net/sched: sch_qfq: Fix race condition on qfq_aggregate
[Upstream commit 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64]
A race condition can occur when 'agg' is modified in qfq_change_agg
(called during qfq_enqueue) while other threads access it
concurrently. For example, qfq_dump_class may trigger a NULL
dereference, and qfq_delete_class may cause a use-after-free.
This patch addresses the issue by:
1. Moved qfq_destroy_class into the critical section.
2. Added sch_tree_lock protection to qfq_dump_class and
qfq_dump_class_stats.
BUG=b/433107803
TEST=presubmit
RELEASE_NOTE=None
Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
cos-patch: security-high
Change-Id: Ibfb7bbdd70d2d5c358da50c67492c6c29d5fb67c
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/107380
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Kevin Berry <kpberry@google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/107403
1 file changed
