ipv6: Fix soft lockups in fib6_select_path under high next hop churn

Summary

CVECVE-2024-56703
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2024-12-28 10:15:18 UTC
Updated2026-07-14 13:17:13 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: ipv6: Fix soft lockups in fib6_select_path under high next hop churn Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core—indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs. Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes. Kernel log: 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d -- <IRQ stack> -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb [exception RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200 R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c 10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c 11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5 12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice] 21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice] 22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice] 23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-835 | CWE-835 CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')


VersionSourceTypeScoreSeverityVector
3.1[email protected]Primary5.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
3.1ADPDECLARED5.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
3.1134c704f-9b21-4f2e-91b3-4a467353bcc0Secondary5.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83 d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 git Not specified
CNA Linux Linux affected 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83 52da02521ede55fb86546c3fffd9377b3261b91f git Not specified
CNA Linux Linux affected 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83 11edcd026012ac18acee0f1514db3ed1b160fc6f git Not specified
CNA Linux Linux affected 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83 34a949e7a0869dfa31a40416d2a56973fae1807b git Not specified
CNA Linux Linux affected 66f5d6ce53e665477d2a33e8f539d4fa4ca81c83 d9ccb18f83ea2bb654289b6ecf014fd267cc988b git Not specified
CNA Linux Linux affected 4.15 Not specified
CNA Linux Linux unaffected 4.15 semver Not specified
CNA Linux Linux unaffected 6.1.128 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.75 6.6.* semver Not specified
CNA Linux Linux unaffected 6.11.11 6.11.* semver Not specified
CNA Linux Linux unaffected 6.12.2 6.12.* semver Not specified
CNA Linux Linux unaffected 6.13 * original_commit_for_fix Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP affected V3.1.6 * custom Not specified
ADP Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP MFP affected V3.1.6 * custom Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/11edcd026012ac18acee0f1514db3ed1b160fc6f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/d9ccb18f83ea2bb654289b6ecf014fd267cc988b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-019113.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/52da02521ede55fb86546c3fffd9377b3261b91f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/34a949e7a0869dfa31a40416d2a56973fae1807b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
lists.debian.org/debian-lts-announce/2025/03/msg00001.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org
git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report