CVE-2026-43496 in Linux: Information

Summary

by VulDB • 2026-05-21

Linux kernel networking subsystem, specifically related to qdisc (queueing discipline) handling and GSO (Generic Segmentation Offload).

### Analysis of the Log Snippet

The provided log is a **kernel Oops or panic trace** (or at least a warning trace) from a Linux kernel. Key observations:

1. **Context**: The trace occurs in task `T363` at timestamp `78.67...` seconds after boot.
2. **Call Trace**:
   * `__qdisc_run`: The main qdisc dequeue loop.
   * `tbf_dequeue.cold`: The Token Bucket Filter qdisc dequeue function.
   * `red_dequeue`: The Random Early Detection qdisc dequeue function.
   * `? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]`: A reference to the QFQ qdisc, likely as a caller or part of a chain.
   * Various helper functions like `srso_alias_return_thunk`, `lockdep_hardirqs_on_prepare`, etc.
3. **Registers**: Standard x86_64 register dump. `CR2` (`000055db4c6a30a8`) indicates the faulting address if this was a page fault, but the trace doesn't explicitly say "Oops: 0000 [#1]". However, the presence of a call trace usually implies a crash or a severe warning (like a BUG_ON or WARN_ON).
4. **Key Functions**: The trace shows a chain of qdiscs: `qfq` -> `red` -> `tbf`. This suggests a stacked qdisc configuration where packets are being dequeued through these layers.

### The Patch Description

The text following the log provides the **fix**:

> "The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead."

#### Interpretation

1. **Problem**: In some qdisc implementation (likely `sch_qfq` or one of the stacked qdiscs), there was a bug in how it handled GSO (Generic Segmentation Offload) skbs. Specifically, in a code path labeled "#1b", the code was incorrectly handling the `gso_skb` queue.
2. **Consequence**: This incorrect handling likely led to the crash/warning seen in the log. It might have caused use-after-free, double-free, or accessing invalid memory when trying to dequeue packets.
3. **Solution**: The fix changes the code in path "#1b" to use `qdisc_dequeue_peeked()` instead of whatever method was used before.
   * `qdisc_dequeue_peeked()` is a qdisc helper function that safely dequeues a packet from the qdisc's queue, often used when you want to peek at the next packet without fully removing it from the queue's accounting in certain contexts, or to handle GSO skbs correctly by ensuring the underlying GSO skb is properly managed.
   * The comment "grab the skb off gso_skb queue" suggests that the qdisc maintains a separate queue for GSO skbs, and the fix ensures that when a packet is needed, it is correctly taken from this GSO queue if applicable.

### Conclusion

This is a **bug fix patch** for the Linux kernel's networking qdisc subsystem. It addresses a crash or corruption issue that occurred when dequeuing packets through a stack of qdiscs (specifically involving QFQ, RED, and TBF) by correcting how GSO skbs are handled in a specific code path. The fix involves using the `qdisc_dequeue_peeked()` function to properly manage the GSO skb queue.

Responsible

Linux

Reserved

2026-05-01

Moderation

Accepted

Entry

VDB-365005

EPSS

0.00032

Activity

Very low