[SRU Lunar, Jammy, OEM-6.1, Focal 1/1] net/sched: sch_hfsc: Ensure inner classes have fsc curve

[Thadeu Lima de Souza Cascardo]

From: Budimir Markovic <markovicbudimir at gmail.com>

HFSC assumes that inner classes have an fsc curve, but it is currently
possible for classes without an fsc curve to become parents. This leads
to bugs including a use-after-free.

Don't allow non-root classes without HFSC_FSC to become parents.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Budimir Markovic <markovicbudimir at gmail.com>
Signed-off-by: Budimir Markovic <markovicbudimir at gmail.com>
Acked-by: Jamal Hadi Salim <jhs at mojatatu.com>
Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
(cherry picked from commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f)
CVE-2023-4623
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 net/sched/sch_hfsc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 92ad4115e473..2af4adb7e84e 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1012,6 +1012,10 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 		if (parent == NULL)
 			return -ENOENT;
 	}
+	if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) {
+		NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC");
+		return -EINVAL;
+	}
 
 	if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
 		return -EINVAL;
-- 
2.34.1