Re: [PATCH 1/2] net/sched: sch_taprio: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Next message: Daniel Palmer: "[no subject]"
Previous message: Krishnamoorthy, Saravanakrishnan: "Re: [PATCH 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub"
In reply to: Bryam Vargas via B4 Relay: "[PATCH 1/2] net/sched: sch_taprio: Replace direct dequeue call with peek and qdisc_dequeue_peeked"
Next in thread: Jamal Hadi Salim: "Re: [PATCH 1/2] net/sched: sch_taprio: Replace direct dequeue call with peek and qdisc_dequeue_peeked"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Victor Nogueira

Date: Fri Jun 26 2026 - 13:17:15 EST

On 25/06/2026 06:51, Bryam Vargas via B4 Relay wrote:

From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>

When taprio's software path peeks a non-work-conserving child qdisc, the
child stashes the peeked skb in its gso_skb; taprio_dequeue_from_txq()
then takes the packet with a direct child ->dequeue() call, which ignores
that stash, orphans the peeked skb and desyncs the child's qlen/backlog.
With a qfq child this re-enters the child on an emptied list and
dereferences NULL, panicking the kernel from softirq on ordinary egress.

Take the packet through qdisc_dequeue_peeked(), as sch_red and sch_sfb
now do. The helper returns the child's stashed skb first and is a no-op
when there is none, so a work-conserving child is unaffected and the
gated path now consumes the skb whose length was charged to the budget.

Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
Cc: stable@xxxxxxxxxxxxxxx
Cc: Vladimir Oltean <vladimir.oltean@xxxxxxx>
Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>

Reviewed-by: Victor Nogueira <victor@xxxxxxxxxxxx>