pkt_sched: Fix return value corruption in HTB and TBF.
authorDavid S. Miller <davem@davemloft.net>
Mon, 18 Aug 2008 06:55:36 +0000 (23:55 -0700)
committerDavid S. Miller <davem@davemloft.net>
Mon, 18 Aug 2008 07:39:41 +0000 (00:39 -0700)
Based upon a bug report by Josip Rodin.

Packet schedulers should only return NET_XMIT_DROP iff
the packet really was dropped.  If the packet does reach
the device after we return NET_XMIT_DROP then TCP can
crash because it depends upon the enqueue path return
values being accurate.

Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_htb.c
net/sched/sch_tbf.c

index 6febd245e62b349b061674986a13b826cff8e02a..0df0df202ed064770699569a6749563ec2d34706 100644 (file)
@@ -577,7 +577,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                        sch->qstats.drops++;
                        cl->qstats.drops++;
                }
-               return NET_XMIT_DROP;
+               return ret;
        } else {
                cl->bstats.packets +=
                        skb_is_gso(skb)?skb_shinfo(skb)->gso_segs:1;
@@ -623,7 +623,7 @@ static int htb_requeue(struct sk_buff *skb, struct Qdisc *sch)
                        sch->qstats.drops++;
                        cl->qstats.drops++;
                }
-               return NET_XMIT_DROP;
+               return ret;
        } else
                htb_activate(q, cl);
 
index 7d3b7ff3bf07fbb1af0de7cab8a5056a37254937..94c61598b86ae1c0f52a23817f797a216b77492f 100644 (file)
@@ -123,15 +123,8 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc* sch)
        struct tbf_sched_data *q = qdisc_priv(sch);
        int ret;
 
-       if (qdisc_pkt_len(skb) > q->max_size) {
-               sch->qstats.drops++;
-#ifdef CONFIG_NET_CLS_ACT
-               if (sch->reshape_fail == NULL || sch->reshape_fail(skb, sch))
-#endif
-                       kfree_skb(skb);
-
-               return NET_XMIT_DROP;
-       }
+       if (qdisc_pkt_len(skb) > q->max_size)
+               return qdisc_reshape_fail(skb, sch);
 
        ret = qdisc_enqueue(skb, q->qdisc);
        if (ret != 0) {