CVE-2021-47125

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/03/2024
Last modified: 07/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sch_htb: fix refcount leak in htb_parent_to_leaf_offload

The commit ae81feb7338c ("sch_htb: fix null pointer dereference on a null new_q") fixes a NULL pointer dereference bug, but it is not correct.

Because htb_graft_helper properly handles the case when new_q is NULL, and after the previous patch by skipping this call which creates an inconsistency: dev_queue->qdisc will still point to the old qdisc, but cl->parent->leaf.q will point to the new one (which will be noop_qdisc, because new_q was NULL). The code is based on an assumption that these two pointers are the same, so it can lead to refcount leaks.

The correct fix is to add a NULL pointer check to protect qdisc_refcount_inc inside htb_parent_to_leaf_offload.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.12.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:* | | |