CVE-2025-38684 in Linuxinformation

Résumé

par VulDB • 09/06/2026

Based on the crash trace and the provided links, this is a **kernel panic/oops in the Linux networking subsystem**, specifically within the **ETS (Enhanced Transmission Selection) qdisc** (`sch_ets`).

### **Summary of the Issue** The crash occurs in `ets_class_qlen_notify` when modifying an ETS qdisc via `tc` (traffic control). The root cause is a **race condition or use-after-free** related to how ETS handles class backlog notifications during qdisc changes.

---

### **Detailed Analysis**

#### **1. Crash Location** - **Function:** `ets_class_qlen_notify+0x65/0x90 [sch_ets]`
- **Context:** Called from `qdisc_tree_reduce_backlog`, which is invoked during `ets_qdisc_change` (when modifying the qdisc configuration). - **Trigger:** A user-space `tc` command (via `rtnetlink`) is modifying the ETS qdisc.

#### **2. Root Cause** The ETS qdisc maintains a list of classes. When the qdisc is modified (`ets_qdisc_change`), it may need to adjust the backlog (queue length) of classes. The function `ets_class_qlen_notify` is called to notify the class about changes in queue length.

The bug likely involves: - **Dereferencing a freed or invalid pointer:** The `qdisc` or `class` pointer passed to `ets_class_qlen_notify` may have been freed or is no longer valid during the modification process. - **Race Condition:** Multiple threads or contexts might be accessing the qdisc structure concurrently without proper locking.

#### **3. Relevant Patches/Fixes** The links provided point to discussions and patches in the Linux kernel netdev mailing list:

- **[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/**
- This is likely a patch from **Davide Caratti** (Red Hat) addressing the issue. - The patch probably adds proper locking or checks to prevent accessing invalid pointers during qdisc changes.

- **[2] https://lore.kernel.org/netdev/[email protected]/**
- This may be a report or discussion about the bug, possibly from a user or developer encountering the crash.

#### **4. How to Fix/Workaround** - **Update Kernel:** If you are using a kernel version older than the one where this patch was merged, **upgrade to a newer kernel** that includes the fix. - **Avoid Concurrent Modifications:** Do not modify ETS qdiscs while traffic is being actively shaped or while other `tc` commands are running concurrently. - **Apply Patch:** If you cannot upgrade, you can manually apply the patch from the mailing list to your kernel source.

---

### **Steps to Verify** 1. **Check Kernel Version:** ```bash uname -r ``` 2. **Check for Patch:** Search the kernel source tree for the patch title or commit hash from the mailing list links. 3. **Reproduce:** Try to reproduce the crash by modifying the ETS qdisc while traffic is active.

---

### **Conclusion** This is a known bug in the ETS qdisc implementation. The fix involves ensuring proper synchronization and pointer validity checks during qdisc modifications. Upgrading to a kernel version that includes the fix from the netdev mailing list is the recommended solution.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Responsable

Linux

Réserver

16/04/2025

Divulgation

04/09/2025

Modérer

accepté

Entrée

VDB-322537

CPE

prêt

EPSS

0.00160

KEV

non

Activités

très faible

Sources

Do you know our Splunk app?

Download it now for free!