CVE-2025-37752

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2025
Last modified: 04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net_sched: sch_sfq: move the limit validation

It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed.

Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations:

  tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
  tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

This fixes the following syzkaller reported crash:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
sfq_link net/sched/sch_sfq.c:203 [inline]
sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
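
Added example (not the kernel's code and not part of the advisory text): a simplified C model of why the check has to run after the parameters are combined, using the first tc configuration above. The clamping rule min(limit, depth * flows), the rejected limit value of 1, the default values and all names are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model, NOT the kernel's sch_sfq.c. Assumed for illustration:
 * effective limit = min(limit, depth * flows), and a limit of 1 is invalid. */
#define MODEL_MAX_DEPTH 127u
#define MODEL_MAX_FLOWS 65408u
#define MODEL_BAD_LIMIT 1u
struct sfq_opts  { uint32_t limit, flows, depth; };   /* 0 = not supplied */
struct sfq_state { uint32_t limit, maxflows, maxdepth; };
static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }
/* Apply user options to a state; limit is clamped by the other parameters. */
static void derive(const struct sfq_opts *o, struct sfq_state *s)
{
    if (o->flows) s->maxflows = min_u32(o->flows, MODEL_MAX_FLOWS);
    if (o->depth) s->maxdepth = min_u32(o->depth, MODEL_MAX_DEPTH);
    if (o->limit) {
        s->limit = min_u32(o->limit, s->maxdepth * s->maxflows);
        s->maxflows = min_u32(s->maxflows, s->limit);
    }
}

/* Check placed first: only the number the user typed is validated. */
static int change_check_first(const struct sfq_opts *o, struct sfq_state *s)
{
    if (o->limit == MODEL_BAD_LIMIT) return -EINVAL;
    derive(o, s);
    return 0;
}

/* Check placed last: validate the derived value, commit only on success. */
static int change_check_last(const struct sfq_opts *o, struct sfq_state *s)
{
    struct sfq_state tmp = *s;
    derive(o, &tmp);
    if (tmp.limit == MODEL_BAD_LIMIT) return -EINVAL;
    *s = tmp;
    return 0;
}

int main(void)
{
    struct sfq_opts o = { .limit = 2, .flows = 1, .depth = 1 };
    struct sfq_state a = { 127, 128, 127 }, b = a;   /* model defaults */
    int ra = change_check_first(&o, &a), rb = change_check_last(&o, &b);
    printf("check first: rc=%d limit=%u\n", ra, a.limit);
    printf("check last:  rc=%d limit=%u\n", rb, b.limit);
    return 0;
}
```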

Vulnerable products and versions

CPE                                               From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.1.129 (including)   6.1.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.6.76 (including)    6.6.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.12.13 (including)   6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13.2 (including)    6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.14 (including)      6.14.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*