From: Ido Schimmel <idosch@nvidia.com>
To: Yuyang Huang <sigefriedhyy@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	David Ahern <dsahern@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH net-next 2/2] ipv6: mcast: annotate igmp6 timer expiry race
Date: Tue, 9 Jun 2026 10:44:47 +0300
Message-ID: <20260609074447.GA663407@shredder>
In-Reply-To: <20260605145759.59639-3-sigefriedhyy@gmail.com>

On Fri, Jun 05, 2026 at 11:57:59PM +0900, Yuyang Huang wrote:
> /proc/net/igmp6 walks IPv6 multicast memberships under RCU and reads
> mca_work.timer.expires to print the remaining multicast timer. The
> delayed-work timer can be updated concurrently.
> 
> Annotate the intentional lockless procfs snapshot with READ_ONCE().
> 
> Signed-off-by: Yuyang Huang <sigefriedhyy@gmail.com>
> ---
>  net/ipv6/mcast.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
> index bd3972730aa0..184e57469086 100644
> --- a/net/ipv6/mcast.c
> +++ b/net/ipv6/mcast.c
> @@ -2983,6 +2983,7 @@ static int igmp6_mc_seq_show(struct seq_file *seq, void *v)
>  {
>  	struct ifmcaddr6 *im = (struct ifmcaddr6 *)v;
>  	struct igmp6_mc_iter_state *state = igmp6_mc_seq_private(seq);
> +	unsigned long expires = READ_ONCE(im->mca_work.timer.expires);
>  	unsigned int mca_flags = READ_ONCE(im->mca_flags);

The comment from Sashiko about inverting the order looks valid. In the write
path, the MAF_TIMER_RUNNING flag is always set after modifying the timer:

"
Does unconditionally hoisting the read of timer.expires before mca_flags
create a time-of-check to time-of-use race?

If a newly allocated multicast group has expires initialized to 0, this
sequence could happen in igmp6_mc_seq_show():

CPU1 reads expires as 0:
    expires = READ_ONCE(im->mca_work.timer.expires);

CPU2 concurrently arms the timer and sets the flag:
    mod_delayed_work(...)
    im->mca_flags |= MAF_TIMER_RUNNING;

CPU1 then reads mca_flags:
    mca_flags = READ_ONCE(im->mca_flags);

Because the MAF_TIMER_RUNNING flag is now set, CPU1 evaluates the timer
output as (expires - jiffies), which is (0 - jiffies). Does this
underflow and cause /proc/net/igmp6 to print a massive garbage timer value?
"

>  
>  	seq_printf(seq,
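
Review bot: the new READ_ONCE(im->mca_work.timer.expires) sits above the READ_ONCE(im->mca_flags) load, so the expiry is sampled before the flag that says whether it is meaningful. Load mca_flags first and read expires only when MAF_TIMER_RUNNING is set. READ_ONCE() alone does not order the two loads against each other on weakly ordered CPUs, so either add a barrier pair with the write side or state in the commit message that the printed value is a best-effort snapshot.
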
> @@ -2991,7 +2992,7 @@ static int igmp6_mc_seq_show(struct seq_file *seq, void *v)
>  		   &im->mca_addr,
>  		   READ_ONCE(im->mca_users), mca_flags,
>  		   (mca_flags & MAF_TIMER_RUNNING) ?
> -		   jiffies_to_clock_t(im->mca_work.timer.expires - jiffies) : 0);
> +		   jiffies_to_clock_t(expires - jiffies) : 0);
>  	return 0;
>  }
>  
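
Review bot: expires - jiffies in the last seq_printf() argument is an unsigned long subtraction with no check that the sampled expiry is still ahead of jiffies, so a stale or already-passed snapshot wraps to a very large value. Clamp it before the conversion, for example time_after(expires, jiffies) ? expires - jiffies : 0, and pass that result to jiffies_to_clock_t().
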
> -- 
> 2.43.0
> 
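
The interleaving quoted in the review above, replayed deterministically in user space as an added example (not kernel code and not part of the original message). The struct, the function names, the flag value and the jiffies values are constructed for illustration; only MAF_TIMER_RUNNING and the field roles come from the thread.

```c
#include <stdio.h>

#define MAF_TIMER_RUNNING 0x01u   /* flag name from the thread; value constructed */

/* Simplified stand-in for the two ifmcaddr6 fields the thread discusses. */
struct mc_entry {
	unsigned long expires;   /* models mca_work.timer.expires */
	unsigned int flags;      /* models mca_flags */
};

/* Writer in the order the review describes: arm the timer, then set the flag. */
static void arm_timer(struct mc_entry *e, unsigned long now, unsigned long delay)
{
	e->expires = now + delay;
	e->flags |= MAF_TIMER_RUNNING;
}

/*
 * Replays one reader pass with the writer forced to run between the two loads.
 * expires_first != 0 models the patch as posted; 0 models the inverted order.
 * Returns the "remaining jiffies" value the reader would print.
 */
static unsigned long replay(int expires_first, unsigned long now, unsigned long delay)
{
	struct mc_entry e = { 0, 0 };   /* new entry: expires 0, timer not running */
	unsigned long expires;
	unsigned int flags;

	if (expires_first) {
		expires = e.expires;          /* stale 0 */
		arm_timer(&e, now, delay);    /* concurrent writer */
		flags = e.flags;              /* now sees MAF_TIMER_RUNNING */
	} else {
		flags = e.flags;              /* sees timer not running */
		arm_timer(&e, now, delay);    /* concurrent writer */
		expires = (flags & MAF_TIMER_RUNNING) ? e.expires : 0;
	}
	return (flags & MAF_TIMER_RUNNING) ? expires - now : 0;
}

int main(void)
{
	unsigned long now = 100000, delay = 250;   /* constructed values */

	printf("expires read first: %lu\n", replay(1, now, delay));
	printf("flags read first:   %lu\n", replay(0, now, delay));
	return 0;
}
```
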

Thread overview: 6+ messages
2026-06-05 14:57 [PATCH net-next 0/2] ipv6: mcast: annotate data races in /proc/net/igmp6 Yuyang Huang
2026-06-05 14:57 ` [PATCH net-next 1/2] ipv6: mcast: annotate data-races around mca_flags Yuyang Huang
2026-06-09  7:45   ` Ido Schimmel
2026-06-05 14:57 ` [PATCH net-next 2/2] ipv6: mcast: annotate igmp6 timer expiry race Yuyang Huang
2026-06-09  7:44   ` Ido Schimmel [this message]
2026-06-09  8:03     ` Yuyang Huang