PT-2026-27705 · Linux · Linux

Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-23340

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used.

qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF.

This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs:

    iperf3 -ub0 -c $peer -t 0 &
    while :; do
        ethtool -L eth0 combined 1
        ethtool -L eth0 combined 2
    done

With KASAN enabled, this leads to reports like:

    BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
    ...
    Call Trace:
     ...
     __qdisc_run+0x133f/0x1760
     __dev_queue_xmit+0x248f/0x3550
     ip_finish_output2+0xa42/0x2110
     ip_output+0x1a7/0x410
     ip_send_skb+0x2e6/0x480
     udp_send_skb+0xb0a/0x1590
     udp_sendmsg+0x13c9/0x1fc0
     ...

    Allocated by task 1270 on cpu 5 at 44.558414s:
     ...
     alloc_skb_with_frags+0x84/0x7c0
     sock_alloc_send_pskb+0x69a/0x830
     __ip_append_data+0x1b86/0x48c0
     ip_make_skb+0x1e8/0x2b0
     udp_sendmsg+0x13a6/0x1fc0
     ...

    Freed by task 1306 on cpu 3 at 44.558445s:
     ...
     kmem_cache_free+0x117/0x5e0
     pfifo_fast_reset+0x14d/0x580
     qdisc_reset+0x9e/0x5f0
     netif_set_real_num_tx_queues+0x303/0x840
     virtnet_set_channels+0x1bf/0x260 [virtio_net]
     ethnl_set_channels+0x684/0xae0
     ethnl_default_set_doit+0x31a/0x890
     ...

Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue().

Additionally clear __QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
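
To check collected kernel logs for this specific race, the KASAN report shape above can be matched mechanically. The Python below is an added example, not part of the advisory or the kernel patch; the helper names `parse_kasan` and `matches_qdisc_reset_race` are hypothetical, and the sample log is constructed from the excerpt above with the elided frames dropped.

```python
import re

# Constructed sample: the KASAN excerpt from this page, elided frames dropped.
SAMPLE = """\
BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
Call Trace:
 __qdisc_run+0x133f/0x1760
 __dev_queue_xmit+0x248f/0x3550
Allocated by task 1270 on cpu 5 at 44.558414s:
 alloc_skb_with_frags+0x84/0x7c0
Freed by task 1306 on cpu 3 at 44.558445s:
 kmem_cache_free+0x117/0x5e0
 pfifo_fast_reset+0x14d/0x580
 qdisc_reset+0x9e/0x5f0
 netif_set_real_num_tx_queues+0x303/0x840
 virtnet_set_channels+0x1bf/0x260 [virtio_net]
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")            # optional dmesg timestamp
HEAD = re.compile(r"BUG: KASAN: ([\w-]+) in ([A-Za-z_][\w.]*)\+0x")
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SECTIONS = (("Call Trace:", "access"), ("Allocated by task", "alloc"),
            ("Freed by task", "free"))

def parse_kasan(text):
    """Split one KASAN report into access/alloc/free stacks of symbol names."""
    rep = {"kind": None, "site": None, "access": [], "alloc": [], "free": []}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        head = HEAD.match(line)
        if head:
            rep["kind"], rep["site"] = head.groups()
            continue
        for prefix, name in SECTIONS:
            if line.startswith(prefix):
                section = name
                break
        else:
            frame = FRAME.match(line)   # "? sym+0x.." guesses do not match
            if section and frame:
                rep[section].append(frame.group(1))
    return rep

def matches_qdisc_reset_race(rep):
    """True if the queue-shrink reset path freed an skb __qdisc_run() still used."""
    # Older kernels print "use-after-free" without the "slab-" prefix.
    return (rep["kind"] in ("slab-use-after-free", "use-after-free")
            and "__qdisc_run" in rep["access"]
            and {"qdisc_reset", "netif_set_real_num_tx_queues"} <= set(rep["free"]))
```

A use-after-free in `__qdisc_run()` whose free stack does not pass through both `qdisc_reset()` and `netif_set_real_num_tx_queues()` is deliberately not matched, since it would point at a different bug.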

Related Identifiers

CVE-2026-23340

Affected Products

Linux