[SRU][J/N/O/P][PATCH 0/1] CVE-2025-38083
Tim Whisonant
tim.whisonant at canonical.com
Wed Jun 25 23:00:02 UTC 2025
SRU Justification:
[Impact]
net_sched: prio: fix a race in prio_tune()
Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0                                 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
 |
 |                                    [5]: lock root
 |                                    [6]: rehash
 |                                    [7]: qdisc_tree_reduce_backlog()
 |
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
[Fix]
Plucky: applied Jammy patch
Oracular: applied Jammy patch
Noble: applied Jammy patch
Jammy: cherry picked from upstream
Focal: patch sent to ESM ML
Bionic: not affected
Xenial: not affected
Trusty: not affected
[Test Plan]
Compile and boot tested.
[Where problems could occur]
The change affects the Simple 3-band priority (network) scheduler.
Issues might manifest as packet drops or other unexpected behavior
in the networking stack.
Eric Dumazet (1):
net_sched: prio: fix a race in prio_tune()
net/sched/sch_prio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.0
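
Added example, not part of the original message or the upstream patch: a single-threaded C model that replays steps [1] to [7] of the race above and compares the parent's qlen under the old and new helper. The struct and function names are hypothetical stand-ins for the kernel helpers, and it assumes the SFQ rehash drops packets and reports them to its ancestors.

```c
#include <stdio.h>
/* Toy model, not kernel code: a parent's qlen includes packets held by its child. */
struct qdisc { unsigned int qlen; struct qdisc *parent; };

/* Stand-in for qdisc_tree_reduce_backlog(): subtract n from every ancestor. */
static void tree_reduce_backlog(struct qdisc *sch, unsigned int n)
{
    for (struct qdisc *p = sch->parent; p; p = p->parent)
        p->qlen -= n;
}

/* Stand-in for qdisc_tree_flush_backlog(): ancestors adjusted, child keeps its packets. */
static void tree_flush_backlog(struct qdisc *sch)
{
    tree_reduce_backlog(sch, sch->qlen);
}

/* Stand-in for qdisc_purge_queue(): child emptied first, then ancestors adjusted. */
static void purge_queue(struct qdisc *sch)
{
    unsigned int n = sch->qlen;
    sch->qlen = 0;
    tree_reduce_backlog(sch, n);
}

/* Assumed timer behaviour: rehash drops up to `drops` packets and reports them upward. */
static void perturb_rehash(struct qdisc *sfq, unsigned int drops)
{
    if (drops > sfq->qlen) drops = sfq->qlen;
    sfq->qlen -= drops;
    tree_reduce_backlog(sfq, drops);
}

/* Replays the interleaving; returns the parent's qlen after step [7]. */
unsigned int replay(int use_purge, unsigned int queued, unsigned int drops)
{
    struct qdisc prio = { queued, NULL };
    struct qdisc sfq = { queued, &prio };
    if (use_purge) purge_queue(&sfq); else tree_flush_backlog(&sfq); /* [1]-[3], CPU 0 */
    perturb_rehash(&sfq, drops);  /* [5]-[7], CPU 1, before [4] qdisc_put() */
    return prio.qlen;
}

int main(void)
{
    printf("flush: parent qlen = %u\n", replay(0, 4, 1));
    printf("purge: parent qlen = %u\n", replay(1, 4, 1));
    return 0;
}
```

With the flush variant the child still holds packets when the lock is dropped, so the later drop is subtracted from the parent a second time and the unsigned counter wraps.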