Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition has been identified in the Linux kernel's QMAN (Queue Manager) component, specifically in dynamic FQID (Flow Queue Identifier) management. When the QMAN_FQ_FLAG_DYNAMIC_FQID flag is set, the state of the fq_table can conflict with the allocation or deallocation of FQIDs from the pool. The issue arises in the qman_destroy_fq function, which frees the FQID back to the pool while the fq_table still holds an active entry for it; the WARN_ON check in qman_create_fq then triggers a warning when that FQID is allocated again. The vulnerability can be exploited by manipulating the timing of FQID releases and allocations across different threads, potentially causing the system to incorrectly handle queue states and identifiers.
Exploitation of this vulnerability can lead to incorrect queue management, where freed FQIDs are prematurely reallocated, causing state inconsistencies that could disrupt normal operations or processing flows.
The vulnerability can be reproduced by creating a QMAN flow queue with the QMAN_FQ_FLAG_DYNAMIC_FQID flag enabled. Once the queue is established, initiate a destruction process for the queue while simultaneously allocating a new FQID. This can be done by releasing the current FQID, shutting down the flow queue, and freeing the FQID from the pool. At this point, the FQID becomes available for allocation again. In a separate thread, allocate a new FQID, which may inadvertently retrieve the just-freed identifier. Then, modify the queue's FQID and index, and reinsert it into the fq_table. This sequence of actions will trigger the race condition, as the qman_create_fq function will warn about the unexpected table state.
The vulnerability has been addressed by modifying the qman_destroy_fq function to ensure that the fq_table entry is cleared before freeing the FQID, using a memory barrier to synchronize the operations. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
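The ordering change described above, modelled in user space as an added example (this is not kernel code or the upstream patch): the `model_` functions, the array-based pool, the `idx = fqid` mapping and the `racer` hook that replays the second thread's allocation deterministically are all assumptions made for illustration.

```c
/* Constructed user-space model; names echo the advisory, bodies are simplified. */
#include <stdatomic.h>
#include <stdio.h>

#define NUM_FQIDS 4
struct fq { unsigned fqid, idx; };
static struct fq *fq_table[NUM_FQIDS]; /* lookup table indexed by fq->idx */
static int pool_used[NUM_FQIDS];       /* stand-in for the FQID pool */
static int warn_count;                 /* counts modelled WARN_ON hits */

/* Create path: take the lowest free FQID, then publish the queue in fq_table. */
static int model_create_fq(struct fq *fq) {
    for (unsigned id = 0; id < NUM_FQIDS; id++) {
        if (pool_used[id]) continue;
        pool_used[id] = 1;
        fq->fqid = fq->idx = id;              /* index derivation simplified */
        if (fq_table[fq->idx]) warn_count++;  /* stale entry: the WARN_ON case */
        fq_table[fq->idx] = fq;
        return 0;
    }
    return -1;
}

/* Destroy path. fixed=0 frees the FQID before clearing the table entry,
 * fixed=1 clears first. racer is created while the FQID is back in the pool. */
static void model_destroy_fq(struct fq *fq, int fixed, struct fq *racer) {
    unsigned idx = fq->idx;
    if (fixed) {
        fq_table[idx] = NULL;                       /* clear the entry first */
        atomic_thread_fence(memory_order_release);  /* models the memory barrier */
    }
    pool_used[fq->fqid] = 0;            /* FQID is allocatable again */
    if (racer) model_create_fq(racer);  /* the other thread's create lands here */
    if (!fixed) fq_table[idx] = NULL;   /* too late: wipes the racer's entry */
}

/* Runs create, destroy with a racing create; returns the warning count and
 * reports whether the racing queue is still published in fq_table. */
static int run_scenario(int fixed, int *racer_published) {
    struct fq a, b;
    for (int i = 0; i < NUM_FQIDS; i++) { pool_used[i] = 0; fq_table[i] = NULL; }
    warn_count = 0;
    model_create_fq(&a);
    model_destroy_fq(&a, fixed, &b);
    *racer_published = (fq_table[b.idx] == &b);
    return warn_count;
}

int main(void) {
    int pub, w = run_scenario(0, &pub);
    printf("free-then-clear: warnings=%d racer_published=%d\n", w, pub);
    w = run_scenario(1, &pub);
    printf("clear-then-free: warnings=%d racer_published=%d\n", w, pub);
    return 0;
}
```

In the free-then-clear order the model shows both effects of the race: the stale-entry warning, and the late clear removing the newly created queue from the table.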