In the Linux kernel, following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() qdisc_tree_reduce_backlog() htb_qlen_notify() htb_deactivate() htb_next_rb_node() htb_deactivate() For htb_next_rb_node(), after calling 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here. For although checked qlen before it, in case of qlen==0 qdisc_tree_reduce_backlog(), may call again which triggers warning inside. To fix issues here, need to: 1) Make idempotent, that is, simply return if we before. 2) htb_next_rb_node() safe against ptr==NULL. Many thanks Alan for testing and reproducer.