Critical Vulnerability Information

Vulnerability Description:
- HFSC (Hierarchical Fair Service Curve) has a reentrancy issue when inserting classes repeatedly into the eltree.
- When using HFSC with NETEM, a specific bypass can circumvent checks, leading to a Use After Free (UAF) error.

Specific Issue:
- The patch only checks the field to determine if it's the first insertion, but this field is incremented only in .
- Using the flag (which invokes ) can bypass the check, allowing a class to be inserted twice into the eltree, resulting in an infinite loop or UAF.

Mitigation:
- Explicitly check in whether the class is already in the eltree, especially when the flag is set.

Related Links:
- [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
- [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
- [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
- [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
- [5] https://lore.kernel.org/netdev/8DuRWwfgqjORDLDmB1IfbrsZg96x50DHJclilxsEBNe2D6NMoiqR_eIRIG0LOjMc3r16nUUZtArXx4oZBIIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/

Reporters and Testers:
- Reporters: Savino Dicarosa, William Liu, Jamal Hadi Salim
- Tester: Victor Nogueira
- Signer: Pedro Tammela
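
The difference between the counter-based check and the explicit membership check described under "Specific Issue" and "Mitigation" can be seen in a small user-space model. This is an added example, not kernel code or code from the patch: an intrusive list stands in for the eltree, and every name in it (`active_count`, `realtime`, both guard functions) is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code. An intrusive list stands in for the eltree;
 * all names below are hypothetical. */
struct node { struct node *prev, *next; };
struct cls {
    struct node el;         /* link into the eligible structure */
    unsigned active_count;  /* counter bumped on only one activation path */
    bool realtime;          /* flag that selects the other activation path */
};

static void node_init(struct node *n) { n->prev = n->next = n; }
static bool node_linked(const struct node *n) { return n->next != n; }
static void list_add(struct node *head, struct node *n) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Guard A: infers "first insertion" from the counter alone. */
static int enqueue_counter_guard(struct node *head, struct cls *c) {
    if (c->active_count != 0) return 0;
    if (!c->realtime) { c->active_count++; return 0; }
    list_add(head, &c->el);   /* counter never changes on this path */
    return 1;
}

/* Guard B: asks the data structure itself whether the node is linked. */
static int enqueue_membership_guard(struct node *head, struct cls *c) {
    if (!c->realtime || node_linked(&c->el)) return 0;
    list_add(head, &c->el);
    return 1;
}

/* Enqueue the same realtime class twice with no dequeue in between
 * (the reentrant case) and return how many times it was inserted. */
static int inserts_after_two_enqueues(int (*guard)(struct node *, struct cls *)) {
    struct node head;
    struct cls c = { .active_count = 0, .realtime = true };
    node_init(&head); node_init(&c.el);
    int first = guard(&head, &c);
    return first + guard(&head, &c);
}

int main(void) {
    printf("counter guard:    %d inserts\n", inserts_after_two_enqueues(enqueue_counter_guard));
    printf("membership guard: %d inserts\n", inserts_after_two_enqueues(enqueue_membership_guard));
    return 0;
}
```

With the counter guard the second insert leaves the node pointing at itself, which is the toy equivalent of the infinite loop the report describes; the membership guard rejects the second insert regardless of which path activated the class.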