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0
|
|
|
675592 |
[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144
|
|
|
675592 |
[ 285.355903]
|
|
|
675592 |
[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4
|
|
|
675592 |
[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
|
|
|
675592 |
[ 285.358376] Call Trace:
|
|
|
675592 |
[ 285.358773] <IRQ>
|
|
|
675592 |
[ 285.359109] dump_stack_lvl+0x44/0x60
|
|
|
675592 |
[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0
|
|
|
675592 |
[ 285.360611] kasan_report+0x10c/0x120
|
|
|
675592 |
[ 285.361195] ? qfq_dequeue+0xa7/0x7f0
|
|
|
675592 |
[ 285.361780] qfq_dequeue+0xa7/0x7f0
|
|
|
675592 |
[ 285.362342] __qdisc_run+0xf1/0x970
|
|
|
675592 |
[ 285.362903] net_tx_action+0x28e/0x460
|
|
|
675592 |
[ 285.363502] __do_softirq+0x11b/0x3de
|
|
|
675592 |
[ 285.364097] do_softirq.part.0+0x72/0x90
|
|
|
675592 |
[ 285.364721] </IRQ>
|
|
|
675592 |
[ 285.365072] <TASK>
|
|
|
675592 |
[ 285.365422] __local_bh_enable_ip+0x77/0x90
|
|
|
675592 |
[ 285.366079] __dev_queue_xmit+0x95f/0x1550
|
|
|
675592 |
[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10
|
|
|
675592 |
[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10
|
|
|
675592 |
[ 285.368259] ? __build_skb_around+0x129/0x190
|
|
|
675592 |
[ 285.368960] ? ip_generic_getfrag+0x12c/0x170
|
|
|
675592 |
[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10
|
|
|
675592 |
[ 285.370390] ? csum_partial+0x8/0x20
|
|
|
675592 |
[ 285.370961] ? raw_getfrag+0xe5/0x140
|
|
|
675592 |
[ 285.371559] ip_finish_output2+0x539/0xa40
|
|
|
675592 |
[ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10
|
|
|
675592 |
[ 285.372954] ip_output+0x113/0x1e0
|
|
|
675592 |
[ 285.373512] ? __pfx_ip_output+0x10/0x10
|
|
|
675592 |
[ 285.374130] ? icmp_out_count+0x49/0x60
|
|
|
675592 |
[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10
|
|
|
675592 |
[ 285.375457] ip_push_pending_frames+0xf3/0x100
|
|
|
675592 |
[ 285.376173] raw_sendmsg+0xef5/0x12d0
|
|
|
675592 |
[ 285.376760] ? do_syscall_64+0x40/0x90
|
|
|
675592 |
[ 285.377359] ? __static_call_text_end+0x136578/0x136578
|
|
|
675592 |
[ 285.378173] ? do_syscall_64+0x40/0x90
|
|
|
675592 |
[ 285.378772] ? kasan_enable_current+0x11/0x20
|
|
|
675592 |
[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10
|
|
|
675592 |
[ 285.380137] ? __sock_create+0x13e/0x270
|
|
|
675592 |
[ 285.380673] ? __sys_socket+0xf3/0x180
|
|
|
675592 |
[ 285.381174] ? __x64_sys_socket+0x3d/0x50
|
|
|
675592 |
[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
|
|
|
675592 |
[ 285.382425] ? __rcu_read_unlock+0x48/0x70
|
|
|
675592 |
[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380
|
|
|
675592 |
[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10
|
|
|
675592 |
[ 285.384295] ? preempt_count_sub+0x14/0xc0
|
|
|
675592 |
[ 285.384844] ? __list_del_entry_valid+0x76/0x140
|
|
|
675592 |
[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0
|
|
|
675592 |
[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10
|
|
|
675592 |
[ 285.386645] ? release_sock+0xa0/0xd0
|
|
|
675592 |
[ 285.387148] ? preempt_count_sub+0x14/0xc0
|
|
|
675592 |
[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0
|
|
|
675592 |
[ 285.388341] ? aa_sk_perm+0x177/0x390
|
|
|
675592 |
[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10
|
|
|
675592 |
[ 285.389441] ? check_stack_object+0x22/0x70
|
|
|
675592 |
[ 285.390032] ? inet_send_prepare+0x2f/0x120
|
|
|
675592 |
[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10
|
|
|
675592 |
[ 285.391172] sock_sendmsg+0xcc/0xe0
|
|
|
675592 |
[ 285.391667] __sys_sendto+0x190/0x230
|
|
|
675592 |
[ 285.392168] ? __pfx___sys_sendto+0x10/0x10
|
|
|
675592 |
[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30
|
|
|
675592 |
[ 285.393328] ? set_normalized_timespec64+0x57/0x70
|
|
|
675592 |
[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40
|
|
|
675592 |
[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160
|
|
|
675592 |
[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10
|
|
|
675592 |
[ 285.395908] ? _copy_to_user+0x3e/0x60
|
|
|
675592 |
[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120
|
|
|
675592 |
[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50
|
|
|
675592 |
[ 285.397734] ? do_syscall_64+0x71/0x90
|
|
|
675592 |
[ 285.398258] __x64_sys_sendto+0x74/0x90
|
|
|
675592 |
[ 285.398786] do_syscall_64+0x64/0x90
|
|
|
675592 |
[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120
|
|
|
675592 |
[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50
|
|
|
675592 |
[ 285.400605] ? do_syscall_64+0x71/0x90
|
|
|
675592 |
[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
|
|
|
675592 |
[ 285.401807] RIP: 0033:0x495726
|
|
|
675592 |
[ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09
|
|
|
675592 |
[ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
|
|
|
675592 |
[ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726
|
|
|
675592 |
[ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000
|
|
|
675592 |
[ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c
|
|
|
675592 |
[ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634
|
|
|
675592 |
[ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000
|
|
|
675592 |
[ 285.410403] </TASK>
|
|
|
675592 |
[ 285.410704]
|
|
|
675592 |
[ 285.410929] Allocated by task 144:
|
|
|
675592 |
[ 285.411402] kasan_save_stack+0x1e/0x40
|
|
|
675592 |
[ 285.411926] kasan_set_track+0x21/0x30
|
|
|
675592 |
[ 285.412442] __kasan_slab_alloc+0x55/0x70
|
|
|
675592 |
[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0
|
|
|
675592 |
[ 285.413567] __alloc_skb+0x1b4/0x230
|
|
|
675592 |
[ 285.414060] __ip_append_data+0x17f7/0x1b60
|
|
|
675592 |
[ 285.414633] ip_append_data+0x97/0xf0
|
|
|
675592 |
[ 285.415144] raw_sendmsg+0x5a8/0x12d0
|
|
|
675592 |
[ 285.415640] sock_sendmsg+0xcc/0xe0
|
|
|
675592 |
[ 285.416117] __sys_sendto+0x190/0x230
|
|
|
675592 |
[ 285.416626] __x64_sys_sendto+0x74/0x90
|
|
|
675592 |
[ 285.417145] do_syscall_64+0x64/0x90
|
|
|
675592 |
[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
|
|
|
675592 |
[ 285.418306]
|
|
|
675592 |
[ 285.418531] Freed by task 144:
|
|
|
675592 |
[ 285.418960] kasan_save_stack+0x1e/0x40
|
|
|
675592 |
[ 285.419469] kasan_set_track+0x21/0x30
|
|
|
675592 |
[ 285.419988] kasan_save_free_info+0x27/0x40
|
|
|
675592 |
[ 285.420556] ____kasan_slab_free+0x109/0x1a0
|
|
|
675592 |
[ 285.421146] kmem_cache_free+0x1c2/0x450
|
|
|
675592 |
[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870
|
|
|
675592 |
[ 285.422333] __netif_receive_skb_one_core+0x97/0x140
|
|
|
675592 |
[ 285.423003] process_backlog+0x100/0x2f0
|
|
|
675592 |
[ 285.423537] __napi_poll+0x5c/0x2d0
|
|
|
675592 |
[ 285.424023] net_rx_action+0x2be/0x560
|
|
|
675592 |
[ 285.424510] __do_softirq+0x11b/0x3de
|
|
|
675592 |
[ 285.425034]
|
|
|
675592 |
[ 285.425254] The buggy address belongs to the object at ffff8880bad31280
|
|
|
675592 |
[ 285.425254] which belongs to the cache skbuff_head_cache of size 224
|
|
|
675592 |
[ 285.426993] The buggy address is located 40 bytes inside of
|
|
|
675592 |
[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360)
|
|
|
675592 |
[ 285.428572]
|
|
|
675592 |
[ 285.428798] The buggy address belongs to the physical page:
|
|
|
675592 |
[ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31
|
|
|
675592 |
[ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1)
|
|
|
675592 |
[ 285.431447] page_type: 0xffffffff()
|
|
|
675592 |
[ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000
|
|
|
675592 |
[ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
|
|
|
675592 |
[ 285.433562] page dumped because: kasan: bad access detected
|
|
|
675592 |
[ 285.434144]
|
|
|
675592 |
[ 285.434320] Memory state around the buggy address:
|
|
|
675592 |
[ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
|
675592 |
[ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
|
675592 |
[ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
|
|
|
675592 |
[ 285.436777] ^
|
|
|
675592 |
[ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
|
|
|
675592 |
[ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
|
675592 |
[ 285.438126] ==================================================================
|
|
|
675592 |
[ 285.438662] Disabling lock debugging due to kernel taint
|
|
|
675592 |
|
|
|
675592 |
Fix this by:
|
|
|
675592 |
1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a
|
|
|
675592 |
function compatible with non-work-conserving qdiscs
|
|
|
675592 |
2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq.
|
|
|
675592 |
|
|
|
675592 |
Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
|
|
|
675592 |
Reported-by: valis <sec@valis.email>
|
|
|
675592 |
Signed-off-by: valis <sec@valis.email>
|
|
|
675592 |
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
|
|
675592 |
Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com
|
|
|
675592 |
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
|
675592 |
|
|
|
675592 |
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
|
|
|
675592 |
|
|
|
675592 |
commit eb76ae2165f95d31ad199d706840140b271c719e
|
|
|
675592 |
Author: Davide Caratti <dcaratti@redhat.com>
|
|
|
675592 |
Date: Thu Jan 25 15:45:42 2024 +0100
|
|
|
675592 |
|
|
|
675592 |
net: sched: sch_qfq: Use non-work-conserving warning handler
|
|
|
675592 |
|
|
|
675592 |
JIRA: https://issues.redhat.com/browse/RHEL-14397
|
|
|
675592 |
Upstream Status: net.git commit 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77
|
|
|
675592 |
|
|
|
675592 |
commit 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77
|
|
|
675592 |
Author: Liu Jian <liujian56@huawei.com>
|
|
|
675592 |
Date: Mon Oct 23 14:47:29 2023 +0800
|
|
|
675592 |
|
|
|
675592 |
net: sched: sch_qfq: Use non-work-conserving warning handler
|
|
|
675592 |
|
|
|
675592 |
A helper function for printing non-work-conserving alarms is added in
|
|
|
675592 |
commit b00355db3f88 ("pkt_sched: sch_hfsc: sch_htb: Add non-work-conserving
|
|
|
675592 |
warning handler."). In this commit, use qdisc_warn_nonwc() instead of
|
|
|
675592 |
WARN_ONCE() to handle the non-work-conserving warning in qfq Qdisc.
|
|
|
675592 |
|
|
|
675592 |
Signed-off-by: Liu Jian <liujian56@huawei.com>
|
|
|
675592 |
Link: https://lore.kernel.org/r/20231023064729.370649-1-liujian56@huawei.com
|
|
|
675592 |
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
|
675592 |
|
|
|
675592 |
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
|
|
|
675592 |
|
|
|
675592 |
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
675592 |
---
|
|
|
675592 |
net/sched/klp_cve_2023_4921.h | 16 +++++++++++++
|
|
|
675592 |
net/sched/sch_atm.c | 5 ++--
|
|
|
675592 |
net/sched/sch_drr.c | 3 ++-
|
|
|
675592 |
net/sched/sch_dsmark.c | 3 ++-
|
|
|
675592 |
net/sched/sch_hfsc.c | 7 +++---
|
|
|
675592 |
net/sched/sch_multiq.c | 4 +++-
|
|
|
675592 |
net/sched/sch_prio.c | 6 ++++-
|
|
|
675592 |
net/sched/sch_qfq.c | 43 ++++++++++++++++++++++++++---------
|
|
|
675592 |
net/sched/sch_red.c | 3 ++-
|
|
|
675592 |
net/sched/sch_sfb.c | 3 ++-
|
|
|
675592 |
net/sched/sch_tbf.c | 3 ++-
|
|
|
675592 |
11 files changed, 73 insertions(+), 23 deletions(-)
|
|
|
675592 |
create mode 100644 net/sched/klp_cve_2023_4921.h
|
|
|
675592 |
|
|
|
675592 |
diff --git a/net/sched/klp_cve_2023_4921.h b/net/sched/klp_cve_2023_4921.h
|
|
|
675592 |
new file mode 100644
|
|
|
675592 |
index 000000000000..07a5624a487c
|
|
|
675592 |
--- /dev/null
|
|
|
675592 |
+++ b/net/sched/klp_cve_2023_4921.h
|
|
|
675592 |
@@ -0,0 +1,16 @@
|
|
|
675592 |
+#ifndef __KLP_CVE_2023_4921__
|
|
|
675592 |
+#define __KLP_CVE_2023_4921__
|
|
|
675592 |
+
|
|
|
675592 |
+static inline struct sk_buff *klp_cve_2023_4921_peek(struct Qdisc *sch)
|
|
|
675592 |
+{
|
|
|
675592 |
+ /*
|
|
|
675592 |
+ * kpatch workaround: can't modify plug_qdisc_ops structure, so
|
|
|
675592 |
+ * provide a peek pivot based on the underlying qdisc ops id
|
|
|
675592 |
+ */
|
|
|
675592 |
+ if (strcmp(sch->ops->id, "plug") == 0)
|
|
|
675592 |
+ return qdisc_peek_dequeued(sch);
|
|
|
675592 |
+
|
|
|
675592 |
+ return sch->ops->peek(sch);
|
|
|
675592 |
+}
|
|
|
675592 |
+
|
|
|
675592 |
+#endif
|
|
|
675592 |
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
|
|
|
675592 |
index 7c8966a42794..d58c84b3fba2 100644
|
|
|
675592 |
--- a/net/sched/sch_atm.c
|
|
|
675592 |
+++ b/net/sched/sch_atm.c
|
|
|
675592 |
@@ -16,6 +16,7 @@
|
|
|
675592 |
#include <net/netlink.h>
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
/*
|
|
|
675592 |
* The ATM queuing discipline provides a framework for invoking classifiers
|
|
|
675592 |
@@ -474,7 +475,7 @@ static void sch_atm_dequeue(unsigned long data)
|
|
|
675592 |
* If traffic is properly shaped, this won't generate nasty
|
|
|
675592 |
* little bursts. Otherwise, it may ... (but that's okay)
|
|
|
675592 |
*/
|
|
|
675592 |
- while ((skb = flow->q->ops->peek(flow->q))) {
|
|
|
675592 |
+ while ((skb = klp_cve_2023_4921_peek(flow->q))) {
|
|
|
675592 |
if (!atm_may_send(flow->vcc, skb->truesize))
|
|
|
675592 |
break;
|
|
|
675592 |
|
|
|
675592 |
@@ -528,7 +529,7 @@ static struct sk_buff *atm_tc_peek(struct Qdisc *sch)
|
|
|
675592 |
|
|
|
675592 |
pr_debug("atm_tc_peek(sch %p,[qdisc %p])\n", sch, p);
|
|
|
675592 |
|
|
|
675592 |
- return p->link.q->ops->peek(p->link.q);
|
|
|
675592 |
+ return klp_cve_2023_4921_peek(p->link.q);
|
|
|
675592 |
}
|
|
|
675592 |
|
|
|
675592 |
static int atm_tc_init(struct Qdisc *sch, struct nlattr *opt)
|
|
|
675592 |
diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
|
|
|
675592 |
index 9bfe7b50115f..27dd8e610da2 100644
|
|
|
675592 |
--- a/net/sched/sch_drr.c
|
|
|
675592 |
+++ b/net/sched/sch_drr.c
|
|
|
675592 |
@@ -17,6 +17,7 @@
|
|
|
675592 |
#include <net/sch_generic.h>
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
struct drr_class {
|
|
|
675592 |
struct Qdisc_class_common common;
|
|
|
675592 |
@@ -378,7 +379,7 @@ static struct sk_buff *drr_dequeue(struct Qdisc *sch)
|
|
|
675592 |
goto out;
|
|
|
675592 |
while (1) {
|
|
|
675592 |
cl = list_first_entry(&q->active, struct drr_class, alist);
|
|
|
675592 |
- skb = cl->qdisc->ops->peek(cl->qdisc);
|
|
|
675592 |
+ skb = klp_cve_2023_4921_peek(cl->qdisc);
|
|
|
675592 |
if (skb == NULL) {
|
|
|
675592 |
qdisc_warn_nonwc(__func__, cl->qdisc);
|
|
|
675592 |
goto out;
|
|
|
675592 |
diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
|
|
|
675592 |
index df08e15e6f19..06b6e03f89ea 100644
|
|
|
675592 |
--- a/net/sched/sch_dsmark.c
|
|
|
675592 |
+++ b/net/sched/sch_dsmark.c
|
|
|
675592 |
@@ -17,6 +17,7 @@
|
|
|
675592 |
#include <net/dsfield.h>
|
|
|
675592 |
#include <net/inet_ecn.h>
|
|
|
675592 |
#include <asm/byteorder.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
/*
|
|
|
675592 |
* classid class marking
|
|
|
675592 |
@@ -327,7 +328,7 @@ static struct sk_buff *dsmark_peek(struct Qdisc *sch)
|
|
|
675592 |
|
|
|
675592 |
pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p);
|
|
|
675592 |
|
|
|
675592 |
- return p->q->ops->peek(p->q);
|
|
|
675592 |
+ return klp_cve_2023_4921_peek(p->q);
|
|
|
675592 |
}
|
|
|
675592 |
|
|
|
675592 |
static int dsmark_init(struct Qdisc *sch, struct nlattr *opt)
|
|
|
675592 |
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
|
|
|
675592 |
index fb14b551f65d..466244c57737 100644
|
|
|
675592 |
--- a/net/sched/sch_hfsc.c
|
|
|
675592 |
+++ b/net/sched/sch_hfsc.c
|
|
|
675592 |
@@ -67,6 +67,7 @@
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
#include <asm/div64.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
/*
|
|
|
675592 |
* kernel internal service curve representation:
|
|
|
675592 |
@@ -834,7 +835,8 @@ qdisc_peek_len(struct Qdisc *sch)
|
|
|
675592 |
struct sk_buff *skb;
|
|
|
675592 |
unsigned int len;
|
|
|
675592 |
|
|
|
675592 |
- skb = sch->ops->peek(sch);
|
|
|
675592 |
+ skb = klp_cve_2023_4921_peek(sch);
|
|
|
675592 |
+
|
|
|
675592 |
if (unlikely(skb == NULL)) {
|
|
|
675592 |
qdisc_warn_nonwc("qdisc_peek_len", sch);
|
|
|
675592 |
return 0;
|
|
|
675592 |
@@ -1567,8 +1569,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
|
|
|
675592 |
* to invalidate the deadline.
|
|
|
675592 |
*/
|
|
|
675592 |
if (cl->cl_flags & HFSC_RSC)
|
|
|
675592 |
- cl->qdisc->ops->peek(cl->qdisc);
|
|
|
675592 |
-
|
|
|
675592 |
+ klp_cve_2023_4921_peek(cl->qdisc);
|
|
|
675592 |
}
|
|
|
675592 |
|
|
|
675592 |
qdisc_qstats_backlog_inc(sch, skb);
|
|
|
675592 |
diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c
|
|
|
675592 |
index 31e0a284eeff..8f6e85b2c8b8 100644
|
|
|
675592 |
--- a/net/sched/sch_multiq.c
|
|
|
675592 |
+++ b/net/sched/sch_multiq.c
|
|
|
675592 |
@@ -26,6 +26,7 @@
|
|
|
675592 |
#include <net/netlink.h>
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
struct multiq_sched_data {
|
|
|
675592 |
u16 bands;
|
|
|
675592 |
@@ -145,7 +146,8 @@ static struct sk_buff *multiq_peek(struct Qdisc *sch)
|
|
|
675592 |
if (!netif_xmit_stopped(
|
|
|
675592 |
netdev_get_tx_queue(qdisc_dev(sch), curband))) {
|
|
|
675592 |
qdisc = q->queues[curband];
|
|
|
675592 |
- skb = qdisc->ops->peek(qdisc);
|
|
|
675592 |
+ skb = klp_cve_2023_4921_peek(qdisc);
|
|
|
675592 |
+
|
|
|
675592 |
if (skb)
|
|
|
675592 |
return skb;
|
|
|
675592 |
}
|
|
|
675592 |
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
|
|
|
675592 |
index faf447b60b68..23526ef54f0c 100644
|
|
|
675592 |
--- a/net/sched/sch_prio.c
|
|
|
675592 |
+++ b/net/sched/sch_prio.c
|
|
|
675592 |
@@ -21,6 +21,7 @@
|
|
|
675592 |
#include <net/netlink.h>
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
struct prio_sched_data {
|
|
|
675592 |
int bands;
|
|
|
675592 |
@@ -103,7 +104,10 @@ static struct sk_buff *prio_peek(struct Qdisc *sch)
|
|
|
675592 |
|
|
|
675592 |
for (prio = 0; prio < q->bands; prio++) {
|
|
|
675592 |
struct Qdisc *qdisc = q->queues[prio];
|
|
|
675592 |
- struct sk_buff *skb = qdisc->ops->peek(qdisc);
|
|
|
675592 |
+ struct sk_buff *skb;
|
|
|
675592 |
+
|
|
|
675592 |
+ skb = klp_cve_2023_4921_peek(qdisc);
|
|
|
675592 |
+
|
|
|
675592 |
if (skb)
|
|
|
675592 |
return skb;
|
|
|
675592 |
}
|
|
|
675592 |
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
|
|
|
675592 |
index ca8c79456c80..134cd66225c0 100644
|
|
|
675592 |
--- a/net/sched/sch_qfq.c
|
|
|
675592 |
+++ b/net/sched/sch_qfq.c
|
|
|
675592 |
@@ -18,6 +18,8 @@
|
|
|
675592 |
#include <net/sch_generic.h>
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
+#include <linux/string.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
|
|
|
675592 |
/* Quick Fair Queueing Plus
|
|
|
675592 |
@@ -984,19 +986,24 @@ static void qfq_update_eligible(struct qfq_sched *q)
|
|
|
675592 |
}
|
|
|
675592 |
|
|
|
675592 |
/* Dequeue head packet of the head class in the DRR queue of the aggregate. */
|
|
|
675592 |
-static void agg_dequeue(struct qfq_aggregate *agg,
|
|
|
675592 |
- struct qfq_class *cl, unsigned int len)
|
|
|
675592 |
+static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg,
|
|
|
675592 |
+ struct qfq_class *cl, unsigned int len)
|
|
|
675592 |
{
|
|
|
675592 |
- qdisc_dequeue_peeked(cl->qdisc);
|
|
|
675592 |
+ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc);
|
|
|
675592 |
+
|
|
|
675592 |
+ if (!skb)
|
|
|
675592 |
+ return NULL;
|
|
|
675592 |
|
|
|
675592 |
cl->deficit -= (int) len;
|
|
|
675592 |
|
|
|
675592 |
if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */
|
|
|
675592 |
list_del(&cl->alist);
|
|
|
675592 |
- else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) {
|
|
|
675592 |
+ else if (cl->deficit < qdisc_pkt_len(klp_cve_2023_4921_peek(cl->qdisc))) {
|
|
|
675592 |
cl->deficit += agg->lmax;
|
|
|
675592 |
list_move_tail(&cl->alist, &agg->active);
|
|
|
675592 |
}
|
|
|
675592 |
+
|
|
|
675592 |
+ return skb;
|
|
|
675592 |
}
|
|
|
675592 |
|
|
|
675592 |
static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
|
|
|
675592 |
@@ -1006,10 +1013,16 @@ static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
|
|
|
675592 |
struct sk_buff *skb;
|
|
|
675592 |
|
|
|
675592 |
*cl = list_first_entry(&agg->active, struct qfq_class, alist);
|
|
|
675592 |
- skb = (*cl)->qdisc->ops->peek((*cl)->qdisc);
|
|
|
675592 |
- if (skb == NULL)
|
|
|
675592 |
- WARN_ONCE(1, "qfq_dequeue: non-workconserving leaf\n");
|
|
|
675592 |
- else
|
|
|
675592 |
+ skb = klp_cve_2023_4921_peek((*cl)->qdisc);
|
|
|
675592 |
+ if (skb == NULL) {
|
|
|
675592 |
+ /*
|
|
|
675592 |
+ * kpatch-build workaround: keep old WARN_ONCE to avoid
|
|
|
675592 |
+ * create-diff-object unreconcilable difference from
|
|
|
675592 |
+ * unsupported .data.once section change.
|
|
|
675592 |
+ */
|
|
|
675592 |
+ WARN_ONCE(!jiffies, "qfq_dequeue: non-workconserving leaf\n");
|
|
|
675592 |
+ qdisc_warn_nonwc("qfq_dequeue", (*cl)->qdisc);
|
|
|
675592 |
+ } else
|
|
|
675592 |
*len = qdisc_pkt_len(skb);
|
|
|
675592 |
|
|
|
675592 |
return skb;
|
|
|
675592 |
@@ -1142,11 +1155,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch)
|
|
|
675592 |
if (!skb)
|
|
|
675592 |
return NULL;
|
|
|
675592 |
|
|
|
675592 |
- qdisc_qstats_backlog_dec(sch, skb);
|
|
|
675592 |
sch->q.qlen--;
|
|
|
675592 |
+
|
|
|
675592 |
+ skb = agg_dequeue(in_serv_agg, cl, len);
|
|
|
675592 |
+
|
|
|
675592 |
+ if (!skb) {
|
|
|
675592 |
+ sch->q.qlen++;
|
|
|
675592 |
+ return NULL;
|
|
|
675592 |
+ }
|
|
|
675592 |
+
|
|
|
675592 |
+ qdisc_qstats_backlog_dec(sch, skb);
|
|
|
675592 |
qdisc_bstats_update(sch, skb);
|
|
|
675592 |
|
|
|
675592 |
- agg_dequeue(in_serv_agg, cl, len);
|
|
|
675592 |
/* If lmax is lowered, through qfq_change_class, for a class
|
|
|
675592 |
* owning pending packets with larger size than the new value
|
|
|
675592 |
* of lmax, then the following condition may hold.
|
|
|
675592 |
@@ -1224,6 +1244,7 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
|
|
|
675592 |
}
|
|
|
675592 |
pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid);
|
|
|
675592 |
|
|
|
675592 |
+
|
|
|
675592 |
if (unlikely(cl->agg->lmax < qdisc_pkt_len(skb))) {
|
|
|
675592 |
pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
|
|
|
675592 |
cl->agg->lmax, qdisc_pkt_len(skb), cl->common.classid);
|
|
|
675592 |
@@ -1252,7 +1273,7 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
|
|
|
675592 |
agg = cl->agg;
|
|
|
675592 |
/* if the queue was not empty, then done here */
|
|
|
675592 |
if (cl->qdisc->q.qlen != 1) {
|
|
|
675592 |
- if (unlikely(skb == cl->qdisc->ops->peek(cl->qdisc)) &&
|
|
|
675592 |
+ if (unlikely(skb == klp_cve_2023_4921_peek(cl->qdisc)) &&
|
|
|
675592 |
list_first_entry(&agg->active, struct qfq_class, alist)
|
|
|
675592 |
== cl && cl->deficit < qdisc_pkt_len(skb))
|
|
|
675592 |
list_move_tail(&cl->alist, &agg->active);
|
|
|
675592 |
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
|
|
|
675592 |
index e4789760457a..eea80e402219 100644
|
|
|
675592 |
--- a/net/sched/sch_red.c
|
|
|
675592 |
+++ b/net/sched/sch_red.c
|
|
|
675592 |
@@ -22,6 +22,7 @@
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
#include <net/inet_ecn.h>
|
|
|
675592 |
#include <net/red.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
|
|
|
675592 |
/* Parameters, settable by user:
|
|
|
675592 |
@@ -135,7 +136,7 @@ static struct sk_buff *red_peek(struct Qdisc *sch)
|
|
|
675592 |
struct red_sched_data *q = qdisc_priv(sch);
|
|
|
675592 |
struct Qdisc *child = q->qdisc;
|
|
|
675592 |
|
|
|
675592 |
- return child->ops->peek(child);
|
|
|
675592 |
+ return klp_cve_2023_4921_peek(child);
|
|
|
675592 |
}
|
|
|
675592 |
|
|
|
675592 |
static void red_reset(struct Qdisc *sch)
|
|
|
675592 |
diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
|
|
|
675592 |
index aeb509bde740..f8d75735351f 100644
|
|
|
675592 |
--- a/net/sched/sch_sfb.c
|
|
|
675592 |
+++ b/net/sched/sch_sfb.c
|
|
|
675592 |
@@ -27,6 +27,7 @@
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
#include <net/pkt_cls.h>
|
|
|
675592 |
#include <net/inet_ecn.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
/*
|
|
|
675592 |
* SFB uses two B[l][n] : L x N arrays of bins (L levels, N bins per level)
|
|
|
675592 |
@@ -445,7 +446,7 @@ static struct sk_buff *sfb_peek(struct Qdisc *sch)
|
|
|
675592 |
struct sfb_sched_data *q = qdisc_priv(sch);
|
|
|
675592 |
struct Qdisc *child = q->qdisc;
|
|
|
675592 |
|
|
|
675592 |
- return child->ops->peek(child);
|
|
|
675592 |
+ return klp_cve_2023_4921_peek(child);
|
|
|
675592 |
}
|
|
|
675592 |
|
|
|
675592 |
/* No sfb_drop -- impossible since the child doesn't return the dropped skb. */
|
|
|
675592 |
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
|
|
|
675592 |
index 15a19519aa9c..9957adc1b951 100644
|
|
|
675592 |
--- a/net/sched/sch_tbf.c
|
|
|
675592 |
+++ b/net/sched/sch_tbf.c
|
|
|
675592 |
@@ -21,6 +21,7 @@
|
|
|
675592 |
#include <net/netlink.h>
|
|
|
675592 |
#include <net/sch_generic.h>
|
|
|
675592 |
#include <net/pkt_sched.h>
|
|
|
675592 |
+#include "klp_cve_2023_4921.h"
|
|
|
675592 |
|
|
|
675592 |
|
|
|
675592 |
/* Simple Token Bucket Filter.
|
|
|
675592 |
@@ -214,7 +215,7 @@ static struct sk_buff *tbf_dequeue(struct Qdisc *sch)
|
|
|
675592 |
struct tbf_sched_data *q = qdisc_priv(sch);
|
|
|
675592 |
struct sk_buff *skb;
|
|
|
675592 |
|
|
|
675592 |
- skb = q->qdisc->ops->peek(q->qdisc);
|
|
|
675592 |
+ skb = klp_cve_2023_4921_peek(q->qdisc);
|
|
|
675592 |
|
|
|
675592 |
if (skb) {
|
|
|
675592 |
s64 now;
|
|
|
675592 |
--
|
|
|
675592 |
2.44.0
|
|
|
675592 |
|
|
|
675592 |
|