net/sched: sch_hfsc: Ensure inner classes have fsc curve

commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f upstream.

HFSC assumes that inner classes have an fsc curve, but it is currently
possible for classes without an fsc curve to become parents. This leads
to bugs including a use-after-free.

Don't allow non-root classes without HFSC_FSC to become parents.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ v4.14: Delete NL_SET_ERR_MSG because extack is not added to hfsc_change_class ]
Signed-off-by: Shaoying Xu <shaoyi@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 3f88b75488b03275b152298bab0e66ea02298caa..3a43abe4d9c4cfbb3e8d59f96481b6bbd9b5e0df 100644 (file)
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1020,6 +1020,8 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
                if (parent == NULL)
                        return -ENOENT;
        }
+       if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root)
+               return -EINVAL;
 
        if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
                return -EINVAL;