Commit a6bd339d authored Apr 08, 2026 by Fernando Fernandez Mancera Committed by Jakub Kicinski Apr 12, 2026

net_sched: fix skb memory leak in deferred qdisc drops

When the network stack cleans up the deferred list via qdisc_run_end(),
it operates on the root qdisc. If the root qdisc do not implement the
TCQ_F_DEQUEUE_DROPS flag the packets queue to free are never freed and
gets stranded on the child's local to_free list.

Fix this by making qdisc_dequeue_drop() aware of the root qdisc. It
fetches the root qdisc and check for the TCQ_F_DEQUEUE_DROPS flag. If
the flag is present, the packet is appended directly to the root's
to_free list. Otherwise, drop it directly as it was done before the
optimization was implemented.

Fixes: a6efc273 ("net_sched: use qdisc_dequeue_drop() in cake, codel, fq_codel")
Reported-by: Damilola Bello <damilola@aterlo.com>
Closes: https://lore.kernel.org/netdev/CAPgFtOLaedBMU0f_BxV2bXftTJSmJr018Q5uozOo5vVo6b9tjw@mail.gmail.com/

Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260408100044.4530-1-fmancera@suse.de

Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 656121b1

include/net/sch_generic.h

+13 −3

Original line number	Diff line number	Diff line
		@@ -1170,12 +1170,22 @@ static inline void tcf_kfree_skb_list(struct sk_buff *skb)
		static inline void qdisc_dequeue_drop(struct Qdisc q, struct sk_buff skb,
		enum skb_drop_reason reason)
		{
		struct Qdisc *root;

		DEBUG_NET_WARN_ON_ONCE(!(q->flags & TCQ_F_DEQUEUE_DROPS));
		DEBUG_NET_WARN_ON_ONCE(q->flags & TCQ_F_NOLOCK);

		rcu_read_lock();
		root = qdisc_root_sleeping(q);

		if (root->flags & TCQ_F_DEQUEUE_DROPS) {
		tcf_set_drop_reason(skb, reason);
		skb->next = q->to_free;
		q->to_free = skb;
		skb->next = root->to_free;
		root->to_free = skb;
		} else {
		kfree_skb_reason(skb, reason);
		}
		rcu_read_unlock();
		}

		/* Instead of calling kfree_skb() while root qdisc lock is held,