ACK: [SRU][F/J/O][PATCH 0/1] CVE-2025-21703
Stewart Hore
stewart.hore at canonical.com
Tue Mar 4 22:11:58 UTC 2025
On Tue, Mar 04, 2025 at 11:20:41AM -0800, Tim Whisonant wrote:
> [Impact]
>
> netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
>
> qdisc_tree_reduce_backlog() notifies parent qdisc only if child
> qdisc becomes empty, therefore we need to reduce the backlog of the
> child qdisc before calling it. Otherwise it would miss the opportunity
> to call cops->qlen_notify(), in the case of DRR, it resulted in UAF
> since DRR uses ->qlen_notify() to maintain its active list.
>
> [Cherry Pick]
>
> Cherry picked from upstream.
>
> [Fix]
>
> Oracular: cherry picked from upstream
> Noble: not affected
> Jammy: cherry picked from upstream
> Focal: cherry picked from upstream
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the core network logic. Problems might manifest as
> anomalies in the queuing discipline backlog processing.
>
> Cong Wang (1):
> netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
>
> net/sched/sch_netem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
Acked-by: Stewart Hore <stewart.hore at canonical.com>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list