DEBIAN-CVE-2025-39677
- Source
- https://security-tracker.debian.org/tracker/CVE-2025-39677
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39677.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-39677
- Upstream
- Published
- 2025-09-05T18:15:44Z
- Modified
- 2025-09-25T02:29:12.186035Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix backlog accounting in qdiscdequeueinternal This issue applies for the following qdiscs: hhf, fq, fqcodel, and fqpie, and occurs in their change handlers when adjusting to the new limit. The problem is the following in the values passed to the subsequent qdisctreereducebacklog call given a tbf parent: When the tbf parent runs out of tokens, skbs of these qdiscs will be placed in gsoskb. Their peek handlers are qdiscpeekdequeued, which accounts for both qlen and backlog. However, in the case of qdiscdequeueinternal, ONLY qlen is accounted for when pulling from gsoskb. This means that these qdiscs are missing a qdiscqstatsbacklogdec when dropping packets to satisfy the new limit in their change handlers. One can observe this issue with the following (with tc patched to support a limit of 0): export TARGET=fq tc qdisc del dev lo root tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000 echo ''; echo 'add child'; tc -s -d qdisc show dev lo ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null echo ''; echo 'after ping'; tc -s -d qdisc show dev lo tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0 echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo tc qdisc replace dev lo handle 2: parent 1:1 sfq echo ''; echo 'post graft'; tc -s -d qdisc show dev lo The second to last show command shows 0 packets but a positive number (74) of backlog bytes. The problem becomes clearer in the last show command, where qdiscpurgequeue triggers qdisctreereducebacklog with the positive backlog and causes an underflow in the tbf parent's backlog (4096 Mb instead of 0). To fix this issue, the codepath for all clients of qdiscdequeueinternal has been simplified: codel, pie, hhf, fq, fqpie, and fqcodel. qdiscdequeueinternal handles the backlog adjustments for all cases that do not directly use the dequeue handler. The old fqcodelchange limit adjustment loop accumulated the arguments to the subsequent qdisctreereducebacklog call through the cstats field. However, this is confusing and error prone as fqcodeldequeue could also potentially mutate this field (which qdiscdequeueinternal calls in the non gso_skb case), so we have unified the code here with other qdiscs.
- References
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.16.5-1