CVE-2025-68325

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop<br /> <br /> In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen<br /> and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes<br /> that the parent qdisc will enqueue the current packet. However, this<br /> assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent<br /> qdisc stops enqueuing current packet, leaving the tree qlen/backlog<br /> accounting inconsistent. This mismatch can lead to a NULL dereference<br /> (e.g., when the parent Qdisc is qfq_qdisc).<br /> <br /> This patch computes the qlen/backlog delta in a more robust way by<br /> observing the difference before and after the series of cake_drop()<br /> calls, and then compensates the qdisc tree accounting if cake_enqueue()<br /> returns NET_XMIT_CN.<br /> <br /> To ensure correct compensation when ACK thinning is enabled, a new<br /> variable is introduced to keep qlen unchanged.