ipv6: fix possible race in __fib6_drop_pcpu_from()

Summary

CVE	CVE-2024-40905
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2024-07-12 13:15:13 UTC
Updated	2026-05-12 12:16:59 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible race in __fib6_drop_pcpu_from() syzbot found a race in __fib6_drop_pcpu_from() [1] If compiler reads more than once (*ppcpu_rt), second read could read NULL, if another cpu clears the value in rt6_get_pcpu_route(). Add a READ_ONCE() to prevent this race. Also add rcu_read_lock()/rcu_read_unlock() because we rely on RCU protection while dereferencing pcpu_rt. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097] CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: netns cleanup_net RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984 Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48 RSP: 0018:ffffc900040df070 EFLAGS: 00010206 RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16 RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091 RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8 R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline] fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline] fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038 fib6_del_route net/ipv6/ip6_fib.c:1998 [inline] fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043 fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205 fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127 fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175 fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255 __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271 rt6_sync_down_dev net/ipv6/route.c:4906 [inline] rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911 addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855 addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline] call_netdevice_notifiers net/core/dev.c:2044 [inline] dev_close_many+0x333/0x6a0 net/core/dev.c:1585 unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193 unregister_netdevice_many net/core/dev.c:11276 [inline] default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Risk And Classification

Primary CVSS: v3.1 4.7 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-476

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected d52d3997f843ffefaa8d8462790ffcaca6c74192 c90af1cced2f669a7b2304584be4ada495eaa0e5 git	Not specified
CNA	Linux	Linux	affected d52d3997f843ffefaa8d8462790ffcaca6c74192 c693698787660c97950bc1f93a8dd19d8307153d git	Not specified
CNA	Linux	Linux	affected d52d3997f843ffefaa8d8462790ffcaca6c74192 a0bc020592b54a8f3fa2b7f244b6e39e526c2e12 git	Not specified
CNA	Linux	Linux	affected d52d3997f843ffefaa8d8462790ffcaca6c74192 2498960dac9b6fc49b6d1574f7cd1a4872744adf git	Not specified
CNA	Linux	Linux	affected d52d3997f843ffefaa8d8462790ffcaca6c74192 7e796c3fefa8b17b30e7252886ae8cffacd2b9ef git	Not specified
CNA	Linux	Linux	affected d52d3997f843ffefaa8d8462790ffcaca6c74192 09e5a5a80e205922151136069e440477d6816914 git	Not specified
CNA	Linux	Linux	affected d52d3997f843ffefaa8d8462790ffcaca6c74192 b01e1c030770ff3b4fe37fc7cc6bca03f594133f git	Not specified
CNA	Linux	Linux	affected 4.2	Not specified
CNA	Linux	Linux	unaffected 4.2 semver	Not specified
CNA	Linux	Linux	unaffected 5.4.279 5.4.* semver	Not specified
CNA	Linux	Linux	unaffected 5.10.221 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.162 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.95 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.35 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.9.6 6.9.* semver	Not specified
CNA	Linux	Linux	unaffected 6.10 * original_commit_for_fix	Not specified
ADP	Siemens	RUGGEDCOM RST2428P	affected V3.1 custom	Not specified
ADP	Siemens	RUGGEDCOM RST2428P	unaffected * custom	Not specified
ADP	Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family	unaffected * custom	Not specified
ADP	Siemens	SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family	unaffected * custom	Not specified
ADP	Siemens	SCALANCE XCM-/XRM-/XCH-/XRH-300 Family	affected V3.1 custom	Not specified
ADP	Siemens	SCALANCE XCM-/XRM-/XCH-/XRH-300 Family	unaffected * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem	affected * custom	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/09e5a5a80e205922151136069e440477d6816914	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/a0bc020592b54a8f3fa2b7f244b6e39e526c2e12	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/b01e1c030770ff3b4fe37fc7cc6bca03f594133f	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/2498960dac9b6fc49b6d1574f7cd1a4872744adf	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/7e796c3fefa8b17b30e7252886ae8cffacd2b9ef	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/c693698787660c97950bc1f93a8dd19d8307153d	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
cert-portal.siemens.com/productcert/html/ssa-265688.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/c90af1cced2f669a7b2304584be4ada495eaa0e5	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
cert-portal.siemens.com/productcert/html/ssa-613116.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-355557.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
lists.debian.org/debian-lts-announce/2025/01/msg00001.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.