CVE-2025-38457

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38457
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38457.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38457
Published
2025-07-25T15:27:36.226Z
Modified
2025-11-28T02:34:24.520581Z
Summary
net/sched: Abort __tc_modify_qdisc if parent class does not exist
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Abort __tc_modify_qdisc if parent class does not exist

Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands:

sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq

Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null.

The solution is to ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called.

[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
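
The ordering problem described above, as an added example: a simplified userspace model in C, not the kernel's code and not taken from the patch. It shows that a leaf lookup returning NULL cannot distinguish "class has no child yet" from "no such class", so the child's init() runs before the request is rejected, while an ERR_PTR return aborts first. The names tc_class, find_class, leaf_lookup, modify_qdisc, the strict flag, class a:1 and the -ENOENT returned at the graft step are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's ERR_PTR helpers. */
static void *ERR_PTR(intptr_t e) { return (void *)e; }
static int PTR_ERR(const void *p) { return (int)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

struct qdisc { int unused; };
struct tc_class { uint32_t id; struct qdisc *leaf; };  /* hypothetical model type */

static struct tc_class class_a1 = { 0x000a0001, NULL };  /* constructed: class a:1, no leaf yet */
static struct qdisc child;
static int init_calls;  /* times the child's init() ran */

static struct tc_class *find_class(uint32_t id) { return id == class_a1.id ? &class_a1 : NULL; }

/* strict=0 (old): NULL also covers "no such class"; strict=1 (fixed): ERR_PTR(-ENOENT). */
static struct qdisc *leaf_lookup(uint32_t id, int strict)
{
    struct tc_class *cl = find_class(id);
    if (!cl)
        return strict ? ERR_PTR(-ENOENT) : NULL;
    return cl->leaf;
}

/* Model of the add path: leaf lookup, create (runs init), then graft. */
static int modify_qdisc(uint32_t parent_id, int strict)
{
    struct tc_class *cl = find_class(parent_id);
    struct qdisc *q = leaf_lookup(parent_id, strict);
    if (IS_ERR(q))
        return PTR_ERR(q);  /* fixed: abort before init() */
    init_calls++;           /* create step: child init() runs */
    if (!cl)
        return -ENOENT;     /* old: rejected only at graft, after init() */
    cl->leaf = &child;
    return 0;
}

int main(void)
{
    int old = modify_qdisc(0x000a0000, 0), old_inits = init_calls;  /* a:0 is a qdisc, not a class */
    init_calls = 0;
    int fixed = modify_qdisc(0x000a0000, 1);
    printf("old: ret=%d inits=%d; fixed: ret=%d inits=%d\n", old, old_inits, fixed, init_calls);
    return 0;
}
```

Both variants reject the request with the same error in this model; the difference is whether the child's init() has already run by then.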

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38457.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6
Fixed
923a276c74e25073ae391e930792ac86a9f77f1e
Fixed
90436e72c9622c2f70389070088325a3232d339f
Fixed
25452638f133ac19d75af3f928327d8016952c8e
Fixed
23c165dde88eac405eebb59051ea1fe139a45803
Fixed
4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
Fixed
8ecd651ef24ab50123692a4e3e25db93cb11602a
Fixed
e28a383d6485c3bb51dc5953552f76c4dea33eea
Fixed
ffdde7bf5a439aaa1955ebd581f5c64ab1533963

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  2.6.20      5.4.296
ECOSYSTEM  5.5.0       5.10.240
ECOSYSTEM  5.11.0      5.15.189
ECOSYSTEM  5.16.0      6.1.146
ECOSYSTEM  6.2.0       6.6.99
ECOSYSTEM  6.7.0       6.12.39
ECOSYSTEM  6.13.0      6.15.7