PT-2026-29720 · Linux · Linux
Published 2026-04-02 · Updated 2026-04-02 · CVE-2026-23413
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
clsact: Fix use-after-free in init/destroy rollback asymmetry
Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
The latter is achieved by first fully initializing a clsact instance, and
then in a second step having a replacement failure for the new clsact qdisc
instance. clsact_init() initializes ingress first and then takes care of the
egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
failure, the kernel will trigger the clsact_destroy() callback.
Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
ends up failing, we took the tcx_miniq_inc reference count on the ingress
side, but not yet on the egress side. clsact_destroy() tests whether the
{ingress,egress} entry was non-NULL. However, even in midway failure on the
replacement, both are in fact non-NULL with a valid egress entry from the
previous clsact instance.
What we really need to test for is whether the qdisc instance-specific ingress
or egress side previously got initialized. This adds a small helper for checking
the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
clsact_destroy() in order to fix the use-after-free scenario. Convert the
ingress_destroy() side as well so both are consistent to each other.
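
The rollback asymmetry described above, reduced to a userspace C model as an added example (not kernel code and not taken from the fix commit). The struct and function names are hypothetical; only the init order and the two destroy-side checks follow the description.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified userspace model; all names here are hypothetical, not kernel code. */
struct entry { int miniq_refs; };   /* per-device entry shared across instances */
struct side  { bool inited; };      /* per-instance state for one direction */
struct clsact { struct side ingress, egress; };

static void side_init(struct side *s, struct entry *e)
{
    s->inited = true;               /* instance-specific marker */
    e->miniq_refs++;                /* models tcx_miniq_inc() */
}

/* Ingress first, then egress. fail_midway models tcf_block_get_ext()
 * failing after the ingress reference was taken. */
static int model_init(struct clsact *q, struct entry *in, struct entry *eg, bool fail_midway)
{
    side_init(&q->ingress, in);
    if (fail_midway) return -1;
    side_init(&q->egress, eg);
    return 0;
}

/* fixed == false: test only that the device entry is non-NULL (the flaw).
 * fixed == true: also require that this instance initialized the side. */
static void model_destroy(struct clsact *q, struct entry *in, struct entry *eg, bool fixed)
{
    if (in && (!fixed || q->ingress.inited))
        in->miniq_refs--;
    if (eg && (!fixed || q->egress.inited))
        eg->miniq_refs--;
}

/* Egress refcount after a full init, then a replacement that fails midway and is rolled back. */
static int egress_refs_after_failed_replace(bool fixed)
{
    struct entry in = {0}, eg = {0};
    struct clsact old = {0}, repl = {0};
    model_init(&old, &in, &eg, false);
    if (model_init(&repl, &in, &eg, true) != 0)
        model_destroy(&repl, &in, &eg, fixed);
    return eg.miniq_refs;   /* 0: the entry the old instance still uses would be freed */
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", egress_refs_after_failed_replace(false), egress_refs_after_failed_replace(true));
    return 0;
}
```

With the non-NULL test alone, the rollback drops the egress reference that belongs to the previous instance; with the per-instance check, that reference is left in place.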
Related Identifiers
Affected Products
Linux