Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netem module can lead to incorrect backlog accounting when used with a child qdisc. The issue arises because netem's 'qlen' only reflects packets in its internal FIFO, neglecting updates from child qdiscs about created or dropped socket buffers (SKBs). This can cause netem to misrepresent the number of packets, potentially leading to a halt in packet processing when 'qlen' reaches a certain limit, even if the FIFO is not full.
The vulnerability can cause netem to stop accepting packets, creating a bottleneck in traffic management. This occurs because netem incorrectly believes its FIFO is full, based on a miscalculated 'qlen' that does not accurately reflect the actual backlog of packets.
To reproduce this vulnerability, enable Generic Segmentation Offload (GSO) on the sender machine. Then, configure netem as the root qdisc and token bucket filter (tbf) as its child on the outgoing interface. After setting this up, send bulk TCP traffic through the interface, such as by using an iPerf3 client. Monitor the qdisc statistics to observe how netem's backlog incorrectly indicates it is at capacity, causing it to stop processing incoming packets.
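The monitoring step above can be scripted. The following is an added example, not part of the original advisory or of the kernel project: it reads `tc -s qdisc show` output and flags any netem qdisc that has a child qdisc and reports a packet backlog at or above its configured limit. The function names, the flagging rule and the sample statistics are assumptions constructed for illustration.

```shell
# Added example: flag netem qdiscs with a child qdisc whose reported packet
# backlog is at or above the configured limit. Input: `tc -s qdisc show` text on stdin.
netem_backlog_check() {
    awk '
    $1 == "qdisc" {
        kind = $2; split($3, h, ":"); dev = "-"; par = ""; lim = 0
        for (i = 4; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "limit")  lim = $(i + 1) + 0
            if ($i == "parent") { split($(i + 1), p, ":"); par = p[1] }
        }
        cur = dev " " h[1]                      # key: device + handle major
        if (kind == "netem") { limit[cur] = lim; order[++n] = cur }
        if (par != "") children[dev " " par] = children[dev " " par] kind ","
        next
    }
    $1 == "backlog" && cur != "" { pkts[cur] = $3 + 0 }   # "100p" -> 100
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]; c = children[k]; sub(/,$/, "", c)
            if (c != "" && limit[k] > 0 && pkts[k] >= limit[k]) {
                split(k, kk, " ")
                printf "SUSPECT dev=%s netem=%s: backlog=%dp limit=%d child=%s\n", kk[1], kk[2], pkts[k], limit[k], c
            }
        }
    }'
}

# Constructed sample statistics (not captured from a real host).
sample_stats() {
cat <<'EOF'
qdisc netem 1: dev eth0 root refcnt 2 limit 100 delay 100ms
 Sent 300000 bytes 200 pkt (dropped 40, overlimits 0 requeues 0)
 backlog 151400b 100p requeues 0
qdisc tbf 10: dev eth0 parent 1:1 rate 50Mbit burst 1537b lat 50ms
 Sent 300000 bytes 200 pkt (dropped 5, overlimits 90 requeues 0)
 backlog 0b 0p requeues 0
qdisc netem 1: dev eth1 root refcnt 2 limit 1000 delay 20ms
 Sent 90000 bytes 60 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 18168b 12p requeues 0
qdisc tbf 10: dev eth1 parent 1:1 rate 50Mbit burst 1537b lat 50ms
 Sent 90000 bytes 60 pkt (dropped 0, overlimits 3 requeues 0)
 backlog 0b 0p requeues 0
qdisc netem 1: dev eth2 root refcnt 2 limit 1000 delay 5ms
 Sent 4500000 bytes 3000 pkt (dropped 10, overlimits 0 requeues 0)
 backlog 1514000b 1000p requeues 0
EOF
}
sample_stats | netem_backlog_check   # live host: tc -s qdisc show | netem_backlog_check
```

A flagged queue on a busy link can also be a genuinely full FIFO, so compare the netem `Sent` counters across two samples to see whether packet processing has actually stopped.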
This vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest kernel version, in which this issue has been fixed.