sch_hfsc: fix null pointer deref and double free on init failure

Depending on where ->init fails we can get a null pointer deref due to
uninitialized hires timer (watchdog) or a double free of the qdisc hash
because it is already freed by ->destroy().

Fixes: 8d5537387505 ("net/sched/hfsc: allocate tcf block for hfsc root class")
Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 3 insertions, 7 deletions

diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index fd15200f8627..11ab8dace901 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1418,6 +1418,8 @@ hfsc_init_qdisc(struct Qdisc *sch, struct nlattr *opt)
         struct tc_hfsc_qopt *qopt;
         int err;
 
+        qdisc_watchdog_init(&q->watchdog, sch);
+
         if (opt == NULL || nla_len(opt) < sizeof(*qopt))
                 return -EINVAL;
         qopt = nla_data(opt);
@@ -1430,7 +1432,7 @@ hfsc_init_qdisc(struct Qdisc *sch, struct nlattr *opt)
 
         err = tcf_block_get(&q->root.block, &q->root.filter_list);
         if (err)
-                goto err_tcf;
+                return err;
 
         q->root.cl_common.classid = sch->handle;
         q->root.refcnt  = 1;
@@ -1448,13 +1450,7 @@ hfsc_init_qdisc(struct Qdisc *sch, struct nlattr *opt)
         qdisc_class_hash_insert(&q->clhash, &q->root.cl_common);
         qdisc_class_hash_grow(sch, &q->clhash);
 
-        qdisc_watchdog_init(&q->watchdog, sch);
-
         return 0;
-
-err_tcf:
-        qdisc_class_hash_destroy(&q->clhash);
-        return err;
 }
 
 static int