[SRU][O/N/J/F][PATCH 0/1] CVE-2025-21971

[Tim Whisonant]

SRU Justification:

[Impact]

net_sched: Prevent creation of classes with TC_H_ROOT

The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination
condition when traversing up the qdisc tree to update parent backlog
counters. However, if a class is created with classid TC_H_ROOT, the
traversal terminates prematurely at this class instead of reaching the
actual root qdisc, causing parent statistics to be incorrectly maintained.
In case of DRR, this could lead to a crash as reported by Mingi Cho.

Prevent the creation of any Qdisc class with classid TC_H_ROOT
(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.

[Fix]

Oracular: cherry picked from upstream
Noble:    cherry picked from upstream
Jammy:    cherry picked from upstream
Focal:    cherry picked from upstream
Bionic:   patch sent to ESM ML
Xenial:   patch sent to ESM ML
Trusty:   out of scope (medium CVE)

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The change affects the core network scheduling code in the traffic
class creation logic. Errors may concern failure to create certain
types of queueing discipline objects (Qdisc).

Cong Wang (1):
  net_sched: Prevent creation of classes with TC_H_ROOT

 net/sched/sch_api.c | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.43.0