PT-2026-51905 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-53011
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

In advance_sched(), when should_change_schedules() returns true,
switch_schedules() is called to promote the admin schedule to oper.
switch_schedules() queues the old oper schedule for RCU freeing via
call_rcu(), but 'next' still points into an entry of the old oper
schedule. The subsequent 'next->end_time = end_time' and
rcu_assign_pointer(q->current_entry, next) are use-after-free.

Fix this by selecting 'next' from the new oper schedule immediately
after switch_schedules(), and using its pre-calculated end_time.
setup_first_end_time() sets the first entry's end_time to
base_time + interval when the schedule is installed, so the value
is already correct.

The deleted 'end_time = sched_base_time(admin)' assignment was also
harmful independently: it would overwrite the new first entry's
pre-calculated end_time with just base_time.
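
The ordering problem described above, as a user-space C model added here for illustration (it is not the kernel patch or kernel code): it contrasts the pre-fix ordering with the fixed one and shows what the deleted assignment does to the new first entry's end time. The struct layout, the `retired` flag standing in for `call_rcu()`, the `owner` back pointer, and the `advance()` and `run_case()` helpers are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* User-space model of the advisory's logic; struct layout is assumed. */
struct entry { int64_t interval, end_time; struct sched *owner; };
struct sched { int64_t base_time; bool retired; struct entry e[2]; };
struct qdisc { struct sched *oper, *admin; struct entry *current_entry; };
/* On install: first entry's end_time = base_time + interval. */
static void setup_first_end_time(struct sched *s) {
    s->e[0].owner = s->e[1].owner = s;   /* model-only back pointer */
    s->e[0].end_time = s->base_time + s->e[0].interval;
}

/* Promote admin to oper; 'retired' stands in for call_rcu() (nothing is freed). */
static void switch_schedules(struct qdisc *q) {
    q->oper->retired = true;
    q->oper = q->admin;
    q->admin = NULL;
}

/* Schedule-switch branch of advance_sched(). fixed=false is the pre-fix order;
 * keep_assign=true keeps the deleted 'end_time = base_time' assignment. */
static struct entry *advance(struct qdisc *q, struct entry *next,
                             bool fixed, bool keep_assign) {
    int64_t end_time = next->end_time;
    if (q->admin) {                              /* should_change_schedules() */
        if (keep_assign) end_time = q->admin->base_time;
        switch_schedules(q);
        if (fixed) next = &q->oper->e[0];        /* reselect from new oper */
        if (fixed && !keep_assign) end_time = next->end_time; /* pre-calculated */
    }
    next->end_time = end_time;  /* pre-fix: lands in the retired schedule */
    q->current_entry = next;    /* pre-fix: publishes the stale pointer */
    return next;
}

/* Constructed case. Returns -1 if the published entry is retired, else its end_time. */
static long long run_case(bool fixed, bool keep_assign) {
    struct sched oper = { .base_time = 0 }, admin = { .base_time = 1000 };
    struct qdisc q = { &oper, &admin, NULL };
    oper.e[0].interval = admin.e[0].interval = 300;
    setup_first_end_time(&oper);
    setup_first_end_time(&admin);
    struct entry *cur = advance(&q, &oper.e[1], fixed, keep_assign);
    return cur->owner->retired ? -1 : (long long)cur->end_time;
}

int main(void) {
    printf("%lld %lld %lld\n", run_case(false, true), run_case(true, false), run_case(true, true));
}
```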
Affected Products
Linux