net/sched: sch_qfq: do not free existing class in qfq_change_class()

Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Eric Dumazet <edumazet@google.com> 2026-01-12 17:56:56 +0000
committer: Jakub Kicinski <kuba@kernel.org> 2026-01-13 19:36:56 -0800
commit: 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 (patch)
tree: 3a2b6be3c3760571a030ebecd863448bb484396c
parent: dbe6b3138fb877a368917833f713bfbbb521045e (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index f4013b547438..9d59090bbe93 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -529,8 +529,10 @@ set_change_agg:
 	return 0;
 
 destroy_class:
-	qdisc_put(cl->qdisc);
-	kfree(cl);
+	if (!existing) {
+		qdisc_put(cl->qdisc);
+		kfree(cl);
+	}
 	return err;
 }
author	Eric Dumazet <edumazet@google.com>	2026-01-12 17:56:56 +0000
committer	Jakub Kicinski <kuba@kernel.org>	2026-01-13 19:36:56 -0800
commit	3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 (patch)
tree	3a2b6be3c3760571a030ebecd863448bb484396c
parent	dbe6b3138fb877a368917833f713bfbbb521045e (diff)