eeepc-laptop: fix use after free

[linux-2.6] / net / sched / sch_netem.c

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 13c4821e42b8f04f0a730b7e079e9d392648963d..fb0294d0b55e6e71ed87c9b7e1206e755ad5561b 100644 (file)
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -84,8 +84,9 @@ struct netem_skb_cb {
 
 static inline struct netem_skb_cb *netem_skb_cb(struct sk_buff *skb)
 {
-       BUILD_BUG_ON(sizeof(skb->cb) < sizeof(struct netem_skb_cb));
-       return (struct netem_skb_cb *)skb->cb;
+       BUILD_BUG_ON(sizeof(skb->cb) <
+               sizeof(struct qdisc_skb_cb) + sizeof(struct netem_skb_cb));
+       return (struct netem_skb_cb *)qdisc_skb_cb(skb)->data;
 }
 
 /* init_crandom - initialize correlated random number generator
@@ -175,7 +176,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        if (count == 0) {
                sch->qstats.drops++;
                kfree_skb(skb);
-               return NET_XMIT_BYPASS;
+               return NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
        }
 
        skb_orphan(skb);
@@ -237,10 +238,11 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 
        if (likely(ret == NET_XMIT_SUCCESS)) {
                sch->q.qlen++;
-               sch->bstats.bytes += skb->len;
+               sch->bstats.bytes += qdisc_pkt_len(skb);
                sch->bstats.packets++;
-       } else
+       } else if (net_xmit_drop_count(ret)) {
                sch->qstats.drops++;
+       }
 
        pr_debug("netem: enqueue ret %d\n", ret);
        return ret;
@@ -481,8 +483,8 @@ static int tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
 
                __skb_queue_after(list, skb, nskb);
 
-               sch->qstats.backlog += nskb->len;
-               sch->bstats.bytes += nskb->len;
+               sch->qstats.backlog += qdisc_pkt_len(nskb);
+               sch->bstats.bytes += qdisc_pkt_len(nskb);
                sch->bstats.packets++;
 
                return NET_XMIT_SUCCESS;