net/sched: fix use-after-free in taprio_dev_notifier

jira VULN-71604
cve CVE-2025-38087
commit-author Hyunwoo Kim <[email protected]>
commit b160766

Since taprio’s taprio_dev_notifier() isn’t protected by an
RCU read-side critical section, a race with advance_sched()
can lead to a use-after-free.

Adding rcu_read_lock() inside taprio_dev_notifier() prevents this.

Fixes: fed87cc ("net/sched: taprio: automatically calculate queueMaxSDU based on TC gate durations")
	Cc: [email protected]
	Signed-off-by: Hyunwoo Kim <[email protected]>
	Reviewed-by: Simon Horman <[email protected]>
	Reviewed-by: Eric Dumazet <[email protected]>
Link: https://patch.msgid.link/aEzIYYxt0is9upYG@v4bel-B760M-AORUS-ELITE-AX
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit b160766)
	Signed-off-by: Marcin Wcisło <[email protected]>

Author: pvts-mat

net/sched/sch_taprio.c

@@ -1340,13 +1340,15 @@ static int taprio_dev_notifier(struct notifier_block *nb, unsigned long event,
 
 		stab = rtnl_dereference(q->root->stab);
 
-		oper = rtnl_dereference(q->oper_sched);
+		rcu_read_lock();
+		oper = rcu_dereference(q->oper_sched);
 		if (oper)
 			taprio_update_queue_max_sdu(q, oper, stab);
 
-		admin = rtnl_dereference(q->admin_sched);
+		admin = rcu_dereference(q->admin_sched);
 		if (admin)
 			taprio_update_queue_max_sdu(q, admin, stab);
+		rcu_read_unlock();
 
 		break;
 	}