Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's networking scheduler, specifically within lockless queue disciplines (qdiscs). This issue arises when the number of transmission queues is reduced. The function netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to reset qdiscs for queues that are no longer needed. However, qdisc_reset_all_tx_gt() synchronizes qdisc_reset() using a general qdisc lock. In contrast, lockless qdiscs manage the dequeue process with a sequence lock, allowing qdisc_reset() to execute simultaneously with the dequeue operation. This concurrency can result in qdisc_reset() freeing socket buffers (skbs) that are still being processed, leading to a use-after-free condition.
Triggering this race causes a use-after-free: skbs still being processed by the dequeue path are freed, and the subsequent access to that freed memory can lead to memory corruption or, potentially, arbitrary code execution.
The vulnerability can be reproduced on virtio-net by generating heavy traffic with iperf3 while simultaneously changing the number of queue pairs using ethtool. This combination creates a race condition that the vulnerability exploits.
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.