NAK/Cmnt: [SRU][Q/N][PATCH 0/1] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT

Benjamin Wheeler benjamin.wheeler at canonical.com
Wed Mar 18 18:28:25 UTC 2026 

This already got applied into q:linux via upstream stable updates, and the
noble one should actually get re-submitted via the ESM ML.


On Mon, Mar 16, 2026 at 4:35 PM Benjamin Wheeler <
benjamin.wheeler at canonical.com> wrote:

> Buglink:
> https://bugs.launchpad.net/ubuntu/questing/+source/linux-realtime/+bug/2144318
>
> SRU Justification:
>
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved: ipv6:
> fix a
> BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after
> rt6_get_pcpu_route() returns NULL, the current task can be preempted.
> Another
> task running on the same CPU may then execute rt6_make_pcpu_route() and
> successfully install a pcpu_rt entry. When the first task resumes
> execution, its
> cmpxchg() in rt6_make_pcpu_route() will fail because rt6i_pcpu is no
> longer
> NULL, triggering the BUG_ON(prev). It’s easy to reproduce it by adding
> mdelay()
> after rt6_get_pcpu_route(). Using preempt_disable/enable is not
> appropriate here
> because ip6_rt_pcpu_alloc() may sleep.
>
> [Fix]
>
> Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free
> our
> allocation and return the existing pcpu_rt installed by another task. The
> BUG_ON
> is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races
> should not occur.
>
> [Test Plan]
>
> I have successfully compiled and boot tested each realtime derivative
> kernel this patch is
> submitted for.
>
> [Where problems could occur]
>
> Since this patch only changes code that is enabled when
> CONFIG_PREEMPT_RT is enabled, this should only affect realtime
> derivative kernels. This means that any regression or behavioral change
> potential should be limited to realtime derivative kernels only. In that
> subset, problems could occur in the network stack's ipv6 logic, since
> that is what the patch modifies.
>
> Jiayuan Chen (1):
>   ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
>
>  net/ipv6/route.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260318/4c43565d/attachment-0001.html>

More information about the kernel-team mailing list