[SRU][F/J/N/O/P][PATCH v2 0/5] CVE-2025-37798
Ian Whitfield
ian.whitfield at canonical.com
Tue May 27 21:46:45 UTC 2025
[Impact]
From the lkml thread at
https://lore.kernel.org/all/20250403211033.166059-1-xiyou.wangcong@gmail.com/
"a vulnerability exists in fq_codel where manipulating the MTU can cause
codel_dequeue() to drop all packets. The parent qdisc's sch->q.qlen is only
updated via ->qlen_notify() if the fq_codel queue remains non-empty after the
drops. This discrepancy in qlen between fq_codel and its parent can lead to a
use-after-free condition.
Let's fix this by making all existing ->qlen_notify() idempotent so that the
sch->q.qlen check will be no longer necessary."
Plucky received one of the fix commits via stable updates; however, this patch
alone does not complete the fix and actually may have introduced a regression.
See the stable mailing list thread on the topic:
https://lore.kernel.org/stable/CAHcdcOkW1D_zKh-HPsfjX-oGYhv-OwojPXVwcA=NYoO0hcCbZQ@mail.gmail.com/
These missing patches were included in the Plucky patchset; the fix commit
which was already applied is not present in that thread. Plucky also has the
quirk of being the only supported kernel which had the prerequisite code for the
selftests associated with this CVE, so those are included in that thread but not
in others.
[Backport]
All kernels required some attention to backport, see their individual commit
trailers for more details.
Patches for sch_ets were excluded in kernels which don't have that module.
Patches which add selftest test cases were excluded when the test file being
edited was not present in the tree.
The sch_htb change in the original patchset required a fix commit:
376947861013 ("sch_htb: make htb_deactivate() idempotent")
[Fix]
Plucky: backport of missing patches and selftests
Oracular: backport of fix patches
Noble: backport of fix patches
Jammy: backport of fix patches
Focal: backport of fix patches
Bionic: sent to ESM ML
Xenial: sent to ESM ML
[Test Case]
Compile and boot tested. The selftests added in Plucky by this patchset were
run successfully.
[Where problems could occur]
This fix affects users of the codel (Controlled Delay) queuing discipline
component. An issue with this fix would be visible to the user as network
scheduler queue mismanagement, which could result in a denial of service
exploit.
v2: Added 376947861013 ("sch_htb: make htb_deactivate() idempotent")
Cong Wang (10):
sch_htb: make htb_qlen_notify() idempotent
sch_drr: make drr_qlen_notify() idempotent
sch_hfsc: make hfsc_qlen_notify() idempotent
sch_qfq: make qfq_qlen_notify() idempotent
sch_ets: make est_qlen_notify() idempotent
selftests/tc-testing: Add a test case for FQ_CODEL with HTB parent
selftests/tc-testing: Add a test case for FQ_CODEL with QFQ parent
selftests/tc-testing: Add a test case for FQ_CODEL with HFSC parent
selftests/tc-testing: Add a test case for FQ_CODEL with DRR parent
selftests/tc-testing: Add a test case for FQ_CODEL with ETS parent
net/sched/sch_drr.c | 7 +-
net/sched/sch_ets.c | 8 +-
net/sched/sch_hfsc.c | 8 +-
net/sched/sch_htb.c | 2 +
net/sched/sch_qfq.c | 7 +-
.../tc-testing/tc-tests/infra/qdiscs.json | 157 +++++++++++++++++-
6 files changed, 177 insertions(+), 12 deletions(-)
--
2.43.0
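As an added illustration (not code from this patchset or from the kernel), a toy C model of why making ->qlen_notify() idempotent closes the qlen discrepancy described in the [Impact] section: the parent's active-class bookkeeping survives a second notification only when the callback ignores a class that is already inactive. The struct and function names are simplified stand-ins, and the double notification is a simplified model of the kernel call paths, not the exact sequence.

```c
#include <stdbool.h>

/* Toy model (not kernel code) of a parent scheduler and one leaf class. */
struct parent { int n_active; };   /* classes the parent believes are on its active list */
struct leaf_class {
    struct parent *parent;
    int qlen;                      /* backlog of the child qdisc (fq_codel stand-in) */
    bool active;                   /* is this class on the parent's active list? */
};

static void activate(struct leaf_class *c, int pkts) {
    c->qlen = pkts;
    if (!c->active) { c->active = true; c->parent->n_active++; }
}

/* Pre-fix notify: unconditionally takes the class off the active list.
 * Calling it for an already-inactive class corrupts the parent's bookkeeping. */
static void qlen_notify_old(struct leaf_class *c) {
    c->parent->n_active--;
    c->active = false;
}

/* Post-fix notify: a no-op when the class is already inactive, so callers no
 * longer need to check the child's qlen before notifying the parent. */
static void qlen_notify_new(struct leaf_class *c) {
    if (!c->active) return;
    c->parent->n_active--;
    c->active = false;
}

/* Simplified sequence (assumption, not the exact kernel paths): the child drops
 * its whole backlog internally, the parent is notified once, and a second path
 * later finds the leaf empty and notifies again. Returns the parent's
 * active-class count; anything other than 0 means inconsistent state. */
int simulate(bool idempotent) {
    void (*notify)(struct leaf_class *) = idempotent ? qlen_notify_new : qlen_notify_old;
    struct parent p = { 0 };
    struct leaf_class c = { &p, 0, false };

    activate(&c, 3);
    c.qlen = 0;          /* codel_dequeue() dropped every packet */
    notify(&c);          /* first notification: class leaves the active list */
    notify(&c);          /* second notification for the now-empty leaf */
    return p.n_active;   /* old callback: -1, idempotent callback: 0 */
}
```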