CVE-2026-23413

In the Linux kernel, the following vulnerability has been resolved:

clsact: Fix use-after-free in init/destroy rollback asymmetry

Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and then in a second step having a replacement failure for the new clsact qdisc instance. clsactinit() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcfblockgetext(). Upon failure, the kernel will trigger the clsact_destroy() callback.

Commit 1cb6f0bae504 ("bpf: Fix too early release of tcxentry") details the way how the transition is happening. If tcfblockgetext on the q->ingressblock ends up failing, we took the tcxminiqinc reference count on the ingress side, but not yet on the egress side. clsactdestroy() tests whether the {ingress,egress}entry was non-NULL. However, even in midway failure on the replacement, both are in fact non-NULL with a valid egressentry from the previous clsact instance.

What we really need to test for is whether the qdisc instance-specific ingress or egress side previously got initialized. This adds a small helper for checking the miniq initialization called miniqdiscpairinited, and utilizes that upon clsactdestroy() in order to fix the use-after-free scenario. Convert the ingress_destroy() side as well so both are consistent to each other.