CVE-2026-45845

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: taprio: fix NULL pointer dereference in class dump<br /> <br /> When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft()<br /> is called with new == NULL and stores NULL into q-&gt;qdiscs[cl - 1].<br /> Subsequent RTM_GETTCLASS dump operations walk all classes via<br /> taprio_walk() and call taprio_dump_class(), which calls taprio_leaf()<br /> returning the NULL pointer, then dereferences it to read child-&gt;handle,<br /> causing a kernel NULL pointer dereference.<br /> <br /> The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel<br /> with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user<br /> namespaces enabled, an unprivileged local user can trigger a kernel<br /> panic by creating a taprio qdisc inside a new network namespace,<br /> grafting an explicit child qdisc, deleting it, and requesting a class<br /> dump. The RTM_GETTCLASS dump itself requires no capability.<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]<br /> RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)<br /> Call Trace:<br /> <br /> tc_fill_tclass (net/sched/sch_api.c:1966)<br /> qdisc_class_dump (net/sched/sch_api.c:2326)<br /> taprio_walk (net/sched/sch_taprio.c:2514)<br /> tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)<br /> tc_dump_tclass_root (net/sched/sch_api.c:2370)<br /> tc_dump_tclass (net/sched/sch_api.c:2431)<br /> rtnl_dumpit (net/core/rtnetlink.c:6864)<br /> netlink_dump (net/netlink/af_netlink.c:2325)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> <br /> <br /> Fix this by substituting &amp;noop_qdisc when new is NULL in<br /> taprio_graft(), a common pattern used by other qdiscs (e.g.,<br /> multiq_graft()) to ensure the q-&gt;qdiscs[] slots are never NULL.<br /> This makes control-plane dump paths safe without requiring individual<br /> NULL checks.<br /> <br /> Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq)<br /> previously had explicit NULL guards that would drop/skip the packet<br /> cleanly, update those checks to test for &amp;noop_qdisc instead. Without<br /> this, packets would reach taprio_enqueue_one() which increments the root<br /> qdisc&amp;#39;s qlen and backlog before calling the child&amp;#39;s enqueue; noop_qdisc<br /> drops the packet but those counters are never rolled back, permanently<br /> inflating the root qdisc&amp;#39;s statistics.<br /> <br /> After this change *old can be a valid qdisc, NULL, or &amp;noop_qdisc.<br /> Only call qdisc_put(*old) in the first case to avoid decreasing<br /> noop_qdisc&amp;#39;s refcount, which was never increased.