Home

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference. The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478) Call Trace: <TASK> tc_fill_tclass (net/sched/sch_api.c:1966) qdisc_class_dump (net/sched/sch_api.c:2326) taprio_walk (net/sched/sch_taprio.c:2514) tc_dump_tclass_qdisc (net/sched/sch_api.c:2352) tc_dump_tclass_root (net/sched/sch_api.c:2370) tc_dump_tclass (net/sched/sch_api.c:2431) rtnl_dumpit (net/core/rtnetlink.c:6864) netlink_dump (net/netlink/af_netlink.c:2325) rtnetlink_rcv_msg (net/core/rtnetlink.c:6959) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks. Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics. After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-27 | Assigner Linux

Product status

Default status
unaffected

665338b2a7a0139337d1f85be65ed16e487f84c1 (git) before ec2501e361b08b50bcb1e7b3253fc861abbda28d
affected

665338b2a7a0139337d1f85be65ed16e487f84c1 (git) before d02e2fbf60de46678e2ea698a6a904fd21e1cc31
affected

665338b2a7a0139337d1f85be65ed16e487f84c1 (git) before 48b26d48e76221dc90b02bf5428bab53643461ca
affected

665338b2a7a0139337d1f85be65ed16e487f84c1 (git) before 8f1ff8866cb9f655e5faea6994eb902960be8e04
affected

665338b2a7a0139337d1f85be65ed16e487f84c1 (git) before 3d07ca5c0fae311226f737963984bd94bb159a87
affected

Default status
affected

6.6
affected

Any version before 6.6
unaffected

6.6.141 (semver)
unaffected

6.12.91 (semver)
unaffected

6.18.33 (semver)
unaffected

7.0.10 (semver)
unaffected

7.1-rc2 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/ec2501e361b08b50bcb1e7b3253fc861abbda28d

git.kernel.org/...c/d02e2fbf60de46678e2ea698a6a904fd21e1cc31

git.kernel.org/...c/48b26d48e76221dc90b02bf5428bab53643461ca

git.kernel.org/...c/8f1ff8866cb9f655e5faea6994eb902960be8e04

git.kernel.org/...c/3d07ca5c0fae311226f737963984bd94bb159a87

cve.org (CVE-2026-45845)

nvd.nist.gov (CVE-2026-45845)

Download JSON