CVE-2024-56703
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/12/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix soft lockups in fib6_select_path under high next hop churn

Soft lockups have been observed on a cluster of Linux-based edge routers
located in a highly dynamic environment. Using the `bird` service, these
routers continuously update BGP-advertised routes due to frequently
changing nexthop destinations, while also managing significant IPv6
traffic. The lockups occur during the traversal of the multipath
circular linked-list in the `fib6_select_path` function, particularly
while iterating through the siblings in the list. The issue typically
arises when the nodes of the linked list are unexpectedly deleted
concurrently on a different core—indicated by their 'next' and
'previous' elements pointing back to the node itself and their reference
count dropping to zero. This results in an infinite loop, leading to a
soft lockup that triggers a system panic via the watchdog timer.

Apply RCU primitives in the problematic code sections to resolve the
issue. Where necessary, update the references to fib6_siblings to
annotate or use the RCU APIs.

Include a test script that reproduces the issue. The script
periodically updates the routing table while generating a heavy load
of outgoing IPv6 traffic through multiple iperf3 clients. It
consistently induces infinite soft lockups within a couple of minutes.

Kernel log:

```
0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb
1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3
2 [ffffbd13003e8e58] panic at ffffffff8cef65d4
3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03
4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f
5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756
6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af
7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d
-- --
8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb
[exception RIP: fib6_select_path+299]
RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287
RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000
RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618
RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200
R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830
R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c
10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c
11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5
12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47
13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0
14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274
15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474
16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615
17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec
18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3
19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9
20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]
21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]
22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]
23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000
24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581
25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9
26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47
27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30
28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f
29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64
30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb
```
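
The failure mode described above, as a simplified user-space model added to this page (it is not kernel code and not the upstream patch): a reader parked on a sibling that is unlinked and re-initialised to point at itself never gets back to the list head, while an RCU-style unlink, which keeps the removed node's forward pointer as the kernel's `list_del_rcu` does, lets the reader finish. The names `del_init`, `del_rcu_style`, `walk_from` and `simulate` are hypothetical, and the step limit stands in for the watchdog.

```c
#include <stdio.h>

/* User-space model of a kernel-style circular doubly linked list. */
struct node { struct node *next, *prev; };

static void list_init(struct node *n) { n->next = n->prev = n; }

static void list_add_tail(struct node *n, struct node *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Unlink and re-initialise: the removed node ends up pointing at itself. */
static void del_init(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}

/* RCU-style unlink: neighbours skip the node but its forward pointer is
 * kept, so a reader already on it can still reach the head (assumption:
 * the kernel's deferred free after a grace period is not modelled). */
static void del_rcu_style(struct node *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}

/* Reader resumes at cur and walks until it is back at head. Returns the
 * steps taken, or -1 once limit is exceeded (the soft-lockup case). */
static int walk_from(const struct node *cur, const struct node *head, int limit) {
    int steps = 0;
    while (cur != head) {
        if (steps++ >= limit) return -1;
        cur = cur->next;
    }
    return steps;
}

/* Head plus three siblings; the reader is parked on sib[1] when a writer
 * "on another core" removes that node before the reader advances. */
static int simulate(int rcu_style) {
    struct node head, sib[3];
    list_init(&head);
    for (int i = 0; i < 3; i++) list_add_tail(&sib[i], &head);
    if (rcu_style) del_rcu_style(&sib[1]); else del_init(&sib[1]);
    return walk_from(&sib[1], &head, 1000);
}

int main(void) {
    printf("del_init: %d\nrcu-style: %d\n", simulate(0), simulate(1));
    return 0;
}
```
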
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 6.1.128 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/11edcd026012ac18acee0f1514db3ed1b160fc6f
- https://git.kernel.org/stable/c/34a949e7a0869dfa31a40416d2a56973fae1807b
- https://git.kernel.org/stable/c/52da02521ede55fb86546c3fffd9377b3261b91f
- https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2
- https://git.kernel.org/stable/c/d9ccb18f83ea2bb654289b6ecf014fd267cc988b
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html



