[SRU][Q/N][PATCH 0/1] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
Benjamin Wheeler
benjamin.wheeler at canonical.com
Mon Mar 16 20:35:13 UTC 2026
Buglink: https://bugs.launchpad.net/ubuntu/questing/+source/linux-realtime/+bug/2144318
SRU Justification:
[Impact]
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current
task can be preempted. Another task running on the same CPU may then execute
rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When the first
task resumes execution, its cmpxchg() in rt6_make_pcpu_route() will fail
because rt6i_pcpu is no longer NULL, triggering the BUG_ON(prev). It’s easy to
reproduce it by adding mdelay() after rt6_get_pcpu_route().
Using preempt_disable/enable is not appropriate here because
ip6_rt_pcpu_alloc() may sleep.
[Fix]
Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free our
allocation and return the existing pcpu_rt installed by another task. The BUG_ON
is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races should not occur.
[Test Plan]
I have successfully compiled and boot tested each realtime derivative kernel this patch is
submitted for.
[Where problems could occur]
Since this patch only changes code that is enabled when
CONFIG_PREEMPT_RT is enabled, this should only affect realtime
derivative kernels. This means that any regression or behavioral change
potential should be limited to realtime derivative kernels only. In that
subset, problems could occur in the network stack's ipv6 logic, since
that is what the patch modifies.
Jiayuan Chen (1):
  ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
 net/ipv6/route.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
--
2.43.0
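The failure handling described under [Fix], modeled in userspace with C11 atomics as an added example (not the kernel patch and not code from this posting). The names `slot`, `entry_alloc`, `install_or_adopt` and `replay_race` are hypothetical, and the interleaving from [Impact] is replayed sequentially instead of with real preemption.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model; all names here are hypothetical, not the kernel's. */
struct pcpu_entry { int owner; };

/* Stands in for the per-CPU pointer that starts out NULL. */
static _Atomic(struct pcpu_entry *) slot;

static struct pcpu_entry *entry_alloc(int owner)
{
    struct pcpu_entry *e = malloc(sizeof(*e));
    if (e) e->owner = owner;
    return e;
}

/* Install `mine` if the slot is still empty. If another task got there
 * first, free our allocation and return the entry it installed. */
static struct pcpu_entry *install_or_adopt(struct pcpu_entry *mine)
{
    struct pcpu_entry *prev = NULL;

    if (atomic_compare_exchange_strong(&slot, &prev, mine))
        return mine;          /* we won: slot was NULL */
    free(mine);               /* we lost: drop our copy, do not crash */
    return prev;              /* prev now holds the winner's entry */
}

/* Replays the interleaving: task A sees an empty slot and allocates,
 * task B installs while A is "preempted", then A resumes.
 * Returns 1 when A ends up using B's entry. */
static int replay_race(void)
{
    atomic_store(&slot, NULL);
    struct pcpu_entry *seen_by_a = atomic_load(&slot); /* A: lookup gives NULL */
    struct pcpu_entry *a = entry_alloc(1);             /* A: allocation, may sleep */
    struct pcpu_entry *b = entry_alloc(2);
    struct pcpu_entry *got_b, *got_a;
    int ok;

    if (!a || !b) { free(a); free(b); return 0; }
    got_b = install_or_adopt(b);                       /* B runs on the same CPU */
    got_a = install_or_adopt(a);                       /* A resumes, exchange fails */
    ok = seen_by_a == NULL && got_b == b && got_a == b && got_a->owner == 2;
    free(b);
    atomic_store(&slot, NULL);
    return ok;
}

int main(void) { return replay_race() ? 0 : 1; }
```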