cve/published/2025/CVE-2025-37953.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37953: sch_htb: make htb_deactivate() idempotent

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sch_htb: make htb_deactivate() idempotent

 Alan reported a NULL pointer dereference in htb_next_rb_node()
 after we made htb_qlen_notify() idempotent.

 It turns out in the following case it introduced some regression:

 htb_dequeue_tree():
   |-> fq_codel_dequeue()
     |-> qdisc_tree_reduce_backlog()
       |-> htb_qlen_notify()
         |-> htb_deactivate()
   |-> htb_next_rb_node()
   |-> htb_deactivate()

 For htb_next_rb_node(), after calling the 1st htb_deactivate(), the
 clprio[prio]->ptr could be already set to  NULL, which means
 htb_next_rb_node() is vulnerable here.

 For htb_deactivate(), although we checked qlen before calling it, in
 case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again
 which triggers the warning inside.

 To fix the issues here, we need to:

 1) Make htb_deactivate() idempotent, that is, simply return if we
    already call it before.
 2) Make htb_next_rb_node() safe against ptr==NULL.

 Many thanks to Alan for testing and for the reproducer.

 The Linux kernel CVE team has assigned CVE-2025-37953 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.138 with commit 73cf6af13153d62f9b76eff422eea79dbc70f15e and fixed in 6.1.139 with commit c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
 	Issue introduced in 6.6.90 with commit bbbf5e0f87078b715e7a665d662a2c0e77f044ae and fixed in 6.6.91 with commit 31ff70ad39485698cf779f2078132d80b57f6c07
 	Issue introduced in 6.12.28 with commit 0a188c0e197383683fd093ab1ea6ce9a5869a6ea and fixed in 6.12.29 with commit 98cd7ed92753090a714f0802d4434314526fe61d
 	Issue introduced in 6.14.6 with commit a61f1b5921761fbaf166231418bc1db301e5bf59 and fixed in 6.14.7 with commit c4792b9e38d2f61b07eac72f10909fa76130314b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37953
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/sched/sch_htb.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153
 	https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
 	https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07
 	https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d
 	https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b
 	https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37953: sch_htb: make htb_deactivate() idempotent

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sch_htb: make htb_deactivate() idempotent

	Alan reported a NULL pointer dereference in htb_next_rb_node()
	after we made htb_qlen_notify() idempotent.

	It turns out in the following case it introduced some regression:

	htb_dequeue_tree():
	\|-> fq_codel_dequeue()
	\|-> qdisc_tree_reduce_backlog()
	\|-> htb_qlen_notify()
	\|-> htb_deactivate()
	\|-> htb_next_rb_node()
	\|-> htb_deactivate()

	For htb_next_rb_node(), after calling the 1st htb_deactivate(), the
	clprio[prio]->ptr could be already set to NULL, which means
	htb_next_rb_node() is vulnerable here.

	For htb_deactivate(), although we checked qlen before calling it, in
	case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again
	which triggers the warning inside.

	To fix the issues here, we need to:

	1) Make htb_deactivate() idempotent, that is, simply return if we
	already call it before.
	2) Make htb_next_rb_node() safe against ptr==NULL.

	Many thanks to Alan for testing and for the reproducer.

	The Linux kernel CVE team has assigned CVE-2025-37953 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.138 with commit 73cf6af13153d62f9b76eff422eea79dbc70f15e and fixed in 6.1.139 with commit c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
	Issue introduced in 6.6.90 with commit bbbf5e0f87078b715e7a665d662a2c0e77f044ae and fixed in 6.6.91 with commit 31ff70ad39485698cf779f2078132d80b57f6c07
	Issue introduced in 6.12.28 with commit 0a188c0e197383683fd093ab1ea6ce9a5869a6ea and fixed in 6.12.29 with commit 98cd7ed92753090a714f0802d4434314526fe61d
	Issue introduced in 6.14.6 with commit a61f1b5921761fbaf166231418bc1db301e5bf59 and fixed in 6.14.7 with commit c4792b9e38d2f61b07eac72f10909fa76130314b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37953
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/sched/sch_htb.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153
	https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
	https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07
	https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d
	https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b
	https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71