APPLIED: [SRU][J/N/O/P][PATCH v2 0/5] CVE-2025-37798

Mehmet Basaran mehmet.basaran at canonical.com
Wed Jun 11 13:01:38 UTC 2025


Applied to jammy:linux master-next branch.
Applied to noble:linux master-next branch.

Applied to oracular:linux master-next branch. The following patch was already applied via upstream (LP: #2111782). We will probably not release these changes because the oracular kernel will be EOL.
 - a2d292fc52b2 codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()

Applied to plucky:linux master-next branch. The following patches were already applied via upstream (LP: #2113881):
 - 5e332d3ee6b8 sch_ets: make est_qlen_notify() idempotent
 - f16514c24539 sch_qfq: make qfq_qlen_notify() idempotent
 - d72ddeb4bc18 sch_hfsc: make hfsc_qlen_notify() idempotent
 - 9f3e5498e28a sch_drr: make drr_qlen_notify() idempotent
 - 6b6af6f33a30 sch_htb: make htb_qlen_notify() idempotent

Ian Whitfield <ian.whitfield at canonical.com> writes:

> [Impact]
>
> From the lkml thread at
> https://lore.kernel.org/all/20250403211033.166059-1-xiyou.wangcong@gmail.com/
>
> "a vulnerability exists in fq_codel where manipulating the MTU can cause
> codel_dequeue() to drop all packets. The parent qdisc's sch->q.qlen is only
> updated via ->qlen_notify() if the fq_codel queue remains non-empty after the
> drops. This discrepancy in qlen between fq_codel and its parent can lead to a
> use-after-free condition.
>
> Let's fix this by making all existing ->qlen_notify() idempotent so that the
> sch->q.qlen check will be no longer necessary."
>
> Plucky received one of the fix commits via stable updates, however this patch
> alone does not complete the fix and actually may have introduced a regression.
> See the stable mailing list thread on the topic:
> https://lore.kernel.org/stable/CAHcdcOkW1D_zKh-HPsfjX-oGYhv-OwojPXVwcA=NYoO0hcCbZQ@mail.gmail.com/
>
> These missing patches were included for the Plucky patchset, the fix commit
> which was already applied is not present in that thread. Plucky also has the
> quirk of being the only supported kernel which had the prerequisite code for the
> selftests associated with this CVE, so those are included in that thread but not
> in others.
>
> [Backport]
>
> All kernels required some attention to backport, see their individual commit
> trailers for more details.
>
> Patches for sch_ets were excluded in kernels which don't have that module.
> Patches which add selftest test cases were excluded when the test file being
> edited was not present in the tree.
>
> The sch_htb change in the original patchset required a fix commit:
> 376947861013 ("sch_htb: make htb_deactivate() idempotent")
>
> [Fix]
>
> Plucky:   backport of missing patches and selftests
> Oracular: backport of fix patches
> Noble:    backport of fix patches
> Jammy:    backport of fix patches
> Focal:    backport of fix patches
> Bionic:   sent to ESM ML
> Xenial:   sent to ESM ML
>
> [Test Case]
>
> Compile and boot tested. The selftests added in Plucky by this patchset were
> run successfully.
>
> [Where problems could occur]
>
> This fix affects users of the codel (Controlled Delay) queuing discipline
> component. An issue with this fix would be visible to the user as network
> scheduler queue mismanagement, which could result in a denial of service
> exploit.
>
> v2: Added 376947861013 ("sch_htb: make htb_deactivate() idempotent")
>
> Cong Wang (10):
>   sch_htb: make htb_qlen_notify() idempotent
>   sch_drr: make drr_qlen_notify() idempotent
>   sch_hfsc: make hfsc_qlen_notify() idempotent
>   sch_qfq: make qfq_qlen_notify() idempotent
>   sch_ets: make est_qlen_notify() idempotent
>   selftests/tc-testing: Add a test case for FQ_CODEL with HTB parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with QFQ parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with HFSC parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with DRR parent
>   selftests/tc-testing: Add a test case for FQ_CODEL with ETS parent
>
>  net/sched/sch_drr.c                           |   7 +-
>  net/sched/sch_ets.c                           |   8 +-
>  net/sched/sch_hfsc.c                          |   8 +-
>  net/sched/sch_htb.c                           |   2 +
>  net/sched/sch_qfq.c                           |   7 +-
>  .../tc-testing/tc-tests/infra/qdiscs.json     | 157 +++++++++++++++++-
>  6 files changed, 177 insertions(+), 12 deletions(-)
>
> -- 
> 2.43.0
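A user-space model of the failure described in the quoted [Impact] text, added here as an illustration and not taken from the patch set or the kernel. The struct, the function names and the three-packet scenario are constructed, and the repeated call stands in for any second notification about an already empty child.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; all names are hypothetical, not kernel code. */
struct parent_class {
    bool active;        /* class is on the parent's active list */
    int  qlen;          /* parent's count of packets queued below it */
    int  deactivations; /* times the class was taken off the active list */
};
typedef void (*notify_fn)(struct parent_class *);

/* Fragile: assumes exactly one call per transition to empty. */
static void notify_fragile(struct parent_class *cl)
{
    cl->active = false;
    cl->deactivations++;            /* teardown repeats on every call */
}

/* Idempotent: a call for an already idle class changes nothing. */
static void notify_idempotent(struct parent_class *cl)
{
    if (!cl->active)
        return;
    cl->active = false;
    cl->deactivations++;
}

/* One class with 3 packets: the child drops them all, then reports upward. */
static struct parent_class scenario(bool skip_if_empty, notify_fn notify,
                                    int repeats)
{
    struct parent_class cl = { .active = true, .qlen = 3, .deactivations = 0 };
    int child_qlen = 3, dropped = child_qlen;
    child_qlen = 0;                               /* everything was dropped */
    if (!(skip_if_empty && child_qlen == 0)) {    /* checked path says nothing */
        cl.qlen -= dropped;
        for (int i = 0; i <= repeats; i++)        /* first call plus repeats */
            notify(&cl);
    }
    return cl;
}

int main(void)
{
    printf("stale qlen=%d fragile=%d idempotent=%d\n",
           scenario(true, notify_fragile, 0).qlen,
           scenario(false, notify_fragile, 1).deactivations,
           scenario(false, notify_idempotent, 1).deactivations);
    return 0;
}
```

With the check in place the parent keeps counting three packets under a class that is still marked active, although the child is empty. Removing the check is only safe once the notification tolerates being called again.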