Commit 3879cffd authored by Eric Dumazet, committed by Jakub Kicinski

net/sched: sch_qfq: do not free existing class in qfq_change_class()



Fixes qfq_change_class() error case.

cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.

Fixes: 462dbc91 ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Reported-by: <syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u


Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent dbe6b313
+4 −2
@@ -529,8 +529,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
	return 0;

destroy_class:
	if (!existing) {
		qdisc_put(cl->qdisc);
		kfree(cl);
	}
	return err;
}
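Review bot: at the destroy_class label, the `if (!existing)` guard is only as safe as the value of `existing` on every path that reaches it, and neither its declaration nor its assignment is visible in this hunk. Please confirm it starts out false and becomes true only when the function is modifying a class that was already there, so that no early `goto destroy_class` sees a stale value. A one-line comment above the guard stating that `cl` and `cl->qdisc` are released here only when they were allocated by this call would keep a later refactor from reintroducing the unconditional `qdisc_put(cl->qdisc); kfree(cl);` that the commit message ties to the UAF reports.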