Linux Kernel Fragmentation Deadlock Vulnerability in Connection Tracking

Vulnerability

A deadlock vulnerability has been identified in the Linux kernel's connection tracking (conntrack) system, in the networking code that handles IP fragmentation. The conntrack module can become stuck during cleanup and never release its network resources, which leads to system hangs. The deadlock occurs when the IP defragmentation process leaves behind queued fragments that are not cleaned up, so the connection tracking cleanup loops indefinitely waiting on these remnants. The problem is made worse by the order in which network modules are loaded and unloaded, particularly with IPv6 defragmentation, which can interfere with normal conntrack operation. This vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability can cause a deadlock in the connection tracking system, leading to system hangs and unresponsive behavior, particularly when loading certain network drivers that rely on IP fragmentation handling. Because the cleanup path never completes, the affected network namespace cannot be torn down.

Reproduction

The vulnerability can be reproduced by loading a network driver that interacts with IP fragmentation, such as ipvlan, which causes the connection tracking system to process fragmented packets. Running the ip_defrag.sh test script afterwards exposes the deadlock by leaving behind unprocessed fragments. The effect can be observed by monitoring the connection tracking cleanup process, which gets stuck indefinitely and is unable to release network resources.

Remediation

The vulnerability has been addressed in a commit that flushes the fragmentation queues during the network namespace exit process, so that all pending fragments are freed before the connection tracking system is cleaned up. Users can apply this patch to their kernel to resolve the issue.
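The following is an added example, not the kernel's code or the page's own: a deliberately simplified model of the cleanup ordering described in the Vulnerability and Remediation sections. A queued fragment is modelled as holding one reference on the namespace's conntrack table; the cleanup routine waits for that reference count to reach zero. Without flushing the fragment queue first, nothing can drop those references once the namespace is exiting, so the wait never ends (bounded here so the stuck state is reported as a return code instead of an actual hang). With the flush performed first, cleanup completes. All names (struct netns, frag_queue_flush, conntrack_cleanup, netns_exit, simulate) are invented for this model.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not kernel code: how a defrag queue can pin conntrack references. */

#define MAX_FRAGS 8

struct frag_queue {
    int nfrags;              /* fragments parked in the defrag queue */
};

struct netns {
    int ct_refcount;         /* outstanding references on this netns' conntrack table */
    struct frag_queue fq;
};

/* A fragment arrives and is parked in the defrag queue; it pins one conntrack reference. */
void queue_fragment(struct netns *ns)
{
    if (ns->fq.nfrags < MAX_FRAGS) {
        ns->fq.nfrags++;
        ns->ct_refcount++;
    }
}

/* Flush the defrag queue: free every queued fragment and drop its reference. */
void frag_queue_flush(struct netns *ns)
{
    while (ns->fq.nfrags > 0) {
        ns->fq.nfrags--;
        ns->ct_refcount--;
    }
}

/* Conntrack cleanup waits for the reference count to hit zero. The wait is
 * bounded here so a stuck cleanup returns -1 instead of hanging the caller.
 * Once the namespace is exiting, nothing else drops fragment-held references. */
int conntrack_cleanup(struct netns *ns, int max_iterations)
{
    int i;
    for (i = 0; i < max_iterations; i++) {
        if (ns->ct_refcount == 0)
            return 0;            /* all references gone, cleanup done */
    }
    return -1;                   /* still pinned: the modelled deadlock */
}

/* Namespace exit. The fix described above corresponds to flush_frags_first == 1. */
int netns_exit(struct netns *ns, int flush_frags_first)
{
    if (flush_frags_first)
        frag_queue_flush(ns);
    return conntrack_cleanup(ns, 1000);
}

/* Constructed scenario: two fragments left in the queue when the netns exits.
 * Returns 0 if cleanup completes, -1 if it gets stuck. */
int simulate(int flush_first)
{
    struct netns ns;
    memset(&ns, 0, sizeof ns);
    queue_fragment(&ns);
    queue_fragment(&ns);
    return netns_exit(&ns, flush_first);
}

int main(void)
{
    printf("without flush: %d\n", simulate(0));   /* -1: cleanup stuck */
    printf("with flush:    %d\n", simulate(1));   /*  0: cleanup completes */
    return 0;
}
```

The model deliberately omits locking and timers; its only point is the ordering invariant the fix restores: anything that can hold a reference on the conntrack table must be torn down before the cleanup loop starts waiting for the count to drop.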

Added: Jan 13, 2026, 6:42 PM
Updated: Jan 13, 2026, 6:42 PM

Vulnerability Rating

Custom Algorithm

category         score
spread           9.0
impact           2.5
exploitability   5.7
remediation      7.7
relevance        2.0
threat           4.8
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.