ACK: [SRU][J/N/Q][PATCH 0/1] CVE-2026-23074

Austin Rhodes austin.rhodes at canonical.com
Thu Feb 19 22:19:24 UTC 2026


Acked-by: Austin Rhodes <austin.rhodes at canonical.com>

On 2/9/26 15:45, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> net/sched: Enforce that teql can only be used as root qdisc
>
> Design intent of teql is that it is only supposed to be used as root qdisc.
> We need to check for that constraint.
>
> Although not important, I will describe the scenario that unearthed this
> issue for the curious.
>
> GangMin Kim <km.kim1503 at gmail.com> managed to concoct a scenario as follows:
>
> ROOT qdisc 1:0 (QFQ)
>    ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
>    └── class 1:2 (weight=1, lmax=1514) teql
>
> GangMin sends a packet which is enqueued to 1:1 (netem).
> Any invocation of dequeue by QFQ from this class will not return a packet
> until after 6.4s. In the meantime, a second packet is sent and it lands on
> 1:2. teql's enqueue will return success and this will activate class 1:2.
> Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
> at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
> peek always returns NULL), dequeue will never be called and thus the qlen
> will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
> the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
> qlen was not incremented, qfq fails to deactivate the class, but still
> frees its pointers from the aggregate. So when the first packet is
> rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
> accessed causing a UAF.
>
> [Fix]
>
> Questing: applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry-picked from upstream
> Focal:    sent to forgejo
> Bionic:   sent to ESM ML
> Xenial:   sent to ESM ML
> Trusty:   sent to ESM ML
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change is applied to the True Link Equalizer (TEQL)
> packet scheduling queueing discipline to avoid a use
> after free. Issues might arise in workloads utilizing
> this queueing discipline.
>
> Jamal Hadi Salim (1):
>    net/sched: Enforce that teql can only be used as root qdisc
>
>   net/sched/sch_teql.c | 5 +++++
>   1 file changed, 5 insertions(+)
>
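An audit for the constraint this patch enforces, as an added example that is not part of the original thread or of the patch: it reads `tc qdisc show` text output and reports every teql qdisc that is not attached at root, which are the configurations the fix affects. The function names and the sample lines are constructed for illustration, and the parser assumes the usual `qdisc <kind> <handle> dev <dev> root|parent <classid>` line layout.

```shell
#!/bin/sh
# Added example: flag teql qdiscs attached anywhere other than root.
# Input is the plain-text output of `tc qdisc show` on stdin.

# Constructed sample mirroring the layout in the cover letter
# (QFQ root with netem and teql children), plus a valid root teql on eth1.
sample_tc_output() {
cat <<'EOF'
qdisc qfq 1: dev eth0 root refcnt 2
qdisc netem 10: dev eth0 parent 1:1 limit 1000 delay 6.4s
qdisc teql0 20: dev eth0 parent 1:2
qdisc teql0 8001: dev eth1 root refcnt 2
qdisc fq_codel 0: dev eth2 root refcnt 2 limit 10240p
EOF
}

# Prints one line per offending qdisc: "<dev> <kind> <handle> parent <classid>".
find_nonroot_teql() {
    awk '
    $1 == "qdisc" && $2 ~ /^teql[0-9]+$/ {
        dev = ""; parent = "?"; root = 0
        for (i = 4; i <= NF; i++) {
            # Consume the value after "dev"/"parent" so a device that is
            # literally named "root" cannot be mistaken for the keyword.
            if ($i == "dev")         { dev = $(i + 1); i++ }
            else if ($i == "parent") { parent = $(i + 1); i++ }
            else if ($i == "root")   { root = 1 }
        }
        if (!root) printf "%s %s %s parent %s\n", dev, $2, $3, parent
    }'
}

# Returns 0 when every teql qdisc is root, 1 (and lists offenders) otherwise.
audit_teql() {
    hits=$(find_nonroot_teql)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Demo on the constructed sample; on a host use: tc qdisc show | audit_teql
sample_tc_output | find_nonroot_teql
```
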


