{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39677", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.112Z", "datePublished": "2025-09-05T17:20:43.145Z", "dateUpdated": "2025-09-05T17:20:43.145Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-05T17:20:43.145Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix backlog accounting in qdisc_dequeue_internal\n\nThis issue applies for the following qdiscs: hhf, fq, fq_codel, and\nfq_pie, and occurs in their change handlers when adjusting to the new\nlimit. The problem is the following in the values passed to the\nsubsequent qdisc_tree_reduce_backlog call given a tbf parent:\n\n When the tbf parent runs out of tokens, skbs of these qdiscs will\n be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued,\n which accounts for both qlen and backlog. However, in the case of\n qdisc_dequeue_internal, ONLY qlen is accounted for when pulling\n from gso_skb. This means that these qdiscs are missing a\n qdisc_qstats_backlog_dec when dropping packets to satisfy the\n new limit in their change handlers.\n\n One can observe this issue with the following (with tc patched to\n support a limit of 0):\n\n export TARGET=fq\n tc qdisc del dev lo root\n tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms\n tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000\n echo ''; echo 'add child'; tc -s -d qdisc show dev lo\n ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null\n echo ''; echo 'after ping'; tc -s -d qdisc show dev lo\n tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0\n echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo\n tc qdisc replace dev lo handle 2: parent 1:1 sfq\n echo ''; echo 'post graft'; tc -s -d qdisc show dev lo\n\n The second to last show command shows 0 packets but a positive\n number (74) of backlog bytes. The problem becomes clearer in the\n last show command, where qdisc_purge_queue triggers\n qdisc_tree_reduce_backlog with the positive backlog and causes an\n underflow in the tbf parent's backlog (4096 Mb instead of 0).\n\nTo fix this issue, the codepath for all clients of qdisc_dequeue_internal\nhas been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel.\nqdisc_dequeue_internal handles the backlog adjustments for all cases that\ndo not directly use the dequeue handler.\n\nThe old fq_codel_change limit adjustment loop accumulated the arguments to\nthe subsequent qdisc_tree_reduce_backlog call through the cstats field.\nHowever, this is confusing and error prone as fq_codel_dequeue could also\npotentially mutate this field (which qdisc_dequeue_internal calls in the\nnon gso_skb case), so we have unified the code here with other qdiscs."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/sch_generic.h", "net/sched/sch_codel.c", "net/sched/sch_fq.c", "net/sched/sch_fq_codel.c", "net/sched/sch_fq_pie.c", "net/sched/sch_hhf.c", "net/sched/sch_pie.c"], "versions": [{"version": "4b549a2ef4bef9965d97cbd992ba67930cd3e0fe", "lessThan": "a225f44d84b8900d679c5f5a9ea46fe9c0cc7802", "status": "affected", "versionType": "git"}, {"version": "4b549a2ef4bef9965d97cbd992ba67930cd3e0fe", "lessThan": "52bf272636bda69587952b35ae97690b8dc89941", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/sch_generic.h", "net/sched/sch_codel.c", "net/sched/sch_fq.c", "net/sched/sch_fq_codel.c", "net/sched/sch_fq_pie.c", "net/sched/sch_hhf.c", "net/sched/sch_pie.c"], "versions": [{"version": "3.5", "status": "affected"}, {"version": "0", "lessThan": "3.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.4", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.16.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.17-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a225f44d84b8900d679c5f5a9ea46fe9c0cc7802"}, {"url": "https://git.kernel.org/stable/c/52bf272636bda69587952b35ae97690b8dc89941"}], "title": "net/sched: Fix backlog accounting in qdisc_dequeue_internal", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix backlog accounting in qdisc_dequeue_internal\n\nThis issue applies for the following qdiscs: hhf, fq, fq_codel, and\nfq_pie, and occurs in their change handlers when adjusting to the new\nlimit. The problem is the following in the values passed to the\nsubsequent qdisc_tree_reduce_backlog call given a tbf parent:\n\n When the tbf parent runs out of tokens, skbs of these qdiscs will\n be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued,\n which accounts for both qlen and backlog. However, in the case of\n qdisc_dequeue_internal, ONLY qlen is accounted for when pulling\n from gso_skb. This means that these qdiscs are missing a\n qdisc_qstats_backlog_dec when dropping packets to satisfy the\n new limit in their change handlers.\n\n One can observe this issue with the following (with tc patched to\n support a limit of 0):\n\n export TARGET=fq\n tc qdisc del dev lo root\n tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms\n tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000\n echo ''; echo 'add child'; tc -s -d qdisc show dev lo\n ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null\n echo ''; echo 'after ping'; tc -s -d qdisc show dev lo\n tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0\n echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo\n tc qdisc replace dev lo handle 2: parent 1:1 sfq\n echo ''; echo 'post graft'; tc -s -d qdisc show dev lo\n\n The second to last show command shows 0 packets but a positive\n number (74) of backlog bytes. The problem becomes clearer in the\n last show command, where qdisc_purge_queue triggers\n qdisc_tree_reduce_backlog with the positive backlog and causes an\n underflow in the tbf parent's backlog (4096 Mb instead of 0).\n\nTo fix this issue, the codepath for all clients of qdisc_dequeue_internal\nhas been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel.\nqdisc_dequeue_internal handles the backlog adjustments for all cases that\ndo not directly use the dequeue handler.\n\nThe old fq_codel_change limit adjustment loop accumulated the arguments to\nthe subsequent qdisc_tree_reduce_backlog call through the cstats field.\nHowever, this is confusing and error prone as fq_codel_dequeue could also\npotentially mutate this field (which qdisc_dequeue_internal calls in the\nnon gso_skb case), so we have unified the code here with other qdiscs."}], "id": "CVE-2025-39677", "lastModified": "2025-09-05T18:15:44.043", "metrics": {}, "published": "2025-09-05T18:15:44.043", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/52bf272636bda69587952b35ae97690b8dc89941"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a225f44d84b8900d679c5f5a9ea46fe9c0cc7802"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}