Critical Vulnerability Information

Vulnerability Description:
- The HFSC (Hierarchical Fair Service Curve) scheduler has a reentrancy issue when adding classes to the eltree, causing a class to be added twice.
- When using the HFSC_RSC flag, it is possible to bypass checks and insert a class twice, leading to an infinite loop or UAF (Use After Free).

Impact Conditions:
- UAF may occur when HFSC is used in conjunction with NETEM.
- If TBF is added as the root qdisc and configured with a very low rate, it can prevent packets from being dequeued, allowing exploitation of this behavior for subsequent insertions and triggering UAF.

Mitigation:
- Explicitly check in whether a class is already in the eltree, especially when the HFSC_RSC flag is set.

Related Links:
- HFSC RSC usage with init_ed
- cl_nactive field
- init_vf function

Reporters and Testers:
- Reporters: Savino Dicanosa, William Liu, Jamal Hadi Salim
- Tester: Victor Nogueira
- Signer: Pedro Tammela
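
The mitigation above, shown as an added user-space model in C (not the kernel's code and not the patch itself): an activation guard that tests an activity counter lets the same class be linked twice, while a guard that tests the node's own membership does not. The struct layout, the function names, and the circular list standing in for the eltree are assumptions made for this example, as is the premise that the counter is not updated on this path.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a circular intrusive list stands in for the eltree. */
struct node { struct node *prev, *next; };
struct cls  { struct node el_node; unsigned nactive; };  /* hypothetical layout */

/* A node that points at itself is not linked into any list. */
static bool node_linked(const struct node *n) { return n->next != n; }

static void list_add(struct node *head, struct node *n)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* Bounded walk: returns -1 if the list does not terminate (a cycle). */
static int list_len(const struct node *head, int limit)
{
    int n = 0;
    for (const struct node *p = head->next; p != head; p = p->next)
        if (++n > limit) return -1;
    return n;
}

/* Activation step. Model assumption: nactive is not updated on this path,
 * so a counter test cannot see an insertion that already happened. */
static void activate(struct node *el, struct cls *c, bool check_membership)
{
    bool present = check_membership ? node_linked(&c->el_node)
                                    : c->nactive != 0;
    if (!present)
        list_add(el, &c->el_node);
}

/* Activate the same class twice, as a re-entered enqueue would. */
static int run_model(bool check_membership)
{
    struct node el = { &el, &el };                        /* empty list head */
    struct cls c = { { &c.el_node, &c.el_node }, 0 };     /* unlinked class */
    activate(&el, &c, check_membership);
    activate(&el, &c, check_membership);
    return list_len(&el, 16);
}

int main(void)
{
    printf("counter: %d, membership: %d\n", run_model(false), run_model(true));
    return 0;
}
```

In the counter-guarded run the second insertion makes the node its own successor, so the bounded walk reports a cycle; this is the infinite-loop outcome the description mentions.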