git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Victor Nogueira <victor@mojatatu.com>
	Fri, 25 Apr 2025 22:07:06 +0000 (19:07 -0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 9 May 2025 07:39:38 +0000 (09:39 +0200)
commit	e3e949a39a91d1f829a4890e7dfe9417ac72e4d0
tree	a9bfdf71ea111b1d67ecd73c3cbf657283c9ec27	tree
parent	2968632880f1792007eedd12eeedf7f6e2b7e9f3	commit \| diff

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

[ Upstream commit 141d34391abbb315d68556b7c67ad97885407547 ]

As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).

This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Fixes: 37d9cf1a3ce3 ("sched: Fix detection of empty queues in child qdiscs")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20250425220710.3964791-3-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>