Linux Kernel Taprio Qdisc Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's taprio queuing discipline (qdisc) implementation. This issue arises when an invalid TCA_RATE attribute is provided, causing the qdisc_create() function to destroy the newly initialized taprio qdisc. However, the hrtimer used by taprio may have already fired, leading to a race condition where net_tx_action() attempts to access a destroyed qdisc. This vulnerability was reported by syzbot and can cause a crash during net_tx_action() processing.

Impact

Exploitation of this vulnerability can lead to a kernel crash, causing a denial of service condition.

Reproduction

The vulnerability can be reproduced by creating a taprio qdisc and supplying an invalid TCA_RATE attribute. This triggers the qdisc_create() function to destroy the taprio qdisc, while the hrtimer may have already fired, creating a race condition. The net_tx_action() function will then attempt to use the freed qdisc, leading to a crash.