[SRU X/C v2] Fix kernel panic in ip6_expire_frag_queue()

Stefan Bader stefan.bader at canonical.com
Thu Jun 6 10:24:06 UTC 2019

BugLink: https://bugs.launchpad.net/bugs/1824687

== Impact ==

Since 05c0b86b96 "ipv6: frags: rewrite ip6_expire_frag_queue()"
the 16.04/4.4 kernel crashes whenever that function gets called
(on busy systems this can be every 3-4 hours).
While this potentially affects Cosmic and later, too, the fix differs
on later kernels (Bionic is not yet affected as it does not yet carry
updates to the frags handling).

== Fix ==

For Xenial and Cosmic, the proposed fix would be additional changes
to ip6_expire_frag_queue(), taken from follow-up changes to ip_expire().
[Note: for Cosmic this applies with fuzz #1; when applying it, the
 result needs double-checking for correctness]
For Disco, I would hold back because we have a backlog of stable patches
there and depending on what got backported to 5.0.y there would be a
simpler fix.

For current development kernels, one just needs to ensure that the
following upstream change is included:
   47d3d7fdb10a "ip6: fix skb leak in ip6frag_expire_frag_queue()".

== Testcase ==

Unfortunately this could not be reproduced locally, but a test kernel
which had the proposed fix applied showed good results in testing.

== Risk of Regression ==

The modified function is only called in rare cases, and the positive
testing in production covers this. So I would consider the risk low.


More information about the kernel-team mailing list