Fixed
Created: Jul 28, 2025
Updated: Aug 28, 2025
Resolved Date: Aug 28, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Abort __tc_modify_qdisc if parent class does not exist

Lion's patch [1] revealed an ancient bug in the qdisc API.
Whenever a user creates/modifies a qdisc specifying as a parent another
qdisc, the qdisc API will, during grafting, detect that the user is
not trying to attach to a class and reject. However grafting is
performed after qdisc_create (and thus the qdiscs' init callback) is
executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
during init or change (such as fq, hhf, choke, etc), an issue
arises. For example, executing the following commands:

sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq

Qdiscs such as fq, hhf, choke, etc unconditionally invoke
qdisc_tree_reduce_backlog() in their control path init() or change() which
then causes a failure to find the child class; however, that does not stop
the unconditional invocation of the assumed child qdisc's qlen_notify with
a null class. All these qdiscs make the assumption that class is non-null.

The solution is to ensure that qdisc_leaf() which looks up the parent
class, and is invoked prior to qdisc_create(), should return failure on
not finding the class.
In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
parentid doesn't correspond to a class, so that we can detect it
earlier on and abort before qdisc_create is called.

[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
CVE-2025-38457 (https://nvd.nist.gov/vuln/detail/CVE-2025-38457)
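The ordering the fix establishes (resolve the parent class first, create the child qdisc only if that succeeds) can be seen in a small userspace model. This is an added example, not the kernel patch or Wind River code: the struct layout, the `init_calls` counter, the `-ENOENT` value and the sample root are assumptions of the model, and only the function names follow the commit message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model: names follow the commit message, bodies are simplified. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(intptr_t err) { return (void *)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int PTR_ERR(const void *p) { return (int)(intptr_t)p; }

#define NCLASS 4
struct qdisc {
    uint32_t handle;               /* major:0, e.g. a: is 0x000a0000 */
    uint32_t classid[NCLASS];      /* 0 marks an unused slot */
    struct qdisc *leaf[NCLASS];    /* NULL: class exists, no leaf attached */
};

int init_calls;                    /* how often the child's init() ran */

/* Fixed lookup: an unknown parent class is an error, not a NULL leaf. */
struct qdisc *qdisc_leaf(struct qdisc *p, uint32_t classid)
{
    for (int i = 0; i < NCLASS; i++)
        if (p->classid[i] != 0 && p->classid[i] == classid)
            return p->leaf[i];
    return ERR_PTR(-ENOENT);       /* errno chosen for this model */
}

/* Modify path: resolve the parent first, create the child only on success. */
int tc_modify_qdisc(struct qdisc *parent, uint32_t parentid)
{
    struct qdisc *q = qdisc_leaf(parent, parentid);
    if (IS_ERR(q))
        return PTR_ERR(q);         /* abort before any init() runs */
    init_calls++;                  /* stands in for qdisc_create() */
    return 0;
}

/* Constructed sample: root qdisc a: with a single class a:1. */
struct qdisc root = { 0x000a0000, { 0x000a0001 }, { 0 } };

int main(void)
{
    int rc = tc_modify_qdisc(&root, 0x000a0000);   /* parent a: is a qdisc */
    printf("parent a:  rc=%d init_calls=%d\n", rc, init_calls);
    rc = tc_modify_qdisc(&root, 0x000a0001);       /* parent a:1 is a class */
    printf("parent a:1 rc=%d init_calls=%d\n", rc, init_calls);
    return 0;
}
```

With the parent given as `a:` the model returns the error and the init counter stays at zero; with `a:1` the child is created.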