Thread (3 messages), 3 authors, 2018-11-30

Re: [PATCH v2 net] net: Prevent invalid access to skb->prev in __qdisc_drop_all

From: David Miller <davem@davemloft.net>
Date: 2018-11-30 11:36:05

From: Christoph Paasch <redacted>
Date: Thu, 29 Nov 2018 16:01:04 -0800

__qdisc_drop_all() accesses skb->prev to get to the tail of the
segment-list.

With commit 68d2f84a1368 ("net: gro: properly remove skb from list")
the skb-list handling has been changed to set skb->next to NULL and set
the list-poison on skb->prev.

With that change, __qdisc_drop_all() will panic when it tries to
dereference skb->prev.

Since commit 992cba7e276d ("net: Add and use skb_list_del_init().")
__list_del_entry is used, leaving skb->prev unchanged (thus,
pointing to the list-head if it's the first skb of the list).
This will make __qdisc_drop_all modify the next-pointer of the list-head
and result in a panic later on:
  ...
This patch makes sure that skb->prev is set to NULL when entering
netem_enqueue.

Cc: Prashant Bhole <redacted>
Cc: Tyler Hicks <redacted>
Cc: Eric Dumazet <redacted>
Fixes: 68d2f84a1368 ("net: gro: properly remove skb from list")
Suggested-by: Eric Dumazet <redacted>
Signed-off-by: Christoph Paasch <redacted>

Applied and queued up for -stable, thanks!
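
The stale `prev` pointer described in the quoted commit message can be reproduced in a userspace model. This is an added example, not code from the patch or the kernel: `struct node` and the `model_*` functions are hypothetical stand-ins, and their bodies are simplified assumptions about how the unlink and the drop path treat `next` and `prev`.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the next/prev pair at the start of an sk_buff (assumption). */
struct node { struct node *next, *prev; };

/* Model of the unlink the message describes after 992cba7e276d:
 * the entry is removed and next is cleared, but prev is left unchanged. */
static void model_list_del_init(struct node *n)
{
    n->next->prev = n->prev;
    n->prev->next = n->next;
    n->next = NULL;              /* n->prev still points at the old neighbour */
}

/* Model of the drop path: a non-NULL prev is trusted as the tail of the
 * segment list, and the pending free-list is chained behind that tail. */
static void model_drop_all(struct node *skb, struct node **to_free)
{
    if (skb->prev)
        skb->prev->next = *to_free;
    else
        skb->next = *to_free;
    *to_free = skb;
}

/* Returns 1 if dropping the first list entry overwrote the list head's
 * next pointer, 0 if the list head survived intact. */
int head_corrupted(int clear_prev)
{
    struct node head, a, b, pending = { NULL, NULL };
    struct node *to_free = &pending;    /* an earlier dropped packet */

    /* Constructed circular list: head <-> a <-> b <-> head */
    head.next = &a; a.prev = &head;
    a.next = &b;    b.prev = &a;
    b.next = &head; head.prev = &b;

    model_list_del_init(&a);            /* a was first, so a.prev == &head */
    if (clear_prev)
        a.prev = NULL;                  /* what the patch does on entry to enqueue */
    model_drop_all(&a, &to_free);
    return head.next != &b;
}

int main(void)
{
    printf("prev left stale: head corrupted = %d\n", head_corrupted(0));
    printf("prev cleared:    head corrupted = %d\n", head_corrupted(1));
    return 0;
}
```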