Home

Description

In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

PUBLISHED Reserved 2025-04-16 | Published 2025-07-03 | Updated 2025-11-03 | Assigner Linux

Product status

Default status
unaffected

699d82e9a6db29d509a71f1f2f4316231e6232e6 (git) before eb7b74e9754e1ba2088f914ad1f57a778b11894b
affected

ce881ddbdc028fb1988b66e40e45ca0529c23b46 (git) before 0b479d0aa488cb478eb2e1d8868be946ac8afb4f
affected

b05972f01e7d30419987a1f221b5593668fd6448 (git) before 347867cb424edae5fec1622712c8dd0a2c42918f
affected

b05972f01e7d30419987a1f221b5593668fd6448 (git) before 0383b25488a545be168744336847549d4a2d3d6c
affected

b05972f01e7d30419987a1f221b5593668fd6448 (git) before 073f64c03516bcfaf790f8edc772e0cfb8a84ec3
affected

b05972f01e7d30419987a1f221b5593668fd6448 (git) before fed94bd51d62d2e0e006aa61480e94e5cd0582b0
affected

b05972f01e7d30419987a1f221b5593668fd6448 (git) before d92adacdd8c2960be856e0b82acc5b7c5395fddb
affected

fffa19b5e58c34004a0d6f642d9c24b11d213994 (git)
affected

fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d (git)
affected

Default status
affected

6.0
affected

Any version before 6.0
unaffected

5.10.239 (semver)
unaffected

5.15.186 (semver)
unaffected

6.1.142 (semver)
unaffected

6.6.94 (semver)
unaffected

6.12.34 (semver)
unaffected

6.15.3 (semver)
unaffected

6.16 (original_commit_for_fix)
unaffected

References

lists.debian.org/debian-lts-announce/2025/10/msg00008.html

lists.debian.org/debian-lts-announce/2025/10/msg00007.html

git.kernel.org/...c/eb7b74e9754e1ba2088f914ad1f57a778b11894b

git.kernel.org/...c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f

git.kernel.org/...c/347867cb424edae5fec1622712c8dd0a2c42918f

git.kernel.org/...c/0383b25488a545be168744336847549d4a2d3d6c

git.kernel.org/...c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3

git.kernel.org/...c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0

git.kernel.org/...c/d92adacdd8c2960be856e0b82acc5b7c5395fddb

cve.org (CVE-2025-38107)

nvd.nist.gov (CVE-2025-38107)

Download JSON