ACK/Cmnt: [SRU][F/J/N/O/P][PATCH v2 0/5] CVE-2025-37798

Stefan Bader stefan.bader at canonical.com
Tue Jun 3 14:10:33 UTC 2025


On 27.05.25 23:46, Ian Whitfield wrote:
> [Impact]
> 
> From the lkml thread at
> https://lore.kernel.org/all/20250403211033.166059-1-xiyou.wangcong@gmail.com/
> 
> "a vulnerability exists in fq_codel where manipulating the MTU can cause
> codel_dequeue() to drop all packets. The parent qdisc's sch->q.qlen is only
> updated via ->qlen_notify() if the fq_codel queue remains non-empty after the
> drops. This discrepancy in qlen between fq_codel and its parent can lead to a
> use-after-free condition.
> 
> Let's fix this by making all existing ->qlen_notify() idempotent so that the
> sch->q.qlen check will be no longer necessary."
> 
> Plucky received one of the fix commits via stable updates; however, this patch
> alone does not complete the fix and actually may have introduced a regression.
> See the stable mailing list thread on the topic:
> https://lore.kernel.org/stable/CAHcdcOkW1D_zKh-HPsfjX-oGYhv-OwojPXVwcA=NYoO0hcCbZQ@mail.gmail.com/
> 
> These missing patches were included for the Plucky patchset; the fix commit
> which was already applied is not present in that thread. Plucky also has the
> quirk of being the only supported kernel which had the prerequisite code for the
> selftests associated with this CVE, so those are included in that thread but not
> in others.
> 
> [Backport]
> 
> All kernels required some attention to backport, see their individual commit
> trailers for more details.
> 
> Patches for sch_ets were excluded in kernels which don't have that module.
> Patches which add selftest test cases were excluded when the test file being
> edited was not present in the tree.
> 
> The sch_htb change in the original patchset required a fix commit:
> 376947861013 ("sch_htb: make htb_deactivate() idempotent")
> 
> [Fix]
> 
> Plucky:   backport of missing patches and selftests
> Oracular: backport of fix patches
> Noble:    backport of fix patches
> Jammy:    backport of fix patches
> Focal:    backport of fix patches
> Bionic:   sent to ESM ML
> Xenial:   sent to ESM ML
> 
> [Test Case]
> 
> Compile and boot tested. The selftests added in Plucky by this patchset were
> run successfully.
> 
> [Where problems could occur]
> 
> This fix affects users of the codel (Controlled Delay) queuing discipline
> component. An issue with this fix would be visible to the user as network
> scheduler queue mismanagement, which could result in a denial of service
> exploit.
> 
> v2: Added 376947861013 ("sch_htb: make htb_deactivate() idempotent")
> 
> Cong Wang (10):
>    sch_htb: make htb_qlen_notify() idempotent
>    sch_drr: make drr_qlen_notify() idempotent
>    sch_hfsc: make hfsc_qlen_notify() idempotent
>    sch_qfq: make qfq_qlen_notify() idempotent
>    sch_ets: make est_qlen_notify() idempotent
>    selftests/tc-testing: Add a test case for FQ_CODEL with HTB parent
>    selftests/tc-testing: Add a test case for FQ_CODEL with QFQ parent
>    selftests/tc-testing: Add a test case for FQ_CODEL with HFSC parent
>    selftests/tc-testing: Add a test case for FQ_CODEL with DRR parent
>    selftests/tc-testing: Add a test case for FQ_CODEL with ETS parent
> 
>   net/sched/sch_drr.c                           |   7 +-
>   net/sched/sch_ets.c                           |   8 +-
>   net/sched/sch_hfsc.c                          |   8 +-
>   net/sched/sch_htb.c                           |   2 +
>   net/sched/sch_qfq.c                           |   7 +-
>   .../tc-testing/tc-tests/infra/qdiscs.json     | 157 +++++++++++++++++-
>   6 files changed, 177 insertions(+), 12 deletions(-)
> 

For Focal let's finish here and future submissions go to ESM. For Plucky 
it sounds worrying that we already applied the last change which relies 
on the other calls being idempotent... Anyway:


Acked-by: Stefan Bader <stefan.bader at canonical.com>
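
Added example (not code from this thread or from the kernel): a small userspace
C model of the accounting problem described under [Impact], and of why the
stable-only commit Stefan worries about is not enough on its own. The list
helpers and all struct, function and enum names (child_class, parent_qdisc,
tree_reduce_backlog, run_scenario and so on) are hypothetical stand-ins for the
kernel's list_head/Qdisc machinery, and the model deliberately ignores details
such as drop counts carried over to a later dequeue. It exercises three
configurations: the pre-fix "&& sch->q.qlen" guard in front of the parent
update with a non-idempotent ->qlen_notify() (the CVE condition: a child that
drops everything leaves the parent with a stale qlen and an empty class still
on its active list); the guard removed but ->qlen_notify() still non-idempotent
(the class is deactivated twice, once from the drop path and once from the
parent's own post-dequeue check, i.e. a double list_del()); and the full series
(guard removed, ->qlen_notify() idempotent).

```c
#include <stdbool.h>
#include <stdio.h>

/* Doubly linked list in the style of the kernel's list_head. */
struct list_node { struct list_node *prev, *next; };

static void list_init(struct list_node *n) { n->prev = n->next = n; }
static bool list_empty(const struct list_node *n) { return n->next == n; }
/* list_del_init(): unlink and self-link, so list_empty() later reports it. */
static void list_del_init(struct list_node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

/* Hypothetical stand-ins for a leaf class and its classful parent qdisc. 'qlen'
 * in the parent is its sch->q.qlen; 'corrupted' records a double unlink. */
struct child_class { struct list_node active; int qlen; };
struct parent_qdisc { struct list_node active_list; int qlen; bool corrupted; };
typedef void (*qlen_notify_fn)(struct parent_qdisc *, struct child_class *);

/* Pre-series ->qlen_notify(): plain list_del(). In the kernel a second call
 * writes through the poisoned pointers; here it is detected and recorded. */
static void qlen_notify_nonidempotent(struct parent_qdisc *p, struct child_class *c)
{
    struct list_node *n = &c->active;
    if (n->prev == NULL) { p->corrupted = true; return; }   /* double list_del() */
    n->prev->next = n->next; n->next->prev = n->prev;
    n->prev = n->next = NULL;                                /* LIST_POISON */
}
/* Post-series ->qlen_notify(): a no-op once the class is already inactive. */
static void qlen_notify_idempotent(struct parent_qdisc *p, struct child_class *c)
{
    if (!list_empty(&c->active))
        list_del_init(&c->active);
}

/* Model of qdisc_tree_reduce_backlog(): notify the parent only when the child
 * has become empty, then correct the parent's own counter. */
static void tree_reduce_backlog(struct parent_qdisc *p, struct child_class *c,
                                int dropped, qlen_notify_fn notify)
{
    if (c->qlen == 0)
        notify(p, c);
    p->qlen -= dropped;
}

/* Model of the fq_codel dequeue path: codel drops 'dropped' packets, one packet
 * is handed up if any remain. keep_qlen_check is the pre-fix "&& sch->q.qlen"
 * guard that skipped the parent update when the child had just become empty. */
static bool child_dequeue(struct parent_qdisc *p, struct child_class *c, int dropped,
                          bool keep_qlen_check, qlen_notify_fn notify)
{
    c->qlen -= dropped;
    bool got_skb = c->qlen > 0;
    if (got_skb)
        c->qlen--;
    if (dropped && (!keep_qlen_check || c->qlen))
        tree_reduce_backlog(p, c, dropped, notify);
    return got_skb;
}

/* Model of a classful parent's dequeue: if a packet came out and the class is
 * now empty, deactivate it with the same helper ->qlen_notify() uses. */
static bool parent_dequeue(struct parent_qdisc *p, struct child_class *c, int dropped,
                           bool keep_qlen_check, qlen_notify_fn notify)
{
    if (list_empty(&p->active_list))
        return false;
    bool got_skb = child_dequeue(p, c, dropped, keep_qlen_check, notify);
    if (got_skb) {
        p->qlen--;
        if (c->qlen == 0)
            notify(p, c);
    }
    return got_skb;
}

enum outcome { CONSISTENT = 0, QLEN_MISMATCH = 1, LIST_CORRUPTED = 2 };

/* One class holding 'queued' packets, one parent dequeue during which codel
 * drops 'dropped' of them (0 <= dropped <= queued); classify the end state. */
static enum outcome run_scenario(int queued, int dropped, bool keep_qlen_check,
                                 qlen_notify_fn notify)
{
    struct parent_qdisc p = { .qlen = queued, .corrupted = false };
    struct child_class c = { .qlen = queued };
    list_init(&p.active_list);
    c.active.prev = c.active.next = &p.active_list;       /* list_add_tail() */
    p.active_list.prev = p.active_list.next = &c.active;
    parent_dequeue(&p, &c, dropped, keep_qlen_check, notify);
    if (p.corrupted)
        return LIST_CORRUPTED;
    /* Parent and child must agree on the backlog, and the class must be on the
     * active list exactly when it still holds packets. */
    if (p.qlen != c.qlen || (c.qlen == 0) == !list_empty(&p.active_list))
        return QLEN_MISMATCH;
    return CONSISTENT;
}
```

For the three configurations above, run_scenario(3, 3, true,
qlen_notify_nonidempotent) returns QLEN_MISMATCH, run_scenario(3, 2, false,
qlen_notify_nonidempotent) returns LIST_CORRUPTED, and every mix of drops with
qlen_notify_idempotent and the guard removed returns CONSISTENT. The double
list_del() is reported through the corrupted flag rather than reproduced, since
in the kernel it would write through the poisoned pointers.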