From: Paolo Abeni Date: Wed, 8 Jul 2026 12:41:04 +0000 (+0200) Subject: Merge branch 'ipv4-ipv6-fix-uaf-and-memory-leak-in-igmp-mld' X-Git-Tag: v7.2-rc3~29^2~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d27e29a90bc6a717b97c6ddcd866db7bd8e4adc;p=thirdparty%2Fkernel%2Flinux.git Merge branch 'ipv4-ipv6-fix-uaf-and-memory-leak-in-igmp-mld' Eric Dumazet says: ==================== ipv4/ipv6: Fix UAF and memory leak in IGMP/MLD This series addresses two potential UAF vulnerabilities and memory leaks in the IPv4 IGMP and IPv6 MLD subsystems. The first two patches fix a UAF where the packet receive path races with device teardown. If the device refcount has already hit 0 (but the memory is still held by RCU), incoming IGMP/MLD packets trying to schedule delayed work or timers would call refcount_inc() on the 0 refcount, triggering a warning and eventually leading to a UAF when the work runs after the device has been freed. This is fixed by introducing safe hold helpers using refcount_inc_not_zero(). In MLD, we also ensure we only enqueue the skb if we successfully acquired the device reference, to avoid leaking skbs when the device is being destroyed. The third patch fixes memory leaks in IPv4 IGMP when timers are deleted or stopped. When a timer is deleted (in igmp_mod_timer) or stopped (in igmp_stop_timer) and not re-armed, the code dropped the group refcount using refcount_dec(). However, if the group was concurrently removed from the list, this decrement could drop the refcount to 0 without triggering the cleanup/free path, leaking the group structure. This is fixed by using ip_ma_put() instead, and deferring the put until after the lock is released. ==================== Link: https://patch.msgid.link/20260705181756.963063-1-edumazet@google.com Signed-off-by: Paolo Abeni --- 6d27e29a90bc6a717b97c6ddcd866db7bd8e4adc