)]}'
{
  "commit": "791f4c8fa4649670d70587cf60248cd892be9410",
  "tree": "f6e2000dac63c1e6553e6119c967b3bd5e51b3b6",
  "parents": [
    "5cf53cb63bc67c7077352a62c151e8cd417dfdbb"
  ],
  "author": {
    "name": "Cong Wang",
    "email": "xiyou.wangcong@gmail.com",
    "time": "Thu Apr 17 11:47:30 2025 -0700"
  },
  "committer": {
    "name": "Anil Altinay",
    "email": "aaltinay@google.com",
    "time": "Mon May 05 16:21:23 2025 -0700"
  },
  "message": "net_sched: hfsc: Fix a UAF vulnerability in class handling\n\n[ Upstream commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c ]\n\nThis patch fixes a Use-After-Free vulnerability in the HFSC qdisc class\nhandling. The issue occurs due to a time-of-check/time-of-use condition\nin hfsc_change_class() when working with certain child qdiscs like netem\nor codel.\n\nThe vulnerability works as follows:\n1. hfsc_change_class() checks if a class has packets (q.qlen !\u003d 0)\n2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,\n   codel, netem) might drop packets and empty the queue\n3. The code continues assuming the queue is still non-empty, adding\n   the class to vttree\n4. This breaks HFSC scheduler assumptions that only non-empty classes\n   are in vttree\n5. Later, when the class is destroyed, this can lead to a Use-After-Free\n\nThe fix adds a second queue length check after qdisc_peek_len() to verify\nthe queue wasn\u0027t emptied.\n\nBUG\u003db/414271136\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed KCTF-3df275e in the Linux kernel.\n\ncos-patch: security-high\nFixes: 21f4d5cc25ec (\"net_sched/hfsc: fix curve activation in hfsc_change_class()\")\nReported-by: Gerrard Tai \u003cgerrard.tai@starlabs.sg\u003e\nReviewed-by: Konstantin Khlebnikov \u003ckoct9i@gmail.com\u003e\nChange-Id: Ib11970752bd4cde7e2ae58997b929d6b921cad31\nSigned-off-by: Cong Wang \u003cxiyou.wangcong@gmail.com\u003e\nReviewed-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nLink: https://patch.msgid.link/20250417184732.943057-2-xiyou.wangcong@gmail.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/101602\nReviewed-by: Michael Kochera \u003ckochera@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Anil Altinay \u003caaltinay@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "880c5f16b29ccf322f2308450aac4c6f130a2472",
      "old_mode": 33188,
      "old_path": "net/sched/sch_hfsc.c",
      "new_id": "90801b6fe2b08803ad06fb5b8ee6314bb043a394",
      "new_mode": 33188,
      "new_path": "net/sched/sch_hfsc.c"
    }
  ]
}