In the Linux kernel, the following vulnerability has been resolved:
net_sched: ets: fix a race in ets_qdisc_change()
Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
References
History
Thu, 03 Jul 2025 09:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. | |
| Title | net_sched: ets: fix a race in ets_qdisc_change() | |
| References |
|
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2025-07-03T08:35:17.487Z
Updated: 2025-07-03T08:35:17.487Z
Reserved: 2025-04-16T04:51:23.985Z
Link: CVE-2025-38107
Vulnrichment
No data.
NVD
Status : Awaiting Analysis
Published: 2025-07-03T09:15:24.273
Modified: 2025-07-03T15:13:53.147
Link: CVE-2025-38107
Redhat
No data.