git.ipfire.org Git - thirdparty/linux.git/commit

author	Jiayuan Chen <jiayuan.chen@linux.dev>
	Wed, 27 May 2026 05:31:31 +0000 (13:31 +0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Fri, 29 May 2026 19:41:00 +0000 (12:41 -0700)
commit	9c7da87c2dc860bb17ca1ece942495d28b1ce3b9
tree	d7fd1bb4dd324a79e403e40f5aff59fd1cd252ea	tree \| snapshot
parent	9f72412bcf60144f252b0d6205106abf14344abc	commit \| diff

ipv6: fix possible infinite loop in fib6_select_path()

Found while auditing the same pattern Sashiko reported in
rt6_fill_node() [1]. Apply the same fix as
commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&first->fib6_siblings)
without waiting for RCU readers; first->fib6_siblings.next then
still points into the old ring and this softirq-side walker never
reaches &first->fib6_siblings as its terminator. fib6_purge_rt()
always WRITE_ONCE()s first->fib6_nsiblings to 0 before
list_del_rcu(), so an inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>