CVE-2025-68815

Source
https://cve.org/CVERecord?id=CVE-2025-68815
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68815.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68815
Published
2026-01-13T15:29:19.789Z
Modified
2026-03-20T12:46:30.337819Z
Summary
net/sched: ets: Remove drr class from the active list if it changes to strict
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: ets: Remove drr class from the active list if it changes to strict

Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1].

Doing so with the following commands:

tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
    tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1

Will trigger the following splat with list debug turned on:

[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutextrylockmutextrylockcommon+0xda/0x240
[ 59.291228][ T365] ? pfxutextrylockcommon+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0

Fix this by always checking and removing an ets class from the active list when changing it to strict.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
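
The double add described above, replayed on a small user-space model of the active list with and without the removal step the fix adds. This is an added example, not code from the kernel or from the patch; struct band, the helper names and the rule that a backlogged band is re-added when it returns to drr are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's struct list_head (model, not kernel code). */
struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }
static bool on_a_list(const struct list_head *n) { return n->next != n; }

/* Same condition the list-debug check reports as "list_add double add":
 * the new node is already the neighbour it is about to be linked next to. */
static bool add_tail_checked(struct list_head *n, struct list_head *head)
{
    struct list_head *prev = head->prev;
    if (n == prev || n == head)
        return false;
    n->prev = prev; n->next = head;
    prev->next = n; head->prev = n;
    return true;
}

static void del_init(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    init_list(n);
}

/* Hypothetical model of one ets band: its active-list node and its backlog. */
struct band { struct list_head alist; int backlog; };

/* Replays the advisory's sequence; returns true when the second add is a double add. */
static bool double_add_after_changes(bool with_fix)
{
    struct list_head active;
    struct band b = { .backlog = 1 };   /* ping packet held back by tbf */
    init_list(&active);
    init_list(&b.alist);

    add_tail_checked(&b.alist, &active);        /* drr band gets backlog: active */
    if (with_fix && on_a_list(&b.alist))        /* change drr -> strict */
        del_init(&b.alist);                     /* the fix: leave the active list */
    /* change strict -> drr: model assumption, a backlogged band is re-added */
    return b.backlog && !add_tail_checked(&b.alist, &active);
}

int main(void)
{
    printf("without fix: double add = %d\n", double_add_after_changes(false));
    printf("with fix:    double add = %d\n", double_add_after_changes(true));
    return 0;
}
```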

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68815.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f517335a61ff8037b18ba1b0a002c1f82926a934
Fixed
58fdce6bc005e964f1dbc3ca716f5fe0f68839a2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cd9b50adc6bb9ad3f7d244590a389522215865c4
Fixed
02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87
Fixed
8067db5c95aab9461d23117679338cd8869831fa
Fixed
2f125ebe47d6369e562f3cbd9b6227cff51eaf34
Fixed
cca2ed931b734fe48139bc6f020e47367346630f
Fixed
43d9a530c8c094d137159784e7c951c65f11ec6c
Fixed
b1e125ae425aba9b45252e933ca8df52a843ec70
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d05330672afe2e142ba97e63bd7c1faef76781bb

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68815.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.10.248
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.198
Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
6.1.160
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.6.120
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.12.64
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.18.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68815.json"