CVE-2025-38468

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree<br /> <br /> htb_lookup_leaf has a BUG_ON that can trigger with the following:<br /> <br /> tc qdisc del dev lo root<br /> tc qdisc add dev lo root handle 1: htb default 1<br /> tc class add dev lo parent 1: classid 1:1 htb rate 64bit<br /> tc qdisc add dev lo parent 1:1 handle 2: netem<br /> tc qdisc add dev lo parent 2:1 handle 3: blackhole<br /> ping -I lo -c1 -W0.001 127.0.0.1<br /> <br /> The root cause is the following:<br /> <br /> 1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on<br /> the selected leaf qdisc<br /> 2. netem_dequeue calls enqueue on the child qdisc<br /> 3. blackhole_enqueue drops the packet and returns a value that is not<br /> just NET_XMIT_SUCCESS<br /> 4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and<br /> since qlen is now 0, it calls htb_qlen_notify -&gt; htb_deactivate -&gt;<br /> htb_deactiviate_prios -&gt; htb_remove_class_from_row -&gt; htb_safe_rb_erase<br /> 5. As this is the only class in the selected hprio rbtree,<br /> __rb_change_child in __rb_erase_augmented sets the rb_root pointer to<br /> NULL<br /> 6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,<br /> which causes htb_dequeue_tree to call htb_lookup_leaf with the same<br /> hprio rbtree, and fail the BUG_ON<br /> <br /> The function graph for this scenario is shown here:<br /> 0) | htb_enqueue() {<br /> 0) + 13.635 us | netem_enqueue();<br /> 0) 4.719 us | htb_activate_prios();<br /> 0) # 2249.199 us | }<br /> 0) | htb_dequeue() {<br /> 0) 2.355 us | htb_lookup_leaf();<br /> 0) | netem_dequeue() {<br /> 0) + 11.061 us | blackhole_enqueue();<br /> 0) | qdisc_tree_reduce_backlog() {<br /> 0) | qdisc_lookup_rcu() {<br /> 0) 1.873 us | qdisc_match_from_root();<br /> 0) 6.292 us | }<br /> 0) 1.894 us | htb_search();<br /> 0) | htb_qlen_notify() {<br /> 0) 2.655 us | htb_deactivate_prios();<br /> 0) 6.933 us | }<br /> 0) + 25.227 us | }<br /> 0) 1.983 us | blackhole_dequeue();<br /> 0) + 86.553 us | }<br /> 0) # 2932.761 us | qdisc_warn_nonwc();<br /> 0) | htb_lookup_leaf() {<br /> 0) | BUG_ON();<br /> ------------------------------------------<br /> <br /> The full original bug report can be seen here [1].<br /> <br /> We can fix this just by returning NULL instead of the BUG_ON,<br /> as htb_dequeue_tree returns NULL when htb_lookup_leaf returns<br /> NULL.<br /> <br /> [1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/