NAK/Cmnt: [SRU][Q/N][PATCH 0/1] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT

Stefan Bader stefan.bader at canonical.com
Thu Mar 19 07:15:13 UTC 2026


On 18/03/2026 19:28, Benjamin Wheeler wrote:
> This already got applied into q:linux via upstream stable updates, and 
> the noble one should actually get re-submitted via the ESM ML.

Why? Noble is still supported...


-Stefan
> 
> 
> On Mon, Mar 16, 2026 at 4:35 PM Benjamin Wheeler
> <benjamin.wheeler at canonical.com> wrote:
> 
>     Buglink: https://bugs.launchpad.net/ubuntu/questing/+source/linux-realtime/+bug/2144318
> 
>     SRU Justification:
> 
>     [Impact]
> 
>     In the Linux kernel, the following vulnerability has been resolved:
>
>     ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
>
>     On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
>     current task can be preempted. Another task running on the same CPU
>     may then execute rt6_make_pcpu_route() and successfully install a
>     pcpu_rt entry. When the first task resumes execution, its cmpxchg()
>     in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
>     NULL, triggering the BUG_ON(prev). It’s easy to reproduce it by
>     adding mdelay() after rt6_get_pcpu_route(). Using
>     preempt_disable/enable is not appropriate here because
>     ip6_rt_pcpu_alloc() may sleep.
> 
>     [Fix]
> 
>     Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
>     free our allocation and return the existing pcpu_rt installed by
>     another task. The BUG_ON is replaced by WARN_ON_ONCE for
>     non-PREEMPT_RT kernels where such races should not occur.
> 
>     [Test Plan]
> 
>     I have successfully compiled and boot tested each realtime
>     derivative kernel this patch is submitted for.
> 
>     [Where problems could occur]
> 
>     Since this patch only changes code that is enabled when
>     CONFIG_PREEMPT_RT is enabled, this should only affect realtime
>     derivative kernels. This means that any regression or behavioral change
>     potential should be limited to realtime derivative kernels only. In that
>     subset, problems could occur in the network stack's ipv6 logic, since
>     that is what the patch modifies.
> 
>     Jiayuan Chen (1):
>        ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
> 
>       net/ipv6/route.c | 13 ++++++++++++-
>       1 file changed, 12 insertions(+), 1 deletion(-)
> 
>     -- 
>     2.43.0
> 
> 
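
The lost-race handling described in the quoted [Fix] section, as an added user-space sketch with C11 atomics; it is not the kernel patch or code from this thread, and `slot`, `struct entry`, `install_or_adopt()` and `replay_lost_race()` are hypothetical stand-ins. It models only the adopt-the-winner path, replaying the interleaving deterministically in one thread.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical stand-ins: 'slot' plays the role of the per-CPU route
 * pointer (rt6i_pcpu in the quoted text), 'entry' of a cached route. */
struct entry { int id; };
static _Atomic(struct entry *) slot;
static int freed_count;

static struct entry *alloc_entry(int id)
{
    struct entry *e = malloc(sizeof(*e));
    if (e)
        e->id = id;
    return e;
}

/* Install 'mine' only if the slot is still empty. If another task got
 * there first, free our allocation and hand back the installed entry
 * instead of treating the failed compare-exchange as fatal. */
static struct entry *install_or_adopt(struct entry *mine)
{
    struct entry *prev = NULL;
    if (atomic_compare_exchange_strong(&slot, &prev, mine))
        return mine;
    free(mine);
    freed_count++;
    return prev;            /* updated to the current slot value */
}

/* Constructed interleaving: A looks up, allocates, is preempted;
 * B installs on the same CPU; A resumes. Returns 1 if A adopts B's entry. */
static int replay_lost_race(void)
{
    atomic_store(&slot, NULL);
    freed_count = 0;
    struct entry *seen_by_a = atomic_load(&slot);   /* A: lookup is NULL */
    struct entry *a = alloc_entry(1);                /* A: allocates      */
    struct entry *b = alloc_entry(2);                /* B: runs meanwhile */
    if (!a || !b) { free(a); free(b); return -1; }
    struct entry *b_res = install_or_adopt(b);       /* B: wins           */
    struct entry *a_res = install_or_adopt(a);       /* A: cmpxchg fails  */
    int ok = !seen_by_a && b_res == b && a_res == b &&
             a_res->id == 2 && freed_count == 1;
    free(atomic_exchange(&slot, NULL));
    return ok;
}

int main(void) { return replay_lost_race() == 1 ? 0 : 1; }
```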
