]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
ipv6: mcast: Fix potential UAF in MLD delayed work
authorEric Dumazet <edumazet@google.com>
Sun, 5 Jul 2026 18:17:55 +0000 (18:17 +0000)
committerPaolo Abeni <pabeni@redhat.com>
Wed, 8 Jul 2026 12:41:01 +0000 (14:41 +0200)
commit9b26518b6896a16b809b1e42986f4ebac7bccc1e
treefa4c8586487e9d668c7e58bc960a0b0edf063a5d
parent7b19c0f81ed1fdaec6bc522569be367199a9edf3
ipv6: mcast: Fix potential UAF in MLD delayed work

A race condition exists between device teardown and incoming MLD query
processing, leading to a Use-After-Free in the MLD delayed work.

During device destruction, the primary reference to inet6_dev is dropped,
which can drop its refcount to 0. The actual freeing of inet6_dev memory
is deferred via RCU.

Concurrently, the packet receive path runs under RCU read lock and obtains
the inet6_dev pointer. Because the memory is RCU-protected, CPU-0 can
safely dereference inet6_dev even if its refcount has hit 0.

However, if CPU-0 calls igmp6_event_query() and schedules delayed work, it
attempts to acquire a reference using in6_dev_hold(). This increments the
refcount from 0 to 1, triggering a "refcount_t: addition on 0" warning.
Since the inet6_dev memory is still scheduled to be freed after the RCU
grace period, the device is freed while the work is still scheduled.
When the work runs, it accesses the freed memory, causing a kernel panic.

Fix this by using refcount_inc_not_zero() (via a new helper
in6_dev_hold_safe()) to prevent acquiring a reference if the device is
already being destroyed. If the refcount is 0, we do not schedule the work.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260705181756.963063-3-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
include/net/addrconf.h
net/ipv6/mcast.c