net: sched: sch_multiq: fix possible OOB write in multiq_tune()

jira VULN-8976
cve CVE-2024-36978
commit-author Hangyu Hua <hbh25y@gmail.com>
commit affc18f

q->bands will be assigned to qopt->bands to execute subsequent code logic
after kmalloc. So the old q->bands should not be used in kmalloc.
Otherwise, an out-of-bounds write will occur.

Fixes: c2999f7 ("net: sched: multiq: don't call qdisc_put() while holding tree lock")
	Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
	Acked-by: Cong Wang <cong.wang@bytedance.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit affc18f)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: PlaidCat

net/sched/sch_multiq.c

@@ -197,7 +197,7 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt,
 
 	qopt->bands = qdisc_dev(sch)->real_num_tx_queues;
 
-	removed = kmalloc(sizeof(*removed) * (q->max_bands - q->bands),
+	removed = kmalloc(sizeof(*removed) * (q->max_bands - qopt->bands),
 			  GFP_KERNEL);
 	if (!removed)
 		return -ENOMEM;