Linux Kernel ETS Race Condition Vulnerability in Queue Management

A race condition vulnerability has been identified in the Linux kernel's Ethernet Traffic Scheduling (ETS) component. This issue arises in the 'ets_qdisc_change()' function, where the Stochastic Fairness Queueing (SFQ) perturb timer can inadvertently disrupt the timing of operations. The race condition occurs when one CPU thread locks the queue discipline (qdisc) root, flushes the backlog, and then unlocks it, while another thread simultaneously modifies the qdisc, potentially leading to an underflow in the parent's queue length. This vulnerability can be exploited to manipulate queue management improperly.

Impact

Exploitation of this vulnerability can cause an underflow in a parent's queue length, disrupting normal traffic scheduling and potentially leading to degraded network performance.

Remediation

The vulnerability can be addressed by replacing 'qdisc_tree_flush_backlog()' with 'qdisc_purge_queue()' in the 'ets_qdisc_change()' function. This change ensures that all packets are removed from the queue discipline before releasing the lock, preventing the race condition.