Bug 2429028 (CVE-2025-71080)

Summary: CVE-2025-71080 kernel: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A race condition vulnerability was found in the Linux kernel's IPv6 routing subsystem on PREEMPT_RT kernels. When rt6_get_pcpu_route() returns NULL and the task is preempted, another task can install a per-CPU route entry. When the original task resumes and attempts cmpxchg() in rt6_make_pcpu_route(), the operation fails because the pointer is no longer NULL, triggering a BUG_ON crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-13 16:01:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT

On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
current task can be preempted. Another task running on the same CPU
may then execute rt6_make_pcpu_route() and successfully install a
pcpu_rt entry. When the first task resumes execution, its cmpxchg()
in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
mdelay() after rt6_get_pcpu_route().

Using preempt_disable/enable is not appropriate here because
ip6_rt_pcpu_alloc() may sleep.

Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
free our allocation and return the existing pcpu_rt installed by
another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
kernels where such races should not occur.
Comment 1 Jon Moroney 2026-01-15 04:40:33 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011338-CVE-2025-71080-f9ae@gregkh/T