Description
In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack.
Product status
d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db (git) before c70df25214ac9b32b53e18e6ae3b8f073ffa6903
d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db (git) before 006a5035b495dec008805df249f92c22c89c3d2e
5.3
Any version before 5.3
6.18.3 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903
git.kernel.org/...c/006a5035b495dec008805df249f92c22c89c3d2e