CVE-2025-38457

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: Abort __tc_modify_qdisc if parent class does not exist<br /> <br /> Lion&amp;#39;s patch [1] revealed an ancient bug in the qdisc API.<br /> Whenever a user creates/modifies a qdisc specifying as a parent another<br /> qdisc, the qdisc API will, during grafting, detect that the user is<br /> not trying to attach to a class and reject. However grafting is<br /> performed after qdisc_create (and thus the qdiscs&amp;#39; init callback) is<br /> executed. In qdiscs that eventually call qdisc_tree_reduce_backlog<br /> during init or change (such as fq, hhf, choke, etc), an issue<br /> arises. For example, executing the following commands:<br /> <br /> sudo tc qdisc add dev lo root handle a: htb default 2<br /> sudo tc qdisc add dev lo parent a: handle beef fq<br /> <br /> Qdiscs such as fq, hhf, choke, etc unconditionally invoke<br /> qdisc_tree_reduce_backlog() in their control path init() or change() which<br /> then causes a failure to find the child class; however, that does not stop<br /> the unconditional invocation of the assumed child qdisc&amp;#39;s qlen_notify with<br /> a null class. All these qdiscs make the assumption that class is non-null.<br /> <br /> The solution is ensure that qdisc_leaf() which looks up the parent<br /> class, and is invoked prior to qdisc_create(), should return failure on<br /> not finding the class.<br /> In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the<br /> parentid doesn&amp;#39;t correspond to a class, so that we can detect it<br /> earlier on and abort before qdisc_create is called.<br /> <br /> [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/