net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too

jira LE-4321
cve CVE-2025-37797
Rebuild_History Non-Buildable kernel-4.18.0-553.77.1.el8_10
commit-author Cong Wang <[email protected]>
commit 6ccbda4

Similarly to the previous patch, we need to safe guard hfsc_dequeue()
too. But for this one, we don't have a reliable reproducer.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: Gerrard Tai <[email protected]>
	Signed-off-by: Cong Wang <[email protected]>
	Reviewed-by: Jamal Hadi Salim <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 6ccbda4)
	Signed-off-by: Jonathan Maple <[email protected]>

Author: PlaidCat

net/sched/sch_hfsc.c

@@ -1647,10 +1647,16 @@ hfsc_dequeue(struct Qdisc *sch)
 		if (cl->qdisc->q.qlen != 0) {
 			/* update ed */
 			next_len = qdisc_peek_len(cl->qdisc);
-			if (realtime)
-				update_ed(cl, next_len);
-			else
-				update_d(cl, next_len);
+			/* Check queue length again since some qdisc implementations
+			 * (e.g., netem/codel) might empty the queue during the peek
+			 * operation.
+			 */
+			if (cl->qdisc->q.qlen != 0) {
+				if (realtime)
+					update_ed(cl, next_len);
+				else
+					update_d(cl, next_len);
+			}
 		} else {
 			/* the class becomes passive */
 			eltree_remove(cl);