net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
BUG=b/470372754
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2025-68325 in the Linux kernel.
cos-patch: security-moderate
Fixes: 15de71d06a40 ("net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit")
Link: https://patch.msgid.link/20251128001415.377823-1-xmei5@asu.edu
Reviewed-by: Toke Høiland-Jørgensen <toke@toke.dk>
Change-Id: I4b0f18ae770418fb8a1b6361acf7314c5b61aa3c
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/122821
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Kevin Liu <zhihuil@google.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/122861
1 file changed
