From: Eric Dumazet <edumazet@google.com>
Date: Mon, 12 Jan 2026 17:56:56 +0000 (+0000)
Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
X-Git-Tag: v6.18.7~145
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e9d8f11652fa08c647bf7bba7dd8163241a332cd;p=thirdparty%2Fkernel%2Fstable.git

net/sched: sch_qfq: do not free existing class in qfq_change_class()

[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]

Fixes qfq_change_class() error case.

cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.

Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index a91a5bac8f737..9b16ad431028f 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -529,8 +529,10 @@ set_change_agg:
 	return 0;
 
 destroy_class:
-	qdisc_put(cl->qdisc);
-	kfree(cl);
+	if (!existing) {
+		qdisc_put(cl->qdisc);
+		kfree(cl);
+	}
 	return err;
 }