From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-23277: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
Date: Fri, 20 Mar 2026 09:13:38 +0100
Message-ID: <2026032036-CVE-2026-23277-e478@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit

teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit
through slave devices, but does not update skb->dev to the slave device
beforehand.

When a gretap tunnel is a TEQL slave, the transmit path reaches
iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0
master) and later calls iptunnel_xmit_stats(dev, pkt_len). This
function does:

    get_cpu_ptr(dev->tstats)

Since teql_master_setup() does not set dev->pcpu_stat_type to
NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats
for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes
NULL + __per_cpu_offset[cpu], resulting in a page fault.

 BUG: unable to handle page fault for address: ffff8880e6659018
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 68bc067 P4D 68bc067 PUD 0
 Oops: Oops: 0002 [#1] SMP KASAN PTI
 RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
 Call Trace:
  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
  __gre_xmit (net/ipv4/ip_gre.c:478)
  gre_tap_xmit (net/ipv4/ip_gre.c:779)
  teql_master_xmit (net/sched/sch_teql.c:319)
  dev_hard_start_xmit (net/core/dev.c:3887)
  sch_direct_xmit (net/sched/sch_generic.c:347)
  __dev_queue_xmit (net/core/dev.c:4802)
  neigh_direct_output (net/core/neighbour.c:1660)
  ip_finish_output2 (net/ipv4/ip_output.c:237)
  __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
  ip_mc_output (net/ipv4/ip_output.c:369)
  ip_send_skb (net/ipv4/ip_output.c:1508)
  udp_send_skb (net/ipv4/udp.c:1195)
  udp_sendmsg (net/ipv4/udp.c:1485)
  inet_sendmsg (net/ipv4/af_inet.c:859)
  __sys_sendto (net/socket.c:2206)

Fix this by setting skb->dev = slave before calling
netdev_start_xmit(), so that tunnel xmit functions see the correct
slave device with properly allocated tstats.

The Linux kernel CVE team has assigned CVE-2026-23277 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.5 with commit 039f50629b7f860f36644ed1f34b27da9aa62f43 and fixed in 6.18.19 with commit 0bad9c86edd22dec4df83c2b29872d66fd8a2ff4
	Issue introduced in 4.5 with commit 039f50629b7f860f36644ed1f34b27da9aa62f43 and fixed in 6.19.9 with commit 21ea283c2750c8307aa35ee832b0951cc993c27d
	Issue introduced in 4.5 with commit 039f50629b7f860f36644ed1f34b27da9aa62f43 and fixed in 7.0-rc4 with commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.
The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-23277
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/sched/sch_teql.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4
	https://git.kernel.org/stable/c/21ea283c2750c8307aa35ee832b0951cc993c27d
	https://git.kernel.org/stable/c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466
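

The skb->dev mix-up described under Description, as an added user-space model (not the kernel source or the upstream patch). The model_* functions, the device name gretap0 and the -EFAULT return standing in for the page fault are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model: names mirror the advisory, bodies are simplified assumptions. */
enum { NETDEV_PCPU_STAT_NONE, NETDEV_PCPU_STAT_TSTATS };
struct pcpu_sw_netstats { unsigned long tx_packets, tx_bytes; };
struct net_device { const char *name; int pcpu_stat_type; struct pcpu_sw_netstats *tstats; };
struct sk_buff { struct net_device *dev; unsigned int len; };

/* Core stack behaviour per the advisory: tstats exists only if the driver asked for it. */
static void model_register_netdev(struct net_device *dev)
{
    dev->tstats = dev->pcpu_stat_type == NETDEV_PCPU_STAT_TSTATS
                      ? calloc(1, sizeof(*dev->tstats)) : NULL;
}

/* Tunnel transmit: accounts against skb->dev, as iptunnel_xmit() is described to do. */
static int model_iptunnel_xmit(struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;

    if (!dev->tstats)       /* model only: the kernel path dereferences and faults */
        return -EFAULT;
    dev->tstats->tx_packets++;
    dev->tstats->tx_bytes += skb->len;
    return 0;
}

/* TEQL master handing the skb to a gretap slave; 'fixed' selects the patched behaviour. */
static int model_teql_master_xmit(struct sk_buff *skb, struct net_device *slave, int fixed)
{
    if (fixed)
        skb->dev = slave;   /* the fix: the slave device owns the skb from here on */
    return model_iptunnel_xmit(skb);
}

int main(void)
{
    struct net_device teql0 = { "teql0", NETDEV_PCPU_STAT_NONE, NULL };
    struct net_device gretap0 = { "gretap0", NETDEV_PCPU_STAT_TSTATS, NULL };
    struct sk_buff skb = { &teql0, 100 };   /* constructed sample packet */

    model_register_netdev(&teql0);
    model_register_netdev(&gretap0);
    printf("unfixed: %d\n", model_teql_master_xmit(&skb, &gretap0, 0));
    printf("fixed:   %d\n", model_teql_master_xmit(&skb, &gretap0, 1));
    printf("gretap0 tx_bytes: %lu\n", gretap0.tstats->tx_bytes);
    return 0;
}
```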