net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class

bmastbergen · bmastbergen · commit d4221b3b026e · 2025-10-06T09:29:23.000-04:00
jira VULN-89287 cve-bf CVE-2025-38477 commit-author Xiang Mei <xmei5@asu.edu> commit cf074ec might_sleep could be trigger in the atomic context in qfq_delete_class. qfq_destroy_class was moved into atomic context locked by sch_tree_lock to avoid a race condition bug on qfq_aggregate. However, might_sleep could be triggered by qfq_destroy_class, which introduced sleeping in atomic context (path: qfq_destroy_class->qdisc_put->__qdisc_destroy->lockdep_unregister_key ->might_sleep). Considering the race is on the qfq_aggregate objects, keeping qfq_rm_from_agg in the lock but moving the left part out can solve this issue. Fixes: 5e28d5a ("net/sched: sch_qfq: Fix race condition on qfq_aggregate") Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/4a04e0cc-a64b-44e7-9213-2880ed641d77@sabinyo.mountain Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://patch.msgid.link/20250717230128.159766-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit cf074ec) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
@@ -541,9 +541,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 
 static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
 {
-	struct qfq_sched *q = qdisc_priv(sch);
-
-	qfq_rm_from_agg(q, cl);
 	gen_kill_estimator(&cl->rate_est);
 	qdisc_destroy(cl->qdisc);
 	kfree(cl);
@@ -561,10 +558,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg)
 
 	qfq_purge_queue(cl);
 	qdisc_class_hash_remove(&q->clhash, &cl->common);
-	qfq_destroy_class(sch, cl);
+	qfq_rm_from_agg(q, cl);
 
 	sch_tree_unlock(sch);
 
+	qfq_destroy_class(sch, cl);
 	return 0;
 }
 
@@ -1511,6 +1509,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)
 	for (i = 0; i < q->clhash.hashsize; i++) {
 		hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],
 					  common.hnode) {
+			qfq_rm_from_agg(q, cl);
 			qfq_destroy_class(sch, cl);
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -541,9 +541,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,`
`541`	`541`
`542`	`542`	`static void qfq_destroy_class(struct Qdisc sch, struct qfq_class cl)`
`543`	`543`	`{`
`544`		`- struct qfq_sched *q = qdisc_priv(sch);`
`545`		`-`
`546`		`- qfq_rm_from_agg(q, cl);`
`547`	`544`	`gen_kill_estimator(&cl->rate_est);`
`548`	`545`	`qdisc_destroy(cl->qdisc);`
`549`	`546`	`kfree(cl);`
`@@ -561,10 +558,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg)`
`561`	`558`
`562`	`559`	`qfq_purge_queue(cl);`
`563`	`560`	`qdisc_class_hash_remove(&q->clhash, &cl->common);`
`564`		`- qfq_destroy_class(sch, cl);`
	`561`	`+ qfq_rm_from_agg(q, cl);`
`565`	`562`
`566`	`563`	`sch_tree_unlock(sch);`
`567`	`564`
	`565`	`+ qfq_destroy_class(sch, cl);`
`568`	`566`	`return 0;`
`569`	`567`	`}`
`570`	`568`
`@@ -1511,6 +1509,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)`
`1511`	`1509`	`for (i = 0; i < q->clhash.hashsize; i++) {`
`1512`	`1510`	`hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],`
`1513`	`1511`	`common.hnode) {`
	`1512`	`+ qfq_rm_from_agg(q, cl);`
`1514`	`1513`	`qfq_destroy_class(sch, cl);`
`1515`	`1514`	`}`
`1516`	`1515`	`}`