net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class

PlaidCat · PlaidCat · commit 9a068aa4ddce · 2025-09-18T16:13:34.000-04:00
jira VULN-89289 jira VULN-89290 cve-bf CVE-2025-38477 commit-author Xiang Mei <xmei5@asu.edu> commit cf074ec might_sleep could be trigger in the atomic context in qfq_delete_class. qfq_destroy_class was moved into atomic context locked by sch_tree_lock to avoid a race condition bug on qfq_aggregate. However, might_sleep could be triggered by qfq_destroy_class, which introduced sleeping in atomic context (path: qfq_destroy_class->qdisc_put->__qdisc_destroy->lockdep_unregister_key ->might_sleep). Considering the race is on the qfq_aggregate objects, keeping qfq_rm_from_agg in the lock but moving the left part out can solve this issue. Fixes: 5e28d5a ("net/sched: sch_qfq: Fix race condition on qfq_aggregate") Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/4a04e0cc-a64b-44e7-9213-2880ed641d77@sabinyo.mountain Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://patch.msgid.link/20250717230128.159766-1-xmei5@asu.edu Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit cf074ec) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
@@ -537,9 +537,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 
 static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
 {
-	struct qfq_sched *q = qdisc_priv(sch);
-
-	qfq_rm_from_agg(q, cl);
 	gen_kill_estimator(&cl->rate_est);
 	qdisc_put(cl->qdisc);
 	kfree(cl);
@@ -558,10 +555,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg,
 
 	qdisc_purge_queue(cl->qdisc);
 	qdisc_class_hash_remove(&q->clhash, &cl->common);
-	qfq_destroy_class(sch, cl);
+	qfq_rm_from_agg(q, cl);
 
 	sch_tree_unlock(sch);
 
+	qfq_destroy_class(sch, cl);
 	return 0;
 }
 
@@ -1502,6 +1500,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)
 	for (i = 0; i < q->clhash.hashsize; i++) {
 		hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],
 					  common.hnode) {
+			qfq_rm_from_agg(q, cl);
 			qfq_destroy_class(sch, cl);
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -537,9 +537,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,`
`537`	`537`
`538`	`538`	`static void qfq_destroy_class(struct Qdisc sch, struct qfq_class cl)`
`539`	`539`	`{`
`540`		`- struct qfq_sched *q = qdisc_priv(sch);`
`541`		`-`
`542`		`- qfq_rm_from_agg(q, cl);`
`543`	`540`	`gen_kill_estimator(&cl->rate_est);`
`544`	`541`	`qdisc_put(cl->qdisc);`
`545`	`542`	`kfree(cl);`
`@@ -558,10 +555,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg,`
`558`	`555`
`559`	`556`	`qdisc_purge_queue(cl->qdisc);`
`560`	`557`	`qdisc_class_hash_remove(&q->clhash, &cl->common);`
`561`		`- qfq_destroy_class(sch, cl);`
	`558`	`+ qfq_rm_from_agg(q, cl);`
`562`	`559`
`563`	`560`	`sch_tree_unlock(sch);`
`564`	`561`
	`562`	`+ qfq_destroy_class(sch, cl);`
`565`	`563`	`return 0;`
`566`	`564`	`}`
`567`	`565`
`@@ -1502,6 +1500,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)`
`1502`	`1500`	`for (i = 0; i < q->clhash.hashsize; i++) {`
`1503`	`1501`	`hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],`
`1504`	`1502`	`common.hnode) {`
	`1503`	`+ qfq_rm_from_agg(q, cl);`
`1505`	`1504`	`qfq_destroy_class(sch, cl);`
`1506`	`1505`	`}`
`1507`	`1506`	`}`