Commit 6ccbda44e2cc for kernel

commit 6ccbda44e2cc3d26fd22af54c650d6d5d801addf
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Thu Apr 17 11:47:31 2025 -0700

    net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too

    Similarly to the previous patch, we need to safe guard hfsc_dequeue()
    too. But for this one, we don't have a reliable reproducer.

    Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
    Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Link: https://patch.msgid.link/20250417184732.943057-3-xiyou.wangcong@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index b368ac0595d5..6c8ef826cec0 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1641,10 +1641,16 @@ hfsc_dequeue(struct Qdisc *sch)
 		if (cl->qdisc->q.qlen != 0) {
 			/* update ed */
 			next_len = qdisc_peek_len(cl->qdisc);
-			if (realtime)
-				update_ed(cl, next_len);
-			else
-				update_d(cl, next_len);
+			/* Check queue length again since some qdisc implementations
+			 * (e.g., netem/codel) might empty the queue during the peek
+			 * operation.
+			 */
+			if (cl->qdisc->q.qlen != 0) {
+				if (realtime)
+					update_ed(cl, next_len);
+				else
+					update_d(cl, next_len);
+			}
 		} else {
 			/* the class becomes passive */
 			eltree_remove(cl);