Commit 36b7bfe0 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

netem: fix possible NULL deref in netem_dequeue()

commit aec0a40a ("netem: use rb tree to implement the time queue")
added a regression if a child qdisc is attached to netem, as we perform
a NULL dereference.

Fix this by adding a temporary variable to cache
netem_skb_cb(skb)->time_to_send.
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9eb5bf83
...@@ -554,10 +554,13 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) ...@@ -554,10 +554,13 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
} }
p = rb_first(&q->t_root); p = rb_first(&q->t_root);
if (p) { if (p) {
psched_time_t time_to_send;
skb = netem_rb_to_skb(p); skb = netem_rb_to_skb(p);
/* if more time remaining? */ /* if more time remaining? */
if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) { time_to_send = netem_skb_cb(skb)->time_to_send;
if (time_to_send <= psched_get_time()) {
rb_erase(p, &q->t_root); rb_erase(p, &q->t_root);
sch->q.qlen--; sch->q.qlen--;
...@@ -593,8 +596,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) ...@@ -593,8 +596,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
if (skb) if (skb)
goto deliver; goto deliver;
} }
qdisc_watchdog_schedule(&q->watchdog, qdisc_watchdog_schedule(&q->watchdog, time_to_send);
netem_skb_cb(skb)->time_to_send);
} }
if (q->qdisc) { if (q->qdisc) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment