Acknowledged
Created: Jun 9, 2025
Updated: Jun 12, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free.

This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek.
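The ordering problem described above, as an added user-space model (not the kernel's code or the patch itself): the struct and function names are illustrative stand-ins, and the child's peek is assumed to always drop the packet. Both orders end with the same counters; what differs is the state the backlog reduction sees during the peek.

```c
#include <stdio.h>
#include <stdbool.h>

/* Simplified model; names are illustrative, not kernel identifiers. */
struct parent_q { unsigned int qlen, backlog; bool underflow; };
struct child_q  { unsigned int qlen, pkt_len; struct parent_q *parent; };

/* Stand-in for qdisc_tree_reduce_backlog(): subtract from the parent. */
static void reduce_backlog(struct parent_q *p, unsigned int n, unsigned int len)
{
    if (p->qlen < n || p->backlog < len)
        p->underflow = true;      /* parent counters were not yet updated */
    p->qlen -= n;                 /* unsigned: wraps when the parent held 0 */
    p->backlog -= len;
}

/* Stand-in for a child peek() that dequeues and drops the packet. */
static void child_peek_drops(struct child_q *c)
{
    if (c->qlen == 0)
        return;
    c->qlen--;
    reduce_backlog(c->parent, 1, c->pkt_len);
}

/* Enqueue the first packet; fixed_order selects increment-before-peek. */
static struct parent_q enqueue_first(bool fixed_order, unsigned int len)
{
    struct parent_q p = {0, 0, false};
    struct child_q c = {1, len, &p};  /* child already accepted the packet */

    if (fixed_order) { p.qlen++; p.backlog += len; }   /* patched order */
    child_peek_drops(&c);
    if (!fixed_order) { p.qlen++; p.backlog += len; }  /* original order */
    return p;
}

int main(void)
{
    struct parent_q bug = enqueue_first(false, 100);  /* constructed 100-byte packet */
    struct parent_q fix = enqueue_first(true, 100);
    printf("original: qlen=%u backlog=%u underflow=%d\n", bug.qlen, bug.backlog, bug.underflow);
    printf("patched:  qlen=%u backlog=%u underflow=%d\n", fix.qlen, fix.backlog, fix.underflow);
    return 0;
}
```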
CREATE(Triage):(User=lchen-cn) CVE-2025-38000 (https://nvd.nist.gov/vuln/detail/CVE-2025-38000)