PT-2026-51974 · Linux · Linux

Published: 2026-06-24 · Updated: 2026-06-24 · CVE-2026-53080

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_fw: fix NULL dereference of "old" filters before change()
Like pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched: protect filter_chain list with filter chain lock mutex") TC filters are added to a shared block and published to datapath before their ->change() function is called. This is a problem for cls_fw: an invalid filter created with the "old" method can still classify some packets before it is destroyed by the validation logic added by Xiang. Therefore, insisting with repeated runs of the following script:

    ip link add dev crash0 type dummy
    ip link set dev crash0 up
    mausezahn crash0 -c 100000 -P 10 \
        -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
    sleep 1
    tc qdisc add dev crash0 egress_block 1 clsact
    tc filter add block 1 protocol ip prio 1 matchall \
        action skbedit mark 65536 continue
    tc filter add block 1 protocol ip prio 2 fw
    ip link del dev crash0

can still make fw_classify() hit the WARN_ON() in [2]:

    WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
    Modules linked in: cls_fw(E) act_skbedit(E)
    CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G E 7.0.0-rc6-virtme #17 PREEMPT(full)
    Tainted: [E]=UNSIGNED_MODULE
    Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
    RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
    Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90
    RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202
    RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004
    RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40
    RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0
    R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000
    R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000
    FS: 00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0
    Call Trace:
     tcf_classify+0x17d/0x5c0
     tc_run+0x9d/0x150
     __dev_queue_xmit+0x2ab/0x14d0
     ip_finish_output2+0x340/0x8f0
     ip_output+0xa4/0x250
     raw_sendmsg+0x147d/0x14b0
     __sys_sendto+0x1cc/0x1f0
     __x64_sys_sendto+0x24/0x30
     do_syscall_64+0x126/0xf80
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7fca40e822ba
    Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
    RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba
    RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003
    RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010
    R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e
    R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000
    irq event stamp: 1045778
    hardirqs last enabled at (1045784): [] __up_console_sem+0x52/0x60
    hardirqs last disabled at (1045789): [] __up_console_sem+0x37/0x60
    softirqs last enabled at (1045426): [] __alloc_skb+0x207/0x260
    softirqs last disabled at (1045434): [] __dev_queue_xmit+0x78/0x14d0

Then, because of the value in the packet's mark, dereference on 'q->handle' with NULL 'q' occurs:

    BUG: kernel NULL pointer dereference, address: 0000000000000038
    [...]
    RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
    [...]

Skip "old-style" classification on shared blocks, so that the NULL dereference is fixed and WARN_ON() is not hit anymore in the short lifetime of invalid cls_fw "old-style" filters.
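
For triage on hosts that have not yet taken the fix, the two signatures quoted above can be matched in kernel logs. The following is an added example, not part of the advisory or of the kernel patch; it correlates the "BUG:" header with the kernel-mode RIP line that follows it, because only the RIP line names fw_classify(). The sample lines are constructed from the trace above, and `some_other_function` is a made-up decoy.

```python
import re

# WARN_ON() header: names the function itself; "at " is optional so the
# older "WARNING: CPU: .. PID: .. at file:line func+off" layout also matches.
WARN_RE = re.compile(r"WARNING: .*pkt_cls\.h:\d+ (?:at )?fw_classify\+")
# NULL-dereference header: the faulting function appears only on a later line.
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: (\w+)")
# Kernel-mode RIP line (selector 0010); user-mode RIP lines carry 0033.
RIP_RE = re.compile(r"RIP: 0010:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_cls_fw_events(lines, window=30):
    """Return [(kind, detail)] for splats attributable to fw_classify()."""
    events = []
    pending = None  # (fault address, lines left) for a BUG awaiting its RIP
    for line in lines:
        if WARN_RE.search(line):
            events.append(("warn", line.strip()))
            continue
        bug = BUG_RE.search(line)
        if bug:
            pending = (bug.group(1), window)
            continue
        if pending:
            addr, left = pending
            rip = RIP_RE.search(line)
            if rip:
                # First kernel RIP after the header decides attribution.
                if rip.group(1) == "fw_classify":
                    events.append(("null-deref", addr))
                pending = None
            else:
                # Give up if no RIP line shows up within the window.
                pending = (addr, left - 1) if left > 1 else None
    return events

# Constructed sample input (not captured from a real host).
SAMPLE = """\
WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
RIP: 0033:0x7fca40e822ba
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
BUG: kernel NULL pointer dereference, address: 0000000000000010
RIP: 0010:some_other_function+0x10/0x40
""".splitlines()

if __name__ == "__main__":
    for kind, detail in find_cls_fw_events(SAMPLE):
        print(kind, detail)
```

Feed it the output of `dmesg` or `journalctl -k` split into lines; timestamps or other prefixes on each line do not affect matching.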

Related Identifiers

CVE-2026-53080

Affected Products

Linux