git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Kuniyuki Iwashima <kuniyu@google.com>
	Thu, 4 Jun 2026 22:46:26 +0000 (22:46 +0000)
committer	Jakub Kicinski <kuba@kernel.org>
	Tue, 9 Jun 2026 00:06:23 +0000 (17:06 -0700)
commit	2c309a863dd6e609b10caa55a362dc48d2e04564
tree	5f2d1b6986fcd730b0041a590c398398f68f5f24	tree \| snapshot
parent	a543cb49e603f88917e3258bbcb59a60d9c3c2fa	commit \| diff

ip6mr: Free mr_table after RCU grace period.

Since default_device_exit_batch() is called after ->exit_rtnl(),
idev->mc_ifc_work could finally call mroute6_is_socket() under RCU
while ->exit_rtnl() is running. [0]

With CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=n, ip6mr_fib_lookup() does
not check if net->ipv6.mrt6 is NULL. If ip6mr_net_exit_batch()
set net->ipv6.mrt6 to NULL and freed it, the mrt->mroute_sk access
could result in null-ptr-deref or use-after-free.

Let's prepare for that situation by applying RCU rule to ip6mr
table similarly.

!check_net(net) is added in ip6mr_cache_unresolved() and
mroute_clean_tables() to synchronise the two by mfc_unres_lock
so that ip6mr_cache_unresolved() will not queue skb after
mroute_clean_tables() purged &mrt->mfc_unres_queue.

rcu_read_lock() in reg_vif_xmit() is moved up to cover
ip6mr_fib_lookup() as with ipmr.

Link: https://lore.kernel.org/netdev/20260407184202.34cfe2d6@kernel.org/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260604224712.3209821-9-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>