Re: [PATCH 1/2] net/sched: sch_taprio: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Next message: Paolo Bonzini: "[PATCH 5.15.y v2 2/8] KVM: x86/mmu: Stop passing &quot;direct&quot; to mmu_alloc_root()"
Previous message: Paolo Bonzini: "[PATCH 5.15.y v2 8/8] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level"
In reply to: Victor Nogueira: "Re: [PATCH 1/2] net/sched: sch_taprio: Replace direct dequeue call with peek and qdisc_dequeue_peeked"
Next in thread: Bryam Vargas via B4 Relay: "[PATCH 2/2] net/sched: sch_multiq: Replace direct dequeue call with peek and qdisc_dequeue_peeked"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jamal Hadi Salim

Date: Fri Jun 26 2026 - 13:48:18 EST

On Fri, Jun 26, 2026 at 1:16 PM Victor Nogueira <victor@xxxxxxxxxxxx> wrote:
>
> On 25/06/2026 06:51, Bryam Vargas via B4 Relay wrote:
> > From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
> >
> > When taprio's software path peeks a non-work-conserving child qdisc, the
> > child stashes the peeked skb in its gso_skb; taprio_dequeue_from_txq()
> > then takes the packet with a direct child ->dequeue() call, which ignores
> > that stash, orphans the peeked skb and desyncs the child's qlen/backlog.
> > With a qfq child this re-enters the child on an emptied list and
> > dereferences NULL, panicking the kernel from softirq on ordinary egress.
> >
> > Take the packet through qdisc_dequeue_peeked(), as sch_red and sch_sfb
> > now do. The helper returns the child's stashed skb first and is a no-op
> > when there is none, so a work-conserving child is unaffected and the
> > gated path now consumes the skb whose length was charged to the budget.
> >
> > Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Cc: Vladimir Oltean <vladimir.oltean@xxxxxxx>
> > Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>
> Reviewed-by: Victor Nogueira <victor@xxxxxxxxxxxx>

Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>

cheers,
jamal