)]}'
{
  "commit": "9660cea1cd92195ea50cc4031f0fb7083bb630fd",
  "tree": "4124a02746e347a01f2b46d5b297ae2b560f9eef",
  "parents": [
    "0102497d6e3054ac74c6cb6030a70e861f49c157"
  ],
  "author": {
    "name": "Jamal Hadi Salim",
    "email": "jhs@mojatatu.com",
    "time": "Thu Apr 30 11:29:55 2026 -0400"
  },
  "committer": {
    "name": "Kevin Berry",
    "email": "kpberry@google.com",
    "time": "Thu Jun 04 10:35:45 2026 -0700"
  },
  "message": "net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked\n\ncommit 458d5615272d3de535748342eb68ca492343048c upstream.\n\nWhen red qdisc has children (eg qfq qdisc) whose peek() callback is\nqdisc_peek_dequeued(), we could get a kernel panic. When the parent of such\nqdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from\nits child (red in this case), it will do the following:\n 1a. do a peek() - and when sensing there\u0027s an skb the child can offer, then\n     - the child in this case(red) calls its child\u0027s (qfq) peek.\n        qfq does the right thing and will return the gso_skb queue packet.\n        Note: if there wasnt a gso_skb entry then qfq will store it there.\n 1b. invoke a dequeue() on the child (red). And herein lies the problem.\n     - red will call the child\u0027s dequeue() which will essentially just\n       try to grab something of qfq\u0027s queue.\n\n[   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]\n[   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)\n[   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]\n[   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 \u003c80\u003e 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d\n[   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216\n[   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048\n[   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078\n[   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000\n[   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200\n[   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000\n[   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0\n[   78.671585][  T363] PKRU: 55555554\n[   78.671713][  T363] Call Trace:\n[   78.671843][  T363]  \u003cTASK\u003e\n[   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]\n[   78.672148][  T363]  ? __pfx__printk+0x10/0x10\n[   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0\n[   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0\n[   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red]\n[   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf]\n[   78.673566][  T363]  __qdisc_run+0x169/0x1900\n\nThe right thing to do in #1b is to grab the skb off gso_skb queue.\nThis patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()\nmethod instead.\n\nBUG\u003db/515700380\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2026-43496 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: 77be155cba4e (\"pkt_sched: Add peek emulation for non-work-conserving qdiscs.\")\nReported-by: Manas \u003cghandatmanas@gmail.com\u003e\nReported-by: Rakshit Awasthi \u003crakshitawasthi17@gmail.com\u003e\nChange-Id: I1cac711aa46e7ab11cd81e5f76fa33dbdeda86e8\nSigned-off-by: Jamal Hadi Salim \u003cjhs@mojatatu.com\u003e\nReviewed-by: Eric Dumazet \u003cedumazet@google.com\u003e\nLink: https://patch.msgid.link/20260430152957.194015-2-jhs@mojatatu.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/156303\nReviewed-by: Kevin Liu \u003czhihuil@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Kevin Berry \u003ckpberry@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "0f0701ed397e90b6faadd45e035cd5b799d8649d",
      "old_mode": 33188,
      "old_path": "net/sched/sch_red.c",
      "new_id": "a745d429a81410d620bc855b7ff9340787f8d845",
      "new_mode": 33188,
      "new_path": "net/sched/sch_red.c"
    }
  ]
}
