Linux Kernel PREEMPT_RT Race Condition Vulnerability in IPv6 Route Management

A vulnerability has been identified in the Linux kernel's handling of IPv6 per-CPU routing entries on PREEMPT_RT kernels. The issue arises in the function rt6_get_pcpu_route(), which can return NULL. This return value can be preempted, allowing another task on the same CPU to install a per-CPU routing entry. When the first task resumes, its attempt to update the routing entry fails, triggering a bug condition. This vulnerability can be reproduced by introducing a delay after the rt6_get_pcpu_route() call. The problem does not occur on non-PREEMPT_RT kernels, where such race conditions should not exist.

Impact

Exploitation of this vulnerability leads to a race condition, causing a BUG_ON assertion failure in the IPv6 routing management code.

Reproduction

To reproduce this vulnerability, add a delay after the rt6_get_pcpu_route() function call in the IPv6 routing management code. This delay allows another task to preempt the current task and modify the per-CPU routing entries, creating a race condition when the original task resumes execution.

Remediation

The vulnerability has been addressed by modifying the routing entry management to handle failures gracefully on PREEMPT_RT kernels. Users should upgrade to the latest patched version of the Linux kernel.