In the Linux kernel, the following vulnerability has been resolved:
netsched: prio: fix a race in priotune()
Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.
The race is as follows:
CPU 0 CPU 1 | | [5]: lock root | [6]: rehash | [7]: qdisctreereduce_backlog() | This can be abused to underflow a parent's qlen.
Calling qdiscpurgequeue() instead of qdisctreeflush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.