CVE-2026-23277

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit

teqlmasterxmit() calls netdevstartxmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand.

When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnelxmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnelxmitstats(dev, pktlen). This function does:

get_cpu_ptr(dev->tstats)

Since teqlmastersetup() does not set dev->pcpustattype to NETDEVPCPUSTATTSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. getcpu_ptr(NULL) computes NULL + __percpuoffset[cpu], resulting in a page fault.

BUG: unable to handle page fault for address: ffff8880e6659018 #PF: supervisor write access in kernel mode #PF: errorcode(0x0002) - not-present page PGD 68bc067 P4D 68bc067 PUD 0 Oops: Oops: 0002 [#1] SMP KASAN PTI RIP: 0010:iptunnelxmit (./include/net/iptunnels.h:664 net/ipv4/iptunnelcore.c:89) Call Trace: <TASK> iptunnelxmit (net/ipv4/iptunnel.c:847) __grexmit (net/ipv4/ipgre.c:478) gretapxmit (net/ipv4/ipgre.c:779) teqlmasterxmit (net/sched/schteql.c:319) devhardstartxmit (net/core/dev.c:3887) schdirectxmit (net/sched/schgeneric.c:347) __devqueuexmit (net/core/dev.c:4802) neighdirectoutput (net/core/neighbour.c:1660) ipfinishoutput2 (net/ipv4/ip_output.c:237) __ipfinishoutput.part.0 (net/ipv4/ipoutput.c:315) ipmcoutput (net/ipv4/ipoutput.c:369) ipsendskb (net/ipv4/ipoutput.c:1508) udpsendskb (net/ipv4/udp.c:1195) udpsendmsg (net/ipv4/udp.c:1485) inetsendmsg (net/ipv4/afinet.c:859) _syssendto (net/socket.c:2206)

Fix this by setting skb->dev = slave before calling netdevstartxmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.