I'm trying to make some further progress on this because it
has been sitting for too long.
What I want to do at this point is fix the most obvious
problems in order to fix those crashes that were reported,
and do it in such a way that an easy 2.6.26-stable backport
is there too.
After a first pass, just trying to sort out the worst cases,
I came up with TBF and HTB that needed immediate fixes.
HTB's case has been discussed to death before, and my current
fix is greatly simplified from my original patch. I misread
the logic and only that inner code block to the ->enqueue()
and ->requeue() calls need to ensure proper return value
propagation. I moved all kinds of things around for no good
reason in my original patch.
TBF is just a case of an improperly open-coded implementation
of qdisc_reshape_fail() which corrupts the return value.
First the net-2.6 version then the version intended for
2.6.26-stable submission:
-------------------- net-2.6 --------------------
pkt_sched: Fix return value corruption in HTB and TBF.
Packet schedulers should only return NET_XMIT_DROP iff
the packet really was dropped. If the packet does reach
the device after we return NET_XMIT_DROP then TCP can
crash because it depends upon the enqueue path return
values being accurate.
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 6febd24..0df0df2 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -577,7 +577,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch)
sch->qstats.drops++;
cl->qstats.drops++;
}
- return NET_XMIT_DROP;
+ return ret;
} else {
cl->bstats.packets +=
skb_is_gso(skb)?skb_shinfo(skb)->gso_segs:1;
@@ -623,7 +623,7 @@ static int htb_requeue(struct sk_buff *skb, struct Qdisc *sch)
sch->qstats.drops++;
cl->qstats.drops++;
}
- return NET_XMIT_DROP;
+ return ret;
} else
htb_activate(q, cl);
diff --git a/net/sched/sch_tbf.c ...
