We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-38457

net/sched: Abort __tc_modify_qdisc if parent class does not exist



Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

Reserved 2025-04-16 | Published 2025-07-25 | Updated 2025-07-25 | Assigner Linux

Product status

Default status
unaffected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before 923a276c74e25073ae391e930792ac86a9f77f1e
affected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before 90436e72c9622c2f70389070088325a3232d339f
affected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before 25452638f133ac19d75af3f928327d8016952c8e
affected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before 23c165dde88eac405eebb59051ea1fe139a45803
affected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before 4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
affected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before 8ecd651ef24ab50123692a4e3e25db93cb11602a
affected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before e28a383d6485c3bb51dc5953552f76c4dea33eea
affected

5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 before ffdde7bf5a439aaa1955ebd581f5c64ab1533963
affected

Default status
affected

2.6.20
affected

Any version before 2.6.20
unaffected

5.4.296
unaffected

5.10.240
unaffected

5.15.189
unaffected

6.1.146
unaffected

6.6.99
unaffected

6.12.39
unaffected

6.15.7
unaffected

6.16-rc6
unaffected

References

git.kernel.org/...c/923a276c74e25073ae391e930792ac86a9f77f1e

git.kernel.org/...c/90436e72c9622c2f70389070088325a3232d339f

git.kernel.org/...c/25452638f133ac19d75af3f928327d8016952c8e

git.kernel.org/...c/23c165dde88eac405eebb59051ea1fe139a45803

git.kernel.org/...c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af

git.kernel.org/...c/8ecd651ef24ab50123692a4e3e25db93cb11602a

git.kernel.org/...c/e28a383d6485c3bb51dc5953552f76c4dea33eea

git.kernel.org/...c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963

cve.org (CVE-2025-38457)

nvd.nist.gov (CVE-2025-38457)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-38457

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.