CVE-2021-47125 Information

Description

In the Linux kernel the following vulnerability has been resolved:

sch_htb: fix refcount leak in htb_parent_to_leaf_offload

The commit ae81feb7338c (\sch_htb: fix null pointer dereference on a null new_q) fixes a NULL pointer dereference bug but it is not correct.

Because htb_graft_helper properly handles the case when new_q is NULL and after the previous patch by skipping this call which creates an inconsistency : dev_queue->qdisc will still point to the old qdisc but cl->parent->leaf.q will point to the new one (which will be noop_qdisc because new_q was NULL). The code is based on an assumption that these two pointers are the same so it can lead to refcount leaks.

The correct fix is to add a NULL pointer check to protect qdisc_refcount_inc inside htb_parent_to_leaf_offload.

Reference

https://git.kernel.org/stable/c/2411c02d03892a5057499f8102d0cc1e0f852416 https://git.kernel.org/stable/c/944d671d5faa0d78980a3da5c0f04960ef1ad893