From: Eric Dumazet Date: Fri, 31 Dec 2010 20:48:55 +0000 (-0800) Subject: sfq: fix slot_dequeue_head() X-Git-Tag: firefly_0821_release~7613^2~3122^2~67 X-Git-Url: http://plrg.eecs.uci.edu/git/?a=commitdiff_plain;h=18c8d82ae5b802c5d82e0dfbcc08b1b568955f46;p=firefly-linux-kernel-4.4.55.git sfq: fix slot_dequeue_head() slot_dequeue_head() should make sure slot skb chain is correct in both ways, or we can crash if all possible flows are in use. Jarek pointed out slot_queue_init() can now be done in sfq_init() once, instead each time a flow is setup. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller --- diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c index b76d46b71466..d54ac94066c2 100644 --- a/net/sched/sch_sfq.c +++ b/net/sched/sch_sfq.c @@ -297,6 +297,7 @@ static inline struct sk_buff *slot_dequeue_head(struct sfq_slot *slot) struct sk_buff *skb = slot->skblist_next; slot->skblist_next = skb->next; + skb->next->prev = (struct sk_buff *)slot; skb->next = skb->prev = NULL; return skb; } @@ -380,7 +381,6 @@ sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch) q->ht[hash] = x; slot = &q->slots[x]; slot->hash = hash; - slot_queue_init(slot); } /* If selected queue has length q->limit, do simple tail drop, @@ -545,8 +545,10 @@ static int sfq_init(struct Qdisc *sch, struct nlattr *opt) return err; } - for (i = 0; i < SFQ_SLOTS; i++) + for (i = 0; i < SFQ_SLOTS; i++) { + slot_queue_init(&q->slots[i]); sfq_link(q, i); + } return 0; }