From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
To: stable-rt@vger.kernel.org
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>,
Clark Williams <clrkwllms@kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-rt-devel@lists.linux.dev
Subject: Re: [PATCH net v4] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
Date: Mon, 12 Jan 2026 16:49:47 +0100 [thread overview]
Message-ID: <20260112154947.5C8DFdQb@linutronix.de> (raw)
In-Reply-To: <20251223051413.124687-1-jiayuan.chen@linux.dev>
On 2025-12-23 13:14:12 [+0800], Jiayuan Chen wrote:
> On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
> current task can be preempted. Another task running on the same CPU
> may then execute rt6_make_pcpu_route() and successfully install a
> pcpu_rt entry. When the first task resumes execution, its cmpxchg()
> in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
> NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
> mdelay() after rt6_get_pcpu_route().
>
> Using preempt_disable/enable is not appropriate here because
> ip6_rt_pcpu_alloc() may sleep.
>
> Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
> free our allocation and return the existing pcpu_rt installed by
> another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
> kernels where such races should not occur.
>
> Link: https://syzkaller.appspot.com/bug?extid=9b35e9bc0951140d13e6
> Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
> Reported-by: syzbot+9b35e9bc0951140d13e6@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6918cd88.050a0220.1c914e.0045.GAE@google.com/T/
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
This is upstream as commit
1adaea51c61b5 ("ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT")
and should be backported down to v6.12 due to the fixes tag. RT wise it
should be broken since its introduction so if the stable team could take
it down to v5.10-rt, that would be nice.
Sebastian
prev parent reply other threads:[~2026-01-12 15:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-23 5:14 [PATCH net v4] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT Jiayuan Chen
2025-12-30 11:20 ` patchwork-bot+netdevbpf
2026-01-12 15:49 ` Sebastian Andrzej Siewior [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260112154947.5C8DFdQb@linutronix.de \
--to=bigeasy@linutronix.de \
--cc=clrkwllms@kernel.org \
--cc=jiayuan.chen@linux.dev \
--cc=linux-rt-devel@lists.linux.dev \
--cc=rostedt@goodmis.org \
--cc=stable-rt@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox