Commit 6ccbda44 authored by Cong Wang, committed by Jakub Kicinski

net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too



Similarly to the previous patch, we need to safeguard hfsc_dequeue()
too. But for this one, we don't have a reliable reproducer.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250417184732.943057-3-xiyou.wangcong@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent 3df275ef
+10 −4
@@ -1641,10 +1641,16 @@ hfsc_dequeue(struct Qdisc *sch)
		if (cl->qdisc->q.qlen != 0) {
			/* update ed */
			next_len = qdisc_peek_len(cl->qdisc);
			/* Check queue length again since some qdisc implementations
			 * (e.g., netem/codel) might empty the queue during the peek
			 * operation.
			 */
			if (cl->qdisc->q.qlen != 0) {
				if (realtime)
					update_ed(cl, next_len);
				else
					update_d(cl, next_len);
			}
		} else {
			/* the class becomes passive */
			eltree_remove(cl);
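
Review bot: The inner `if (cl->qdisc->q.qlen != 0)` re-check leaves the "peek emptied the queue" case unhandled: neither update_ed()/update_d() runs, nor does the else branch's eltree_remove(cl), because that else pairs with the outer check. Please either say in the comment what makes the class passive in that case, or give the inner check its own else that takes the same passive path. Since the commit message notes there is no reliable reproducer, a sentence on why skipping the update is sufficient here would also help later readers of this function.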