CVE-2025-37953

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
20/05/2025
Last modified:
17/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sch_htb: make htb_deactivate() idempotent

Alan reported a NULL pointer dereference in htb_next_rb_node()
after we made htb_qlen_notify() idempotent.

It turns out in the following case it introduced some regression:

htb_dequeue_tree():
  |-> fq_codel_dequeue()
    |-> qdisc_tree_reduce_backlog()
      |-> htb_qlen_notify()
        |-> htb_deactivate()
  |-> htb_next_rb_node()
  |-> htb_deactivate()

For htb_next_rb_node(), after calling the 1st htb_deactivate(), the
clprio[prio]->ptr could be already set to NULL, which means
htb_next_rb_node() is vulnerable here.

For htb_deactivate(), although we checked qlen before calling it, in
case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again
which triggers the warning inside.

To fix the issues here, we need to:

1) Make htb_deactivate() idempotent, that is, simply return if we
already call it before.
2) Make htb_next_rb_node() safe against ptr==NULL.

Many thanks to Alan for testing and for the reproducer.
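The call order in the commit message is easy to misread, so the following user-space model replays it. This is an added example, not the kernel's sch_htb.c: the `struct htb_class_model`, `rr_node`, `replay_dequeue_tree()` and the `_pre_fix`/`_idempotent`/`_safe` function names are all constructed stand-ins for the real `htb_class`, `rb_node`, `htb_deactivate()` and `htb_next_rb_node()`. The pre-fix variants record a would-be warning or NULL dereference in a counter instead of faulting, so the program can show both outcomes side by side.

```c
/* Constructed model of the htb_deactivate()/htb_next_rb_node() ordering
 * described in the commit message. Not the kernel's sch_htb.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct rr_node {                 /* stands in for struct rb_node */
    int id;
    struct rr_node *next;
};

struct htb_class_model {         /* stands in for the relevant htb_class fields */
    bool prio_activity;          /* true while the class sits on the active tree */
    struct rr_node *ptr;         /* round-robin cursor (clprio[prio]->ptr in the commit) */
    int deactivate_work;         /* times the real teardown ran */
    int warnings;                /* times the pre-fix precondition check would have fired */
    int null_derefs;             /* times an unguarded cursor advance would have faulted */
};

/* Pre-fix shape: assumes the caller checked qlen and the class is still active.
 * A second call trips the precondition (modelled as a counter, not WARN_ON). */
static void deactivate_pre_fix(struct htb_class_model *cl)
{
    if (!cl->prio_activity) {
        cl->warnings++;
        return;
    }
    cl->ptr = NULL;              /* leaving the active tree clears the cursor */
    cl->prio_activity = false;
    cl->deactivate_work++;
}

/* Post-fix shape: idempotent, a repeat call is a plain no-op. */
static void deactivate_idempotent(struct htb_class_model *cl)
{
    if (!cl->prio_activity)
        return;
    cl->ptr = NULL;
    cl->prio_activity = false;
    cl->deactivate_work++;
}

/* Pre-fix cursor advance: dereferences the cursor unconditionally.
 * Here the fault is recorded instead of taken so the model keeps running. */
static void next_node_pre_fix(struct htb_class_model *cl)
{
    if (cl->ptr == NULL) {
        cl->null_derefs++;
        return;
    }
    cl->ptr = cl->ptr->next;
}

/* Post-fix cursor advance: safe against ptr == NULL. */
static void next_node_safe(struct htb_class_model *cl)
{
    if (cl->ptr)
        cl->ptr = cl->ptr->next;
}

/* Replay the sequence from the commit message: the inner qdisc dequeue
 * reduces the backlog, qlen_notify deactivates the class when qlen hits 0,
 * then the outer dequeue path advances the cursor and re-checks qlen.
 * Returns 0 if nothing would have warned or faulted, -1 otherwise. */
static int replay_dequeue_tree(struct htb_class_model *cl,
                               int qlen_after_inner_dequeue,
                               void (*deactivate)(struct htb_class_model *),
                               void (*next_node)(struct htb_class_model *))
{
    if (qlen_after_inner_dequeue == 0)
        deactivate(cl);          /* qdisc_tree_reduce_backlog -> htb_qlen_notify */
    next_node(cl);               /* htb_dequeue_tree moves the round-robin cursor */
    if (qlen_after_inner_dequeue == 0)
        deactivate(cl);          /* outer path sees qlen == 0 and deactivates again */

    return (cl->warnings || cl->null_derefs) ? -1 : 0;
}

static struct htb_class_model make_active_class(struct rr_node *cursor)
{
    struct htb_class_model cl = { .prio_activity = true, .ptr = cursor };
    return cl;
}

int main(void)
{
    struct rr_node n2 = { 2, NULL };        /* constructed two-entry cursor list */
    struct rr_node n1 = { 1, &n2 };
    struct htb_class_model before = make_active_class(&n1);
    struct htb_class_model after = make_active_class(&n1);

    int rc_before = replay_dequeue_tree(&before, 0, deactivate_pre_fix, next_node_pre_fix);
    int rc_after = replay_dequeue_tree(&after, 0, deactivate_idempotent, next_node_safe);

    printf("pre-fix : rc=%d null_derefs=%d warnings=%d\n",
           rc_before, before.null_derefs, before.warnings);
    printf("post-fix: rc=%d deactivate_work=%d ptr=%p\n",
           rc_after, after.deactivate_work, (void *)after.ptr);
    return 0;
}
```

With the inner qdisc draining to zero, the pre-fix pair records one would-be NULL dereference in the cursor advance and one precondition warning on the second deactivate; the fixed pair completes with the teardown having run exactly once and the cursor left at NULL. When the inner qdisc is not empty neither variant deactivates and the cursor simply advances, which is why the bug only shows up on the qlen==0 path the commit describes.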

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:6.1.138:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.6.90:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12.28:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14.6:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*