DEBIAN-CVE-2026-23340
In the Linux kernel, the following vulnerability has been resolved:

net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used.

qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF.

This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs:

    iperf3 -ub0 -c $peer -t 0 &
    while :; do
      ethtool -L eth0 combined 1
      ethtool -L eth0 combined 2
    done

With KASAN enabled, this leads to reports like:

    BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760
    ...
    Call Trace:
     <TASK>
     ...
     __qdisc_run+0x133f/0x1760
     __dev_queue_xmit+0x248f/0x3550
     ip_finish_output2+0xa42/0x2110
     ip_output+0x1a7/0x410
     ip_send_skb+0x2e6/0x480
     udp_send_skb+0xb0a/0x1590
     udp_sendmsg+0x13c9/0x1fc0
     ...
     </TASK>

    Allocated by task 1270 on cpu 5 at 44.558414s:
     ...
     alloc_skb_with_frags+0x84/0x7c0
     sock_alloc_send_pskb+0x69a/0x830
     __ip_append_data+0x1b86/0x48c0
     ip_make_skb+0x1e8/0x2b0
     udp_sendmsg+0x13a6/0x1fc0
     ...

    Freed by task 1306 on cpu 3 at 44.558445s:
     ...
     kmem_cache_free+0x117/0x5e0
     pfifo_fast_reset+0x14d/0x580
     qdisc_reset+0x9e/0x5f0
     netif_set_real_num_tx_queues+0x303/0x840
     virtnet_set_channels+0x1bf/0x260 [virtio_net]
     ethnl_set_channels+0x684/0xae0
     ethnl_default_set_doit+0x31a/0x890
     ...

Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue().

Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
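The lock mismatch described above, reduced to a userspace C model. This is an added example, not the kernel patch or code from this advisory: every name in it (`model_qdisc`, `run_begin`, `try_reset`, `MODEL_TCQ_F_NOLOCK`) is hypothetical, and try-locks stand in for the kernel's blocking locks so the outcome is deterministic.

```c
/* Userspace model (constructed); all names here are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>

#define MODEL_TCQ_F_NOLOCK 0x1u   /* stands in for TCQ_F_NOLOCK */

struct model_qdisc {
    unsigned int flags;
    atomic_flag root_lock;        /* models the lock behind qdisc_lock() */
    atomic_flag seqlock;          /* models qdisc->seqlock */
    int qlen;                     /* packets (skbs) still queued */
};

static bool try_lock(atomic_flag *l) { return !atomic_flag_test_and_set(l); }
static void unlock(atomic_flag *l) { atomic_flag_clear(l); }

/* Dequeue entry: lockless qdiscs use seqlock, all others the root lock. */
static bool run_begin(struct model_qdisc *q)
{
    bool nolock = q->flags & MODEL_TCQ_F_NOLOCK;
    return try_lock(nolock ? &q->seqlock : &q->root_lock);
}

/* Reset path; returns true if the flush ran. take_seqlock=false models the
 * pre-fix locking (root lock only), true models the fix. Try-locks replace
 * the kernel's blocking locks so the outcome is deterministic. */
static bool try_reset(struct model_qdisc *q, bool take_seqlock)
{
    bool seq = take_seqlock && (q->flags & MODEL_TCQ_F_NOLOCK);
    if (seq && !try_lock(&q->seqlock))
        return false;             /* dequeuer active: reset has to wait */
    if (!try_lock(&q->root_lock)) {
        if (seq) unlock(&q->seqlock);
        return false;
    }
    q->qlen = 0;                  /* models freeing every queued skb */
    unlock(&q->root_lock);
    if (seq) unlock(&q->seqlock);
    return true;
}

/* True if reset flushed the queue while a dequeuer was mid-run. */
bool reset_overlaps_dequeue(unsigned int flags, bool take_seqlock)
{
    struct model_qdisc q = { .flags = flags, .qlen = 3 };
    atomic_flag_clear(&q.root_lock);
    atomic_flag_clear(&q.seqlock);
    return run_begin(&q) && try_reset(&q, take_seqlock);
}
```

In the model, only the lockless qdisc with root-lock-only reset lets the flush run while a dequeuer is active; a qdisc without the NOLOCK flag is already serialized by the root lock.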
Related Resources
References
https://security-tracker.debian.org/tracker/CVE-2026-23340
