CVE-2026-23449

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: Fix double-free in teqlmasterxmit

Whenever a TEQL devices has a lockless Qdisc as root, qdiscreset should be called using the seqlock to avoid racing with the datapath. Failure to do so may cause crashes like the following:

[ 238.028993][ T318] BUG: KASAN: double-free in skbreleasedata (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task pocteqluafke/318 [ 238.029749][ T318] [ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: pocteqlke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) [ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 238.029910][ T318] Call Trace: [ 238.029913][ T318] <TASK> [ 238.029916][ T318] dumpstacklvl (lib/dumpstack.c:122) [ 238.029928][ T318] printreport (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 238.029940][ T318] ? skbreleasedata (net/core/skbuff.c:1139) [ 238.029944][ T318] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) ... [ 238.029957][ T318] ? skbreleasedata (net/core/skbuff.c:1139) [ 238.029969][ T318] kasanreportinvalidfree (mm/kasan/report.c:221 mm/kasan/report.c:563) [ 238.029979][ T318] ? skbreleasedata (net/core/skbuff.c:1139) [ 238.029989][ T318] checkslaballocation (mm/kasan/common.c:231) [ 238.029995][ T318] kmemcachefree (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) [ 238.030004][ T318] skbreleasedata (net/core/skbuff.c:1139) ... [ 238.030025][ T318] skskbreasondrop (net/core/skbuff.c:1256) [ 238.030032][ T318] pfifofastreset (./include/linux/ptrring.h:171 ./include/linux/ptrring.h:309 ./include/linux/skbarray.h:98 net/sched/schgeneric.c:827) [ 238.030039][ T318] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) ... [ 238.030054][ T318] qdiscreset (net/sched/schgeneric.c:1034) [ 238.030062][ T318] teqldestroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) [ 238.030071][ T318] __qdiscdestroy (./include/net/pktsched.h:328 net/sched/schgeneric.c:1077) [ 238.030077][ T318] qdiscgraft (net/sched/schapi.c:1062 net/sched/schapi.c:1053 net/sched/sch_api.c:1159) [ 238.030089][ T318] ? __pfxqdiscgraft (net/sched/schapi.c:1091) [ 238.030095][ T318] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 238.030102][ T318] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 238.030106][ T318] ? srsoaliasreturnthunk (arch/x86/lib/retpoline.S:221) [ 238.030114][ T318] tcgetqdisc (net/sched/schapi.c:1529 net/sched/schapi.c:1556) ... [ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: [ 238.073392][ T318] kasansavestack (mm/kasan/common.c:58) [ 238.073884][ T318] kasansavetrack (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.074230][ T318] __kasanslaballoc (mm/kasan/common.c:369) [ 238.074578][ T318] kmem_cacheallocnodenoprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) [ 238.076091][ T318] kmallocreserve (net/core/skbuff.c:616 (discriminator 107)) [ 238.076450][ T318] __allocskb (net/core/skbuff.c:713) [ 238.076834][ T318] allocskbwithfrags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) [ 238.077178][ T318] sockallocsendpskb (net/core/sock.c:2997) [ 238.077520][ T318] packetsendmsg (net/packet/afpacket.c:2926 net/packet/afpacket.c:3019 net/packet/afpacket.c:3108) [ 238.081469][ T318] [ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: [ 238.082761][ T318] kasansavestack (mm/kasan/common.c:58) [ 238.083481][ T318] kasansavetrack (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.085348][ T318] kasansavefreeinfo (mm/kasan/generic.c:587 (discriminator 1)) [ 238.085900][ T318] __kasanslabfree (mm/ ---truncated---