Bug 2382054 (CVE-2025-38350)

Summary:	CVE-2025-38350 kernel: net/sched: Always pass notifications when child class becomes empty
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	gscott, iwienand, kdudka, mcascell, mfindra, ptalbert
Target Milestone:	---	Keywords:	Security
Target Release:	---	Flags:	gscott: needinfo? (mfindra)
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A use-after-free (UAF) vulnerability was found in the Linux kernel's net/sched subsystem, specifically in the Credit-Based Shaper (CBS) qdisc implementation (sch_cbs). The vulnerability occurs because the CBS qdisc's reset function (qdisc_reset_queue()) only resets its internal queue but fails to reset its child qdisc recursively. As a result, a mismatch in queue length (qlen) occurs between CBS and its children during interface resets, eventually allowing attackers to trigger UAF on a parent HFSC scheduler.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-19 07:01:11 UTC

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Always pass notifications when child class becomes empty

Certain classful qdiscs may invoke their classes' dequeue handler on an
enqueue operation. This may unexpectedly empty the child qdisc and thus
make an in-flight class passive via qlen_notify(). Most qdiscs do not
expect such behaviour at this point in time and may re-activate the
class eventually anyways which will lead to a use-after-free.

The referenced fix commit attempted to fix this behavior for the HFSC
case by moving the backlog accounting around, though this turned out to
be incomplete since the parent's parent may run into the issue too.
The following reproducer demonstrates this use-after-free:

    tc qdisc add dev lo root handle 1: drr
    tc filter add dev lo parent 1: basic classid 1:1
    tc class add dev lo parent 1: classid 1:1 drr
    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
    tc qdisc add dev lo parent 2:1 handle 3: netem
    tc qdisc add dev lo parent 3:1 handle 4: blackhole

    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
    tc class delete dev lo classid 1:1
    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888

Since backlog accounting issues leading to a use-after-frees on stale
class pointers is a recurring pattern at this point, this patch takes
a different approach. Instead of trying to fix the accounting, the patch
ensures that qdisc_tree_reduce_backlog always calls qlen_notify when
the child qdisc is empty. This solves the problem because deletion of
qdiscs always involves a call to qdisc_reset() and / or
qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing
the following qdisc_tree_reduce_backlog() to report to the parent. Note
that this may call qlen_notify on passive classes multiple times. This
is not a problem after the recent patch series that made all the
classful qdiscs qlen_notify() handlers idempotent.

Comment 1 Michal Findra 2025-07-21 06:39:56 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025071933-CVE-2025-38350-262a@gregkh/T

Comment 7 Mauro Matteo Cascella 2025-07-24 09:16:25 UTC

*** Bug 2368253 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2025-08-25 01:39:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2025:14413 https://access.redhat.com/errata/RHSA-2025:14413

Comment 17 errata-xmlrpc 2025-08-25 14:14:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14511 https://access.redhat.com/errata/RHSA-2025:14511

Comment 18 errata-xmlrpc 2025-08-27 00:07:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:14691 https://access.redhat.com/errata/RHSA-2025:14691

Comment 19 errata-xmlrpc 2025-08-27 00:23:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:14692 https://access.redhat.com/errata/RHSA-2025:14692

Comment 20 errata-xmlrpc 2025-08-27 00:27:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:14696 https://access.redhat.com/errata/RHSA-2025:14696

Comment 21 errata-xmlrpc 2025-08-27 10:39:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:14742 https://access.redhat.com/errata/RHSA-2025:14742

Comment 22 errata-xmlrpc 2025-08-27 11:39:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14744 https://access.redhat.com/errata/RHSA-2025:14744

Comment 23 errata-xmlrpc 2025-08-27 11:40:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14746 https://access.redhat.com/errata/RHSA-2025:14746

Comment 24 errata-xmlrpc 2025-08-27 12:39:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14748 https://access.redhat.com/errata/RHSA-2025:14748

Comment 25 errata-xmlrpc 2025-08-27 13:19:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14749 https://access.redhat.com/errata/RHSA-2025:14749

Comment 26 errata-xmlrpc 2025-09-02 05:55:19 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:15016 https://access.redhat.com/errata/RHSA-2025:15016

Comment 27 errata-xmlrpc 2025-09-02 06:53:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:15035 https://access.redhat.com/errata/RHSA-2025:15035

Comment 28 errata-xmlrpc 2025-09-02 06:54:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:15011 https://access.redhat.com/errata/RHSA-2025:15011

Comment 29 errata-xmlrpc 2025-09-08 10:22:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:15447 https://access.redhat.com/errata/RHSA-2025:15447

Comment 30 errata-xmlrpc 2025-09-15 10:20:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15786 https://access.redhat.com/errata/RHSA-2025:15786

Comment 31 errata-xmlrpc 2025-09-15 10:38:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15785 https://access.redhat.com/errata/RHSA-2025:15785

Comment 34 errata-xmlrpc 2025-09-24 00:18:09 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:16539 https://access.redhat.com/errata/RHSA-2025:16539

Comment 35 errata-xmlrpc 2025-09-24 00:19:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:16541 https://access.redhat.com/errata/RHSA-2025:16541

Comment 36 errata-xmlrpc 2025-09-24 00:25:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16540 https://access.redhat.com/errata/RHSA-2025:16540

Comment 37 errata-xmlrpc 2025-09-24 00:27:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16538 https://access.redhat.com/errata/RHSA-2025:16538

Comment 38 errata-xmlrpc 2025-09-24 12:49:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:16580 https://access.redhat.com/errata/RHSA-2025:16580

Comment 39 errata-xmlrpc 2025-09-24 13:00:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:16582 https://access.redhat.com/errata/RHSA-2025:16582

Comment 40 errata-xmlrpc 2025-09-24 13:03:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2025:16583 https://access.redhat.com/errata/RHSA-2025:16583

Comment 41 Greg Scott 2025-09-30 20:49:06 UTC

I noticed in the CVE writeup that RHEL 9 kernel-rt is affected. Any plans to update the RHEL 9 kernel-rt with this fix?

thanks

Comment 42 Ian Wienand 2025-09-30 23:48:56 UTC

Assuming you're talking about 9.6 that is included in https://access.redhat.com/errata/RHSA-2025:15011