Linux Kernel Qdisc API Parent Class Validation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's traffic control (tc) subsystem, specifically in the queuing discipline (qdisc) API. It arises when a user creates or modifies a qdisc while specifying a parent qdisc that does not exist. The qdisc API is supposed to reject such operations, but a flaw lets the request bypass certain checks, which can lead to inconsistencies. The problem is exacerbated in qdiscs such as 'fq', 'hhf', and 'choke', which automatically reduce backlog during their initialization or modification phases. The expected child class is then not found, yet the system still attempts to process it as if a valid class were present.

Impact

Exploitation of this vulnerability can cause traffic control qdiscs to malfunction, potentially leading to improper packet scheduling or handling.

Reproduction

To reproduce this vulnerability, add a qdisc to a network interface while specifying a parent qdisc that does not exist. Then, add another qdisc as a child of the first one. The system will invoke qdisc_tree_reduce_backlog, which expects a valid class but fails to find one, leading to a null class reference. This can disrupt the normal operation of the qdiscs involved.

Remediation

Users can avoid this vulnerability by ensuring that any parent qdisc specified exists and is properly initialized before being referenced.
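
One way to apply this check before attaching a child qdisc, as an added example that is not part of the original advisory. The helper names (parent_major, qdisc_listed, checked_qdisc_add) and the sample listing are constructed for illustration; the check confirms only that a qdisc with the parent's major handle is listed on the device, not that the minor class exists.

```shell
#!/bin/sh
# Added example: refuse "tc qdisc add ... parent X:Y" unless qdisc X: exists.
# All function names here are hypothetical helpers, not part of iproute2.

# Constructed sample of "tc qdisc show dev DEV" output (for offline checks).
SAMPLE_LISTING='qdisc htb 1: root refcnt 2 r2q 10 default 0 direct_packets_stat 0
qdisc fq 10: parent 1:10 limit 10000p flow_limit 100p'

# Normalise a hex handle major: lowercase, no leading zeros ("0010" -> "10").
norm_major() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/^0*\([0-9a-f]\)/\1/'
}

# Print the major of a parent spec such as "1:10" or "8001:". Fails for specs
# that name no parent handle ("root", "ingress") or are not hexadecimal.
parent_major() {
    case "$1" in
        *:*) m=${1%%:*} ;;
        *)   return 1 ;;
    esac
    case "$m" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    norm_major "$m"
}

# Read a qdisc listing on stdin; succeed if a qdisc with handle major $1 is
# present. The third field of every "qdisc ..." line is its handle ("1:").
qdisc_listed() {
    want=$(norm_major "$1")
    while read -r kw _kind handle _rest; do
        [ "$kw" = "qdisc" ] || continue
        [ "$(norm_major "${handle%%:*}")" = "$want" ] && return 0
    done
    return 1
}

# Usage: checked_qdisc_add DEV PARENT KIND [OPTIONS...]
# Attaches the child only when the parent qdisc is already installed on DEV.
checked_qdisc_add() {
    dev=$1 parent=$2; shift 2
    major=$(parent_major "$parent") ||
        { echo "no parent handle in '$parent'" >&2; return 2; }
    tc qdisc show dev "$dev" | qdisc_listed "$major" ||
        { echo "parent qdisc $major: is not present on $dev" >&2; return 1; }
    tc qdisc add dev "$dev" parent "$parent" "$@"
}
```

The same qdisc_listed check can be run over saved tc output to audit existing automation scripts for parent handles that are never created.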

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.