CVE-2025-21647

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 19/01/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sched: sch_cake: add bounds checks to host bulk flow fairness counts

Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access.

To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error).

As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the host load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour.
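The failure mode and the style of fix described above, as a simplified user-space model added here; it is not the kernel's sch_cake code. All names are hypothetical, and the model assumes a 16-bit unsigned counter that is later used as an index into a table of `MAX_FLOWS + 1` entries.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FLOWS 1024              /* assumed upper bound on bulk flows per host */
#define TABLE_LEN (MAX_FLOWS + 1)   /* assumed size of the table the counter indexes */

/* Hypothetical stand-in for one per-host entry; not the kernel's struct. */
struct host_model { uint16_t bulk_flow_count; };

/* Unchecked accounting: one unbalanced decrement wraps 0 to 65535. */
static void inc_unchecked(struct host_model *h) { h->bulk_flow_count++; }
static void dec_unchecked(struct host_model *h) { h->bulk_flow_count--; }

/* Checked accounting: the counter can never leave 0..MAX_FLOWS. */
static void inc_checked(struct host_model *h)
{
    if (h->bulk_flow_count < MAX_FLOWS)
        h->bulk_flow_count++;
}

static void dec_checked(struct host_model *h)
{
    if (h->bulk_flow_count > 0)
        h->bulk_flow_count--;
}

/* True when using the counter as a table index would be a valid access. */
static int index_in_bounds(const struct host_model *h)
{
    return h->bulk_flow_count < TABLE_LEN;
}

/* One flow becomes bulk, then is released twice (the modelled logic error). */
static uint16_t run_unbalanced(int checked)
{
    struct host_model h = { 0 };
    if (checked) { inc_checked(&h); dec_checked(&h); dec_checked(&h); }
    else         { inc_unchecked(&h); dec_unchecked(&h); dec_unchecked(&h); }
    printf("%s: count=%u in_bounds=%d\n", checked ? "checked" : "unchecked",
           (unsigned)h.bulk_flow_count, index_in_bounds(&h));
    return h.bulk_flow_count;
}

int main(void)
{
    run_unbalanced(0);  /* counter wraps; index is far past the table end */
    run_unbalanced(1);  /* counter stays at 0; index remains valid */
    return 0;
}
```

Because the bounds check lives inside the helpers, a future accounting mistake in a caller degrades to a wrong fairness count rather than an out-of-range index.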

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.284 (including) | 5.4.291 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.226 (including) | 5.10.235 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.167 (including) | 5.15.179 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.110 (including) | 6.1.125 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.51 (including) | 6.6.72 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10.10 (including) | 6.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11.1 (including) | 6.12.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:* | | |