CVE-2025-37953
sch_htb: make htb_deactivate() idempotent
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
sch_htb: make htb_deactivate() idempotent
In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here. For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside. To fix the issues here, we need to: 1) Make htb_deactivate() idempotent, that is, simply return if we already call it before. 2) Make htb_next_rb_node() safe against ptr==NULL. Many thanks to Alan for testing and for the reproducer.
Reserved 2025-04-16 | Published 2025-05-20 | Updated 2025-05-26 | Assigner Linuxgit.kernel.org/...c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
git.kernel.org/...c/31ff70ad39485698cf779f2078132d80b57f6c07
git.kernel.org/...c/98cd7ed92753090a714f0802d4434314526fe61d
git.kernel.org/...c/c4792b9e38d2f61b07eac72f10909fa76130314b
git.kernel.org/...c/3769478610135e82b262640252d90f6efb05be71
Support options
