Re: [PATCH 2/2] net/sched: sch_multiq: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Next message: Paolo Bonzini: "[PATCH 5.15.y v2 4/8] KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes"
Previous message: Paolo Bonzini: "[PATCH 5.15.y v2 2/8] KVM: x86/mmu: Stop passing &quot;direct&quot; to mmu_alloc_root()"
In reply to: Victor Nogueira: "Re: [PATCH 2/2] net/sched: sch_multiq: Replace direct dequeue call with peek and qdisc_dequeue_peeked"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH 0/2] net/sched: finish the qdisc_dequeue_peeked conversion (taprio, multiq)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jamal Hadi Salim

Date: Fri Jun 26 2026 - 13:48:59 EST

On Fri, Jun 26, 2026 at 1:18 PM Victor Nogueira <victor@xxxxxxxxxxxx> wrote:
>
> On 25/06/2026 06:51, Bryam Vargas via B4 Relay wrote:
> > From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
> >
> > multiq_dequeue() takes a packet from a band's child with a direct
> > ->dequeue() call after multiq_peek() peeked it. When the child is
> > non-work-conserving the peek stashes the skb in the child's gso_skb, so
> > the direct dequeue returns a different skb and orphans the stash,
> > desyncing the child's qlen/backlog. With a qfq child reached through a
> > peeking parent (e.g. tbf) this re-enters the child on an emptied list and
> > dereferences NULL, panicking the kernel from softirq on ordinary egress.
> >
> > Take the packet through qdisc_dequeue_peeked(), as sch_prio already does
> > and as sch_red and sch_sfb were just fixed to do. The helper is a no-op
> > when the child has no stash, so a work-conserving child is unaffected.
> >
> > Fixes: 77be155cba4e ("pkt_sched: Add peek emulation for non-work-conserving qdiscs.")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>
> Reviewed-by: Victor Nogueira <victor@xxxxxxxxxxxx>

Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>

cheers,
jamal