AZL-74360

In the Linux kernel, the following vulnerability has been resolved:

inet: frags: flush pending skbs in fqdirpreexit()

We have been seeing occasional deadlocks on pernetopsrwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports.

On closer inspection the Reader holding the lock was conntrack looping forever in nfconntrackcleanupnetlist(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references.

The problem is that since conntrack depends on nfdefragipv6, nfdefragipv6 will load first. Since nfdefragipv6 loads first its netns exit hooks run after conntrack's netns exit hook.

Flush all fragment queue SKBs during fqdirpreexit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush.

The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack.