CVE-2024-40905

Source
https://cve.org/CVERecord?id=CVE-2024-40905
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40905.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-40905
Published
2024-07-12T12:20:45.832Z
Modified
2026-05-18T05:58:54.728592382Z
Summary
ipv6: fix possible race in __fib6_drop_pcpu_from()
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix possible race in __fib6_drop_pcpu_from()

syzbot found a race in __fib6_drop_pcpu_from() [1]

If the compiler reads (*ppcpu_rt) more than once, the second read could return NULL if another CPU clears the value in rt6_get_pcpu_route().

Add a READ_ONCE() to prevent this race.

Also add rcu_read_lock()/rcu_read_unlock() because we rely on RCU protection while dereferencing pcpu_rt.

[1]

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: netns cleanup_net
RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
RSP: 0018:ffffc900040df070 EFLAGS: 00010206
RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
 fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
 fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
 fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
 fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
 fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
 fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
 fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
 fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
 __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
 rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
 rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
 addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
 addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
 call_netdevice_notifiers net/core/dev.c:2044 [inline]
 dev_close_many+0x333/0x6a0 net/core/dev.c:1585
 unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
 unregister_netdevice_many net/core/dev.c:11276 [inline]
 default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40905.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d52d3997f843ffefaa8d8462790ffcaca6c74192
Fixed
c90af1cced2f669a7b2304584be4ada495eaa0e5
Fixed
c693698787660c97950bc1f93a8dd19d8307153d
Fixed
a0bc020592b54a8f3fa2b7f244b6e39e526c2e12
Fixed
2498960dac9b6fc49b6d1574f7cd1a4872744adf
Fixed
7e796c3fefa8b17b30e7252886ae8cffacd2b9ef
Fixed
09e5a5a80e205922151136069e440477d6816914
Fixed
b01e1c030770ff3b4fe37fc7cc6bca03f594133f

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40905.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
5.4.279
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.221
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.162
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.95
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.35
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40905.json"