NAK/Cmnt: [SRU][Q/N][PATCH 0/1] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT

Benjamin Wheeler benjamin.wheeler at canonical.com
Mon Mar 23 14:22:34 UTC 2026


The patches should have only gone into noble:linux-realtime (my mistake).
Also the Pro kernels tend to have patches sent to ESM ML.


On Thu, Mar 19, 2026 at 3:15 AM Stefan Bader <stefan.bader at canonical.com>
wrote:

> On 18/03/2026 19:28, Benjamin Wheeler wrote:
> > This already got applied into q:linux via upstream stable updates, and
> > the noble one should actually get re-submitted via the ESM ML.
>
> Why? Noble is still supported...
>
>
> -Stefan
> >
> >
> > On Mon, Mar 16, 2026 at 4:35 PM Benjamin Wheeler
> > <benjamin.wheeler at canonical.com> wrote:
> >
> >     Buglink: https://bugs.launchpad.net/ubuntu/questing/+source/linux-realtime/+bug/2144318
> >
> >     SRU Justification:
> >
> >     [Impact]
> >
> >     In the Linux kernel, the following vulnerability has been resolved:
> >     ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
> >
> >     On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
> >     current task can be preempted. Another task running on the same CPU
> >     may then execute rt6_make_pcpu_route() and successfully install a
> >     pcpu_rt entry. When the first task resumes execution, its cmpxchg()
> >     in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
> >     NULL, triggering the BUG_ON(prev). It’s easy to reproduce it by
> >     adding mdelay() after rt6_get_pcpu_route(). Using
> >     preempt_disable/enable is not appropriate here because
> >     ip6_rt_pcpu_alloc() may sleep.
> >
> >     [Fix]
> >
> >     Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
> >     free our allocation and return the existing pcpu_rt installed by
> >     another task. The BUG_ON is replaced by WARN_ON_ONCE for
> >     non-PREEMPT_RT kernels where such races should not occur.
> >
> >     [Test Plan]
> >
> >     I have successfully compiled and boot tested each realtime
> >     derivative kernel this patch is submitted for.
> >
> >     [Where problems could occur]
> >
> >     Since this patch only changes code that is enabled when
> >     CONFIG_PREEMPT_RT is enabled, this should only affect realtime
> >     derivative kernels. This means that any regression or behavioral
> >     change potential should be limited to realtime derivative kernels
> >     only. In that subset, problems could occur in the network stack's
> >     ipv6 logic, since that is what the patch modifies.
> >
> >     Jiayuan Chen (1):
> >        ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
> >
> >       net/ipv6/route.c | 13 ++++++++++++-
> >       1 file changed, 12 insertions(+), 1 deletion(-)
> >
> >     --
> >     2.43.0
> >
> >
>
>
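
The race and the [Fix] described in the quoted cover letter, as an added userspace illustration (not the kernel patch, whose hunks are not shown in this thread). C11 atomics stand in for cmpxchg(), the interleaving is constructed and single-threaded, and `pcpu_entry`, `slot`, `install_or_reuse` and `simulate_race` are hypothetical names.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical stand-in for a cached per-CPU route entry. */
struct pcpu_entry { int owner; };

/* Hypothetical stand-in for the per-CPU slot (rt6i_pcpu in the text). */
static _Atomic(struct pcpu_entry *) slot;
static int frees; /* allocations discarded after losing the race */

static struct pcpu_entry *entry_alloc(int owner)
{
    struct pcpu_entry *e = malloc(sizeof(*e));
    if (e)
        e->owner = owner;
    return e;
}

/* Install `mine` if the slot is still empty; otherwise free it and
 * return the entry that another task installed first. */
static struct pcpu_entry *install_or_reuse(struct pcpu_entry *mine)
{
    struct pcpu_entry *prev = NULL;
    if (atomic_compare_exchange_strong(&slot, &prev, mine))
        return mine;  /* won: the slot was NULL */
    free(mine);       /* lost: prev now holds the winner's entry */
    frees++;
    return prev;
}

/* Constructed interleaving: task 1 finds the slot empty and allocates, task 2
 * installs, task 1 resumes. Returns the owner of the entry both end up using. */
static int simulate_race(void)
{
    struct pcpu_entry *a, *b, *got_a, *got_b;
    int owner;
    atomic_store(&slot, NULL);
    frees = 0;
    a = entry_alloc(1);
    b = entry_alloc(2);
    if (!a || !b) { free(a); free(b); return -1; }
    got_b = install_or_reuse(b);  /* task 2 installs first */
    got_a = install_or_reuse(a);  /* task 1 resumes, compare-exchange fails */
    owner = (got_a == got_b) ? got_a->owner : -1;
    free(atomic_exchange(&slot, NULL));
    return owner;
}

int main(void) { return simulate_race() == 2 ? 0 : 1; }
```

A handler that treats the failed compare-exchange as fatal, as the BUG_ON(prev) in the description did, would stop at the second `install_or_reuse` call instead of returning the winner's entry.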