Wind River Support Network

Fixed

LIN1022-16684 : Security Advisory - linux - CVE-2025-38350

Created: Jul 20, 2025    Updated: Aug 28, 2025
Resolved Date: Aug 28, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Always pass notifications when child class becomes empty

Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.

The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:

    tc qdisc add dev lo root handle 1: drr
    tc filter add dev lo parent 1: basic classid 1:1
    tc class add dev lo parent 1: classid 1:1 drr
    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
    tc qdisc add dev lo parent 2:1 handle 3: netem
    tc qdisc add dev lo parent 3:1 handle 4: blackhole

    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
    tc class delete dev lo classid 1:1
    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888

Since backlog accounting issues leading to use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.
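
The notification rule described above, as a simplified userspace C model (an added example, not kernel code and not part of the advisory). The struct and function names other than qlen_notify are hypothetical, and the "old" rule is an assumed stand-in that skips the parent when there is nothing to subtract.

```c
/* Simplified userspace model of the notify decision; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct cls   { bool active; int deactivations; };   /* class in the parent */
struct child { int qlen; struct cls *parent_cl; };  /* child qdisc         */

/* Idempotent handler: a repeat call on a passive class is a no-op. */
static void qlen_notify(struct cls *cl)
{
    if (!cl->active)
        return;
    cl->active = false;
    cl->deactivations++;
}

/* n = packets this call subtracts from the parent's accounting.
 * always_notify == false: assumed stand-in for the old rule, which does
 *   not tell the parent anything when there is nothing to subtract.
 * always_notify == true: the approach in the description, notify
 *   whenever the child is empty. */
static void tree_reduce_backlog(struct child *c, int n, bool always_notify)
{
    if (!always_notify && n == 0)
        return;
    if (c->qlen == 0)
        qlen_notify(c->parent_cl);
}

/* Returns true if the class is still on the parent's active list at the
 * point where it would be freed, i.e. the parent keeps a stale pointer. */
static bool stale_at_delete(bool always_notify, int *deactivations)
{
    /* State the description says enqueue can produce: class active
     * while its child qdisc is already empty. */
    struct cls cl = { .active = true, .deactivations = 0 };
    struct child c = { .qlen = 0, .parent_cl = &cl };

    /* Class delete: the purge finds 0 packets and reports n = 0. */
    tree_reduce_backlog(&c, 0, always_notify);
    tree_reduce_backlog(&c, 0, always_notify);  /* repeat is harmless */
    *deactivations = cl.deactivations;
    return cl.active;
}

int main(void)
{
    int d;
    printf("old rule: stale=%d\n", stale_at_delete(false, &d));
    printf("new rule: stale=%d\n", stale_at_delete(true, &d));
    return 0;
}
```

Under the modelled old rule the class is freed while still marked active; with always-notify it is deactivated exactly once even though the handler is called twice.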

CREATE(Triage):(User=admin) CVE-2025-38350 (https://nvd.nist.gov/vuln/detail/CVE-2025-38350)