Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit

teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand.

When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does:

    get_cpu_ptr(dev->tstats)

Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault.

    BUG: unable to handle page fault for address: ffff8880e6659018
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    PGD 68bc067 P4D 68bc067 PUD 0
    Oops: Oops: 0002 [#1] SMP KASAN PTI
    RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)
    Call Trace:
     <TASK>
     ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)
     __gre_xmit (net/ipv4/ip_gre.c:478)
     gre_tap_xmit (net/ipv4/ip_gre.c:779)
     teql_master_xmit (net/sched/sch_teql.c:319)
     dev_hard_start_xmit (net/core/dev.c:3887)
     sch_direct_xmit (net/sched/sch_generic.c:347)
     __dev_queue_xmit (net/core/dev.c:4802)
     neigh_direct_output (net/core/neighbour.c:1660)
     ip_finish_output2 (net/ipv4/ip_output.c:237)
     __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)
     ip_mc_output (net/ipv4/ip_output.c:369)
     ip_send_skb (net/ipv4/ip_output.c:1508)
     udp_send_skb (net/ipv4/udp.c:1195)
     udp_sendmsg (net/ipv4/udp.c:1485)
     inet_sendmsg (net/ipv4/af_inet.c:859)
     __sys_sendto (net/socket.c:2206)

Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.
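The device mix-up described above, reduced to a userspace model. This is an added example, not kernel code and not part of the CVE record: the structs are simplified stand-ins, and `tunnel_xmit`, `master_xmit` and `run_model` are hypothetical names. Where the kernel would fault, the model returns -1 instead.

```c
/* Userspace model of the TEQL master/slave transmit path (added example). */
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures named in the description. */
struct tstats { unsigned long tx_packets, tx_bytes; };
struct net_device { const char *name; struct tstats *tstats; };
struct sk_buff { struct net_device *dev; unsigned int len; };

/* Stand-in for the tunnel xmit path: like iptunnel_xmit(), it accounts
 * against skb->dev. The kernel path has no NULL check at this point; the
 * model returns -1 where the kernel would take the page fault. */
static int tunnel_xmit(struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;
    if (dev->tstats == NULL)
        return -1;              /* kernel: get_cpu_ptr(NULL) dereference */
    dev->tstats->tx_packets++;
    dev->tstats->tx_bytes += skb->len;
    return 0;
}

/* Stand-in for teql_master_xmit(): hands the skb to the slave's xmit. */
static int master_xmit(struct sk_buff *skb, struct net_device *slave, int fixed)
{
    if (fixed)
        skb->dev = slave;       /* the fix: point the skb at the slave first */
    return tunnel_xmit(skb);    /* models netdev_start_xmit(skb, slave) */
}

/* Sends one constructed 100-byte packet; returns the xmit result and
 * reports the slave's packet counter through *slave_pkts. */
int run_model(int fixed, unsigned long *slave_pkts)
{
    struct tstats gre_stats = { 0, 0 };
    struct net_device teql0 = { "teql0", NULL };           /* master: no tstats */
    struct net_device gretap0 = { "gretap0", &gre_stats }; /* slave: allocated */
    struct sk_buff skb = { &teql0, 100 };
    int rc = master_xmit(&skb, &gretap0, fixed);
    *slave_pkts = gre_stats.tx_packets;
    return rc;
}

int main(void)
{
    unsigned long n;
    int before = run_model(0, &n);
    int after = run_model(1, &n);
    printf("before fix rc=%d, after fix rc=%d, slave tx_packets=%lu\n", before, after, n);
    return 0;
}
```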

PUBLISHED Reserved 2026-01-13 | Published 2026-03-20 | Updated 2026-05-11 | Assigner Linux

Product status

Default status: unaffected

039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 383493b9940e3d1b5517424081b3e072e20ec43c: affected
039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 6b1f563d670162e188a0f2aec39c24b67b106e17: affected
039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 57c153249143333bbf4ecf927bdf8aa2696ee397: affected
039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 59b06d8b9bdb6b64b3c534c18da68bce5ccd31be: affected
039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 81a43e8005366f16e629d8c95dfe05beaa8d36a7: affected
039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 0bad9c86edd22dec4df83c2b29872d66fd8a2ff4: affected
039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 21ea283c2750c8307aa35ee832b0951cc993c27d: affected
039f50629b7f860f36644ed1f34b27da9aa62f43 (git) before 0cc0c2e661af418bbf7074179ea5cfffc0a5c466: affected

Default status: affected

4.5: affected
Any version before 4.5: unaffected
5.10.253 (semver): unaffected
5.15.203 (semver): unaffected
6.1.167 (semver): unaffected
6.6.130 (semver): unaffected
6.12.78 (semver): unaffected
6.18.19 (semver): unaffected
6.19.9 (semver): unaffected
7.0 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/383493b9940e3d1b5517424081b3e072e20ec43c

git.kernel.org/...c/6b1f563d670162e188a0f2aec39c24b67b106e17

git.kernel.org/...c/57c153249143333bbf4ecf927bdf8aa2696ee397

git.kernel.org/...c/59b06d8b9bdb6b64b3c534c18da68bce5ccd31be

git.kernel.org/...c/81a43e8005366f16e629d8c95dfe05beaa8d36a7

git.kernel.org/...c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4

git.kernel.org/...c/21ea283c2750c8307aa35ee832b0951cc993c27d

git.kernel.org/...c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466

cve.org (CVE-2026-23277)

nvd.nist.gov (CVE-2026-23277)