CVE-2026-23340

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
25/03/2026
Last modified:
23/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

When shrinking the number of real tx queues,
netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush
qdiscs for queues which will no longer be used.

qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with
qdisc_lock(). However, for lockless qdiscs, the dequeue path is
serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so
qdisc_reset() can run concurrently with __qdisc_run() and free skbs
while they are still being dequeued, leading to UAF.

This can easily be reproduced on e.g. virtio-net by imposing heavy
traffic while frequently changing the number of queue pairs:

    iperf3 -ub0 -c $peer -t 0 &
    while :; do
        ethtool -L eth0 combined 1
        ethtool -L eth0 combined 2
    done

With KASAN enabled, this leads to reports like:

    BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
    ...
    Call Trace:
    ...
    __qdisc_run+0x133f/0x1760
    __dev_queue_xmit+0x248f/0x3550
    ip_finish_output2+0xa42/0x2110
    ip_output+0x1a7/0x410
    ip_send_skb+0x2e6/0x480
    udp_send_skb+0xb0a/0x1590
    udp_sendmsg+0x13c9/0x1fc0
    ...

    Allocated by task 1270 on cpu 5 at 44.558414s:
    ...
    alloc_skb_with_frags+0x84/0x7c0
    sock_alloc_send_pskb+0x69a/0x830
    __ip_append_data+0x1b86/0x48c0
    ip_make_skb+0x1e8/0x2b0
    udp_sendmsg+0x13a6/0x1fc0
    ...

    Freed by task 1306 on cpu 3 at 44.558445s:
    ...
    kmem_cache_free+0x117/0x5e0
    pfifo_fast_reset+0x14d/0x580
    qdisc_reset+0x9e/0x5f0
    netif_set_real_num_tx_queues+0x303/0x840
    virtnet_set_channels+0x1bf/0x260 [virtio_net]
    ethnl_set_channels+0x684/0xae0
    ethnl_default_set_doit+0x31a/0x890
    ...

Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by
taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the
serialization model already used by dev_reset_queue().

Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state
reflects an empty queue, avoiding needless re-scheduling.
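
The locking mismatch described above, reduced to a deterministic userspace model in C. This is an added example, not kernel code and not the patch itself: struct model_qdisc, reset_attempt(), dequeue_sees_freed_skb() and the boolean fields are hypothetical stand-ins, and a failed try-lock stands for the spinning the kernel would do.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only; names are hypothetical stand-ins, not kernel structs. */
struct model_qdisc {
    atomic_flag root_lock; /* stands in for qdisc_lock() */
    atomic_flag seqlock;   /* stands in for qdisc->seqlock */
    bool nolock;           /* TCQ_F_NOLOCK */
    bool non_empty;        /* QDISC_STATE_NON_EMPTY */
    bool skb_live;         /* constructed: one queued skb, still allocated */
};

static bool try_lock(atomic_flag *l) { return !atomic_flag_test_and_set(l); }
static void unlock(atomic_flag *l) { atomic_flag_clear(l); }

/* One reset attempt; false means "would spin until the lock holder leaves".
 * fixed=false: root lock only. fixed=true: seqlock too for NOLOCK qdiscs. */
static bool reset_attempt(struct model_qdisc *q, bool fixed)
{
    bool need_seq = fixed && q->nolock;
    if (need_seq && !try_lock(&q->seqlock))
        return false; /* a dequeue is in flight */
    if (!try_lock(&q->root_lock)) {
        if (need_seq) unlock(&q->seqlock);
        return false;
    }
    q->skb_live = false; /* models pfifo_fast_reset() freeing skbs */
    if (fixed) q->non_empty = false; /* state now reflects an empty queue */
    unlock(&q->root_lock);
    if (need_seq) unlock(&q->seqlock);
    return true;
}

/* Reset arrives mid-dequeue; true if the dequeuer then sees a freed skb. */
static bool dequeue_sees_freed_skb(bool fixed)
{
    struct model_qdisc q = { ATOMIC_FLAG_INIT, ATOMIC_FLAG_INIT, true, true, true };
    (void)try_lock(&q.seqlock);     /* CPU A: qdisc_run_begin() */
    (void)reset_attempt(&q, fixed); /* CPU B: tx queue count shrinks */
    bool uaf = !q.skb_live;         /* CPU A: about to use the skb */
    unlock(&q.seqlock);             /* CPU A: qdisc_run_end() */
    return uaf;
}

int main(void)
{
    printf("pre-fix uaf=%d, fixed uaf=%d\n",
           dequeue_sees_freed_skb(false), dequeue_sees_freed_skb(true));
    return 0;
}
```

With the root lock alone the reset proceeds while the seqlock holder is still dequeuing; once the reset also takes the seqlock, it cannot run until the dequeue has finished.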

Vulnerable products and versions

CPE                                               From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.16.1 (including)  5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)    6.1.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)     6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)     6.12.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13 (including)    6.18.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.19 (including)    6.19.7 (excluding)
cpe:2.3:o:linux:linux_kernel:4.16:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*