CVE-2025-37752

In the Linux kernel, the following vulnerability has been resolved:

netsched: schsfq: move the limit validation

It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed.

Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations:

tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

This fixes the following syzkaller reported crash:

------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/schsfq.c:203:6 index 65535 is out of range for type 'struct sfqhead[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x201/0x300 lib/dumpstack.c:120 ubsanepilogue lib/ubsan.c:231 [inline] _ubsanhandleoutofbounds+0xf5/0x120 lib/ubsan.c:429 sfqlink net/sched/schsfq.c:203 [inline] sfqdec+0x53c/0x610 net/sched/schsfq.c:231 sfqdequeue+0x34e/0x8c0 net/sched/schsfq.c:493 sfqreset+0x17/0x60 net/sched/schsfq.c:518 qdiscreset+0x12e/0x600 net/sched/schgeneric.c:1035 tbfreset+0x41/0x110 net/sched/schtbf.c:339 qdiscreset+0x12e/0x600 net/sched/schgeneric.c:1035 devresetqueue+0x100/0x1b0 net/sched/schgeneric.c:1311 netdevforeachtxqueue include/linux/netdevice.h:2590 [inline] devdeactivatemany+0x7e5/0xe70 net/sched/schgeneric.c:1375