Bug 2382054 (CVE-2025-38350) - CVE-2025-38350 kernel: net/sched: Always pass notifications when child class becomes empty [NEEDINFO]
Summary: CVE-2025-38350 kernel: net/sched: Always pass notifications when child class ...
Keywords:
Status: NEW
Alias: CVE-2025-38350
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Duplicates: 2368253
Depends On:
Blocks:
Reported: 2025-07-19 07:01 UTC by OSIDB Bzimport
Modified: 2025-10-03 14:03 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
gscott: needinfo? (mfindra)
gscott: needinfo? (ptalbert)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:14413 0 None None None 2025-08-25 01:39:35 UTC
Red Hat Product Errata RHSA-2025:14511 0 None None None 2025-08-25 14:14:05 UTC
Red Hat Product Errata RHSA-2025:14691 0 None None None 2025-08-27 00:07:48 UTC
Red Hat Product Errata RHSA-2025:14692 0 None None None 2025-08-27 00:23:22 UTC
Red Hat Product Errata RHSA-2025:14696 0 None None None 2025-08-27 00:28:00 UTC
Red Hat Product Errata RHSA-2025:14742 0 None None None 2025-08-27 10:40:01 UTC
Red Hat Product Errata RHSA-2025:14744 0 None None None 2025-08-27 11:39:59 UTC
Red Hat Product Errata RHSA-2025:14746 0 None None None 2025-08-27 11:40:56 UTC
Red Hat Product Errata RHSA-2025:14748 0 None None None 2025-08-27 12:39:55 UTC
Red Hat Product Errata RHSA-2025:14749 0 None None None 2025-08-27 13:19:53 UTC
Red Hat Product Errata RHSA-2025:15011 0 None None None 2025-09-02 06:54:23 UTC
Red Hat Product Errata RHSA-2025:15016 0 None None None 2025-09-02 05:55:20 UTC
Red Hat Product Errata RHSA-2025:15035 0 None None None 2025-09-02 06:53:35 UTC
Red Hat Product Errata RHSA-2025:15447 0 None None None 2025-09-08 10:22:55 UTC
Red Hat Product Errata RHSA-2025:15785 0 None None None 2025-09-15 10:38:26 UTC
Red Hat Product Errata RHSA-2025:15786 0 None None None 2025-09-15 10:20:18 UTC
Red Hat Product Errata RHSA-2025:16538 0 None None None 2025-09-24 00:27:32 UTC
Red Hat Product Errata RHSA-2025:16539 0 None None None 2025-09-24 00:18:11 UTC
Red Hat Product Errata RHSA-2025:16540 0 None None None 2025-09-24 00:25:17 UTC
Red Hat Product Errata RHSA-2025:16541 0 None None None 2025-09-24 00:19:26 UTC
Red Hat Product Errata RHSA-2025:16580 0 None None None 2025-09-24 12:49:03 UTC
Red Hat Product Errata RHSA-2025:16582 0 None None None 2025-09-24 13:00:18 UTC
Red Hat Product Errata RHSA-2025:16583 0 None None None 2025-09-24 13:03:08 UTC

Description OSIDB Bzimport 2025-07-19 07:01:11 UTC
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Always pass notifications when child class becomes empty

Certain classful qdiscs may invoke their classes' dequeue handler on an
enqueue operation. This may unexpectedly empty the child qdisc and thus
make an in-flight class passive via qlen_notify(). Most qdiscs do not
expect such behaviour at this point in time and may re-activate the
class eventually anyways which will lead to a use-after-free.

The referenced fix commit attempted to fix this behavior for the HFSC
case by moving the backlog accounting around, though this turned out to
be incomplete since the parent's parent may run into the issue too.
The following reproducer demonstrates this use-after-free:

    tc qdisc add dev lo root handle 1: drr
    tc filter add dev lo parent 1: basic classid 1:1
    tc class add dev lo parent 1: classid 1:1 drr
    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
    tc qdisc add dev lo parent 2:1 handle 3: netem
    tc qdisc add dev lo parent 3:1 handle 4: blackhole

    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
    tc class delete dev lo classid 1:1
    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888

Since backlog accounting issues leading to use-after-frees on stale
class pointers are a recurring pattern at this point, this patch takes
a different approach. Instead of trying to fix the accounting, the patch
ensures that qdisc_tree_reduce_backlog always calls qlen_notify when
the child qdisc is empty. This solves the problem because deletion of
qdiscs always involves a call to qdisc_reset() and / or
qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing
the following qdisc_tree_reduce_backlog() to report to the parent. Note
that this may call qlen_notify on passive classes multiple times. This
is not a problem after the recent patch series that made all the
classful qdiscs qlen_notify() handlers idempotent.
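
Added example (not part of the bug report or of the kernel patch): a small user-space C model of the notification rule described above, showing why "always notify when the child is empty" only works together with an idempotent qlen_notify(). The structs and function bodies are constructed for illustration, and the "skip the parent when the reported reduction is 0" pre-fix path is an assumed simplification.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy user-space model, constructed for illustration; not kernel code. */
struct parent { int nactive; };            /* classes the scheduler may visit */
struct cls {
    struct parent *p;
    bool active;                           /* linked on the parent's active list */
    int child_qlen;                        /* packets held by the child qdisc */
};

/* Idempotent handler: a second call on a passive class changes nothing. */
static void qlen_notify(struct cls *cl)
{
    if (!cl->active)
        return;
    cl->active = false;
    cl->p->nactive--;
}

/* always=false: assumed pre-fix simplification, the parent is skipped when
 * the reported reduction n is 0. always=true: notify whenever child is empty. */
static void tree_reduce_backlog(struct cls *cl, int n, bool always)
{
    if (cl->child_qlen == 0 && (always || n != 0))
        qlen_notify(cl);
}

/* Delete a class whose backlog was already mis-accounted to 0.
 * Returns true if the parent still lists the class once it is gone. */
static bool stale_after_delete(bool always)
{
    struct parent p = { .nactive = 1 };
    struct cls cl = { .p = &p, .active = true, .child_qlen = 1 };

    cl.child_qlen = 0;                     /* purge/reset empties the child */
    tree_reduce_backlog(&cl, 0, always);   /* accounting reports nothing removed */
    tree_reduce_backlog(&cl, 0, always);   /* repeat notification must be harmless */
    return p.nactive != 0;                 /* class would be freed here */
}

int main(void)
{
    printf("skip-on-zero: stale=%d\n", stale_after_delete(false));
    printf("always-notify: stale=%d\n", stale_after_delete(true));
    return 0;
}
```

In the model, a non-idempotent handler would drive nactive to -1 on the second notification, which is the reason the commit message points to the earlier idempotency series.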

Comment 7 Mauro Matteo Cascella 2025-07-24 09:16:25 UTC
*** Bug 2368253 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2025-08-25 01:39:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2025:14413 https://access.redhat.com/errata/RHSA-2025:14413

Comment 17 errata-xmlrpc 2025-08-25 14:14:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14511 https://access.redhat.com/errata/RHSA-2025:14511

Comment 18 errata-xmlrpc 2025-08-27 00:07:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:14691 https://access.redhat.com/errata/RHSA-2025:14691

Comment 19 errata-xmlrpc 2025-08-27 00:23:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:14692 https://access.redhat.com/errata/RHSA-2025:14692

Comment 20 errata-xmlrpc 2025-08-27 00:27:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:14696 https://access.redhat.com/errata/RHSA-2025:14696

Comment 21 errata-xmlrpc 2025-08-27 10:39:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:14742 https://access.redhat.com/errata/RHSA-2025:14742

Comment 22 errata-xmlrpc 2025-08-27 11:39:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14744 https://access.redhat.com/errata/RHSA-2025:14744

Comment 23 errata-xmlrpc 2025-08-27 11:40:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14746 https://access.redhat.com/errata/RHSA-2025:14746

Comment 24 errata-xmlrpc 2025-08-27 12:39:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14748 https://access.redhat.com/errata/RHSA-2025:14748

Comment 25 errata-xmlrpc 2025-08-27 13:19:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14749 https://access.redhat.com/errata/RHSA-2025:14749

Comment 26 errata-xmlrpc 2025-09-02 05:55:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:15016 https://access.redhat.com/errata/RHSA-2025:15016

Comment 27 errata-xmlrpc 2025-09-02 06:53:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:15035 https://access.redhat.com/errata/RHSA-2025:15035

Comment 28 errata-xmlrpc 2025-09-02 06:54:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:15011 https://access.redhat.com/errata/RHSA-2025:15011

Comment 29 errata-xmlrpc 2025-09-08 10:22:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:15447 https://access.redhat.com/errata/RHSA-2025:15447

Comment 30 errata-xmlrpc 2025-09-15 10:20:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15786 https://access.redhat.com/errata/RHSA-2025:15786

Comment 31 errata-xmlrpc 2025-09-15 10:38:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15785 https://access.redhat.com/errata/RHSA-2025:15785

Comment 34 errata-xmlrpc 2025-09-24 00:18:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:16539 https://access.redhat.com/errata/RHSA-2025:16539

Comment 35 errata-xmlrpc 2025-09-24 00:19:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:16541 https://access.redhat.com/errata/RHSA-2025:16541

Comment 36 errata-xmlrpc 2025-09-24 00:25:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16540 https://access.redhat.com/errata/RHSA-2025:16540

Comment 37 errata-xmlrpc 2025-09-24 00:27:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16538 https://access.redhat.com/errata/RHSA-2025:16538

Comment 38 errata-xmlrpc 2025-09-24 12:49:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:16580 https://access.redhat.com/errata/RHSA-2025:16580

Comment 39 errata-xmlrpc 2025-09-24 13:00:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:16582 https://access.redhat.com/errata/RHSA-2025:16582

Comment 40 errata-xmlrpc 2025-09-24 13:03:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2025:16583 https://access.redhat.com/errata/RHSA-2025:16583

Comment 41 Greg Scott 2025-09-30 20:49:06 UTC
I noticed in the CVE writeup that RHEL 9 kernel-rt is affected. Any plans to update the RHEL 9 kernel-rt with this fix?

thanks

Comment 42 Ian Wienand 2025-09-30 23:48:56 UTC
Assuming you're talking about 9.6 that is included in https://access.redhat.com/errata/RHSA-2025:15011
