Is current INET_ECN_set_ce() safe with cloned skb?

Is current INET_ECN_set_ce() safe with cloned skb?

[Stephen Hemminger]

While doing changes to netem, Sashiko flagged that INET_ECN_set_ce is not
safe on a cloned skb. This wasn't something that was in any of the patches
it was a "drive by" in the review.

But it got me thinking it may have found a pre-existing bug.
The function INET_ECN_set_ce() modifies the skb to set ECN;
but skb is likely a clone from TCP. So modifying the IP header
to set ECN will modify the version that TCP is holding as well.

The same pattern applies to cake, choke, dualpi2, fq, fq_pie, gred,
pie, red, sfb, sfq. I.e all the qdisc that do ECN.

Is this a real bug? Is TCP just working around it?

BPF is already has fix for this but qdisc usage does not.

Re: Is current INET_ECN_set_ce() safe with cloned skb?

[Eric Dumazet]

On Sat, May 9, 2026 at 10:01 AM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> While doing changes to netem, Sashiko flagged that INET_ECN_set_ce is not
> safe on a cloned skb. This wasn't something that was in any of the patches
> it was a "drive by" in the review.
>
> But it got me thinking it may have found a pre-existing bug.
> The function INET_ECN_set_ce() modifies the skb to set ECN;
> but skb is likely a clone from TCP. So modifying the IP header
> to set ECN will modify the version that TCP is holding as well.
>
> The same pattern applies to cake, choke, dualpi2, fq, fq_pie, gred,
> pie, red, sfb, sfq. I.e all the qdisc that do ECN.
>
> Is this a real bug? Is TCP just working around it?
>
> BPF is already has fix for this but qdisc usage does not.

TCP does not care, all headers can be changed freely by lower layers.