CVE-2024-56751

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56751
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56751.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56751
Published
2024-12-29T11:30:16.805Z
Modified
2025-11-28T02:34:21.591887Z
Summary
ipv6: release nexthop on device removal
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: release nexthop on device removal

The CI is hitting some aperiodic hangup at device removal time in the pmtu.sh self-test:

unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
    dst_init+0x84/0x4a0
    dst_alloc+0x97/0x150
    ip6_dst_alloc+0x23/0x90
    ip6_rt_pcpu_alloc+0x1e6/0x520
    ip6_pol_route+0x56f/0x840
    fib6_rule_lookup+0x334/0x630
    ip6_route_output_flags+0x259/0x480
    ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
    ip6_dst_lookup_flow+0x88/0x190
    udp_tunnel6_dst_lookup+0x2a7/0x4c0
    vxlan_xmit_one+0xbde/0x4a50 [vxlan]
    vxlan_xmit+0x9ad/0xf20 [vxlan]
    dev_hard_start_xmit+0x10e/0x360
    __dev_queue_xmit+0xf95/0x18c0
    arp_solicit+0x4a2/0xe00
    neigh_probe+0xaa/0xf0

While the first suspect is the dst_cache, explicitly tracking the dst owning the last device reference via probes proved such dst is held by the nexthop in the originating fib6_info.

Similar to commit f5b51fe804ec ("ipv6: route: purge exception on removal"), we need to explicitly release the originating fib info when disconnecting a to-be-removed device from a live ipv6 dst: move the fib6_info cleanup into ip6_dst_ifdown().

Tested running:

./pmtu.sh cleanup_ipv6_exception

in a tight loop for more than 400 iterations with no splat; running an unpatched kernel, I observed a splat every ~10 iterations.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56751.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74
Fixed
77aa9855a878fb43f547ddfbda3127a1e88ad31a
Fixed
b2f26a27ea3f72f75d18330f76f5d1007c791848
Fixed
43e25adc80269f917d2a195f0d59f74cdd182955
Fixed
a3c3f8a4d025acc8c857246ec2b812c59102487a
Fixed
0e4c6faaef8a24b762a24ffb767280e263ef8e10
Fixed
eb02688c5c45c3e7af7e71f036a7144f5639cbfe

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.15.181
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.120
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.64
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.11
Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.2