ACK: [SRU][F/J/N/O/P][PATCH v2 0/5] CVE-2025-37798
Edoardo Canepa
edoardo.canepa at canonical.com
Tue Jun 10 07:16:13 UTC 2025

On 27/05/25 23:46, Ian Whitfield wrote:
> [Impact]
>
> From the lkml thread at
> https://lore.kernel.org/all/20250403211033.166059-1-xiyou.wangcong@gmail.com/
>
> "a vulnerability exists in fq_codel where manipulating the MTU can cause
> codel_dequeue() to drop all packets. The parent qdisc's sch->q.qlen is only
> updated via ->qlen_notify() if the fq_codel queue remains non-empty after the
> drops. This discrepancy in qlen between fq_codel and its parent can lead to a
> use-after-free condition.
>
> Let's fix this by making all existing ->qlen_notify() idempotent so that the
> sch->q.qlen check will be no longer necessary."
>
> Plucky received one of the fix commits via stable updates; however, this patch
> alone does not complete the fix and actually may have introduced a regression.
> See the stable mailing list thread on the topic:
> https://lore.kernel.org/stable/CAHcdcOkW1D_zKh-HPsfjX-oGYhv-OwojPXVwcA=NYoO0hcCbZQ@mail.gmail.com/
>
> These missing patches were included for the Plucky patchset; the fix commit
> which was already applied is not present in that thread. Plucky also has the
> quirk of being the only supported kernel which had the prerequisite code for the
> selftests associated with this CVE, so those are included in that thread but not
> in others.
>
> [Backport]
>
> All kernels required some attention to backport; see their individual commit
> trailers for more details.
>
> Patches for sch_ets were excluded in kernels which don't have that module.
> Patches which add selftest test cases were excluded when the test file being
> edited was not present in the tree.
>
> The sch_htb change in the original patchset required a fix commit:
> 376947861013 ("sch_htb: make htb_deactivate() idempotent")
>
> [Fix]
>
> Plucky: backport of missing patches and selftests
> Oracular: backport of fix patches
> Noble: backport of fix patches
> Jammy: backport of fix patches
> Focal: backport of fix patches
> Bionic: sent to ESM ML
> Xenial: sent to ESM ML
>
> [Test Case]
>
> Compile and boot tested. The selftests added in Plucky by this patchset were
> run successfully.
>
> [Where problems could occur]
>
> This fix affects users of the codel (Controlled Delay) queuing discipline
> component. An issue with this fix would be visible to the user as network
> scheduler queue mismanagement, which could result in a denial of service
> exploit.
>
> v2: Added 376947861013 ("sch_htb: make htb_deactivate() idempotent")
>
> Cong Wang (10):
>   sch_htb: make htb_qlen_notify() idempotent
>   sch_drr: make drr_qlen_notify() idempotent
>   sch_hfsc: make hfsc_qlen_notify() idempotent
>   sch_qfq: make qfq_qlen_notify() idempotent
>   sch_ets: make est_qlen_notify() idempotent
>   selftests/tc-testing: Add a test case for FQ_CODEL with HTB parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with QFQ parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with HFSC parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with DRR parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with ETS parent
>
>  net/sched/sch_drr.c                           |   7 +-
>  net/sched/sch_ets.c                           |   8 +-
>  net/sched/sch_hfsc.c                          |   8 +-
>  net/sched/sch_htb.c                           |   2 +
>  net/sched/sch_qfq.c                           |   7 +-
>  .../tc-testing/tc-tests/infra/qdiscs.json     | 157 +++++++++++++++++-
>  6 files changed, 177 insertions(+), 12 deletions(-)
>
Acked-by: Edoardo Canepa <edoardo.canepa at canonical.com>
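
Added example, not part of this thread or of the kernel patches it covers: a userspace C model of why a deactivation callback has to be idempotent before its caller can stop guarding the call, as the quoted [Impact] text describes for ->qlen_notify(). The list helpers and every toy_* name are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal circular list modelled on the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_unlink(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
}

/* Hypothetical parent scheduler and class; all toy_* names are assumptions. */
struct toy_sched { struct list_head active; unsigned int nr_active; };
struct toy_class { struct list_head alist; };
static void toy_activate(struct toy_sched *s, struct toy_class *c)
{
    c->alist.prev = s->active.prev; c->alist.next = &s->active;
    s->active.prev->next = &c->alist; s->active.prev = &c->alist;
    s->nr_active++;
}

/* Fragile: correct only if the caller guarantees exactly one call. */
static void toy_notify_fragile(struct toy_sched *s, struct toy_class *c)
{
    list_unlink(&c->alist);      /* node keeps stale neighbour pointers */
    s->nr_active--;              /* wraps on a repeated call */
}

/* Idempotent: the class's own link state decides; repeats are no-ops. */
static void toy_notify_idempotent(struct toy_sched *s, struct toy_class *c)
{
    if (list_empty(&c->alist)) return;   /* already inactive */
    list_unlink(&c->alist);
    list_init(&c->alist);        /* reads as "not linked" from now on */
    s->nr_active--;
}

/* Activate one class, then deliver the notify `calls` times. */
static unsigned int run(bool idempotent, int calls)
{
    struct toy_sched s = { .nr_active = 0 }; struct toy_class c;
    list_init(&s.active); list_init(&c.alist); toy_activate(&s, &c);
    while (calls-- > 0)
        (idempotent ? toy_notify_idempotent : toy_notify_fragile)(&s, &c);
    return s.nr_active;
}

int main(void) { printf("%u %u\n", run(false, 2), run(true, 2)); return 0; }
```

With two notifications for the same class, the fragile variant leaves the active counter wrapped to UINT_MAX, while the idempotent variant leaves it at 0.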