Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition vulnerability has been identified in the Linux kernel's QFQ (Quantum Fairness Queueing) scheduler. This issue arises because the 'agg' variable can be altered in the 'qfq_change_agg' function, which is called during the 'qfq_enqueue' process. Concurrent access by other threads may lead to a NULL dereference in 'qfq_dump_class' or a use-after-free condition in 'qfq_delete_class'. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to a NULL pointer dereference or a use-after-free condition, both of which can cause memory corruption and potentially allow for arbitrary code execution.
The vulnerability has been addressed by moving the 'qfq_destroy_class' function into a critical section and adding protection with 'sch_tree_lock' for the 'qfq_dump_class' and 'qfq_dump_class_stats' functions.
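The locking pattern described in the fix, as an added userspace model in C (not the kernel patch or any project code): a pthread mutex stands in for 'sch_tree_lock', and 'change_agg', 'dump_class', 'delete_class' and 'run_model' are hypothetical names. It checks that a reader holding the lock never observes a NULL or half-replaced aggregate while another thread keeps swapping it.

```c
/* Constructed userspace model, not kernel code: tree_lock stands in for sch_tree_lock(). */
#include <pthread.h>
#include <stdlib.h>
struct agg { unsigned weight, lmax; };
struct cls { struct agg *agg; };
static pthread_mutex_t tree_lock = PTHREAD_MUTEX_INITIALIZER;

/* Enqueue-side swap: mid-way, cl->agg is NULL and the old aggregate is freed. */
static void change_agg(struct cls *cl, unsigned weight, unsigned lmax) {
    pthread_mutex_lock(&tree_lock);
    free(cl->agg); cl->agg = NULL;
    struct agg *na = malloc(sizeof(*na));
    if (!na) abort();
    na->weight = weight; na->lmax = lmax;
    cl->agg = na;
    pthread_mutex_unlock(&tree_lock);
}

/* Dump path as fixed: both fields are read inside the critical section. */
static int dump_class(struct cls *cl, unsigned *weight, unsigned *lmax) {
    pthread_mutex_lock(&tree_lock);
    int ok = cl->agg != NULL;
    if (ok) { *weight = cl->agg->weight; *lmax = cl->agg->lmax; }
    pthread_mutex_unlock(&tree_lock);
    return ok;
}

/* Delete path as fixed: the destroy step runs before the lock is dropped. */
static void delete_class(struct cls *cl) {
    pthread_mutex_lock(&tree_lock);
    free(cl->agg); cl->agg = NULL;
    pthread_mutex_unlock(&tree_lock);
}
static void *writer(void *arg) {
    for (unsigned i = 1; i <= 20000; i++) change_agg(arg, i, 2 * i);
    return NULL;
}

/* Count dumps that hit NULL or a torn (weight, lmax) pair while writer runs. */
static int run_model(void) {
    struct cls cl = { NULL };
    pthread_t t; unsigned w, l, bad = 0;
    change_agg(&cl, 1, 2);
    if (pthread_create(&t, NULL, writer, &cl)) return -1;
    for (int i = 0; i < 20000; i++) bad += !dump_class(&cl, &w, &l) || l != 2 * w;
    pthread_join(t, NULL);
    delete_class(&cl);
    return (int)bad + dump_class(&cl, &w, &l);
}
int main(void) { return run_model() != 0; }
```

Taking the lock out of 'dump_class' or moving the 'free' in 'delete_class' after the unlock reintroduces the two windows the advisory names, which a thread or address sanitizer build of this model will report.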