From: Jakub Kicinski <kuba@kernel.org>
To: David Ahern <dsahern@kernel.org>
Cc: davem@davemloft.net, netdev@vger.kernel.org, edumazet@google.com,
	pabeni@redhat.com, andrew+netdev@lunn.ch, horms@kernel.org
Subject: Re: [PATCH net] ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
Date: Mon, 2 Mar 2026 06:43:18 -0800
Message-ID: <20260302064318.6d55533d@kernel.org>
In-Reply-To: <859d39ff-cb1e-4f3f-b154-d8bf2c7997c9@kernel.org>

On Sun, 1 Mar 2026 18:38:53 -0700 David Ahern wrote:
> > @@ -1063,7 +1063,8 @@ static struct net_device *ip6_rt_get_dev_rcu(const struct fib6_result *res)
> > */
> > if (netif_is_l3_slave(dev) &&
> > !rt6_need_strict(&res->f6i->fib6_dst.addr))
> > - dev = l3mdev_master_dev_rcu(dev);
> > + dev = l3mdev_master_dev_rcu(dev) ? :
> > + dev_net(dev)->loopback_dev;
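Review bot: The fallback on the two added lines is not explained anywhere in the hunk: the condition has just tested netif_is_l3_slave(dev), so a reader has no way to tell why l3mdev_master_dev_rcu(dev) may still return NULL. Extend the block comment that ends just above the `if` to say when the lookup can come back empty and why dev_net(dev)->loopback_dev is the right substitute, and consider keeping the lookup result in a local with an explicit NULL test instead of the GNU `? :` shorthand so the fallback stands out.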
>
> how can the flag on the netdev say there is L3 master, yet the device
> not be there within an rcu window?

1) We call netif_is_l3_slave() twice, once here and then again in
   l3mdev_master_dev_rcu(), the flag may get cleared in between the two.

2)

static int do_vrf_del_slave(struct net_device *dev, struct net_device *port_dev)
{
	netdev_upper_dev_unlink(port_dev, dev);
	// No sync RCU here, also I'd say the order is inverted?
	port_dev->priv_flags &= ~IFF_L3MDEV_SLAVE;
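
A single-threaded userspace model of point 1) above, added here as an illustration and not taken from the patch or the kernel. The struct, the function names and the race_window hook are hypothetical stand-ins; the hook places the writer from the quoted excerpt between the caller's flag check and the lookup's own re-check.

```c
#include <stddef.h>

#define L3_SLAVE 0x1u                /* stands in for IFF_L3MDEV_SLAVE */

struct mdev {                        /* hypothetical model of a net_device */
	unsigned int flags;
	struct mdev *master, *loopback;
};

static void (*race_window)(struct mdev *); /* runs between check and lookup */

static int is_l3_slave(const struct mdev *d) { return d->flags & L3_SLAVE; }

/* Re-checks the flag itself, so it can return NULL after the caller's check. */
static struct mdev *master_dev(struct mdev *d)
{
	return is_l3_slave(d) ? d->master : NULL;
}

/* Writer in the order of the quoted excerpt: unlink first, then clear flag. */
static void del_slave(struct mdev *port)
{
	port->master = NULL;
	port->flags &= ~L3_SLAVE;
}

/* patched == 0: the lookup result is used as is; patched == 1: a NULL result
 * falls back to the loopback device, as in the hunk under discussion. */
static struct mdev *get_dev(struct mdev *d, int patched)
{
	struct mdev *m;

	if (!is_l3_slave(d))
		return d;
	if (race_window)
		race_window(d);          /* concurrent writer lands here */
	m = master_dev(d);
	return (m || !patched) ? m : d->loopback;
}

/* Build a fresh port enslaved to a VRF, optionally race, and look it up. */
static struct mdev lo, vrf, port;
static struct mdev *lookup(int patched, int racing)
{
	port = (struct mdev){ L3_SLAVE, &vrf, &lo };
	race_window = racing ? del_slave : NULL;
	return get_dev(&port, patched);
}
```

With the writer in the window, lookup(0, 1) hands the caller NULL, while lookup(1, 1) returns the loopback device.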