* [PATCH v1 net 0/2] ipmr/ip6mr: Fix mr_mfc.unres.unresolved corruption.
From: Kuniyuki Iwashima @ 2026-02-22 19:50 UTC (permalink / raw)
To: David S . Miller, David Ahern, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kuniyuki Iwashima, netdev
ipmr_cache_resolve() / ip6mr_cache_resolve() dequeue
skb from mr_mfc.unres.unresolved with no protection.
Patches 1 / 2 replace __skb_dequeue() with skb_dequeue()
in ipmr_cache_resolve() / ip6mr_cache_resolve().
Kuniyuki Iwashima (2):
ipmr: Fix mr_mfc.unres.unresolved corruption in ipmr_cache_resolve().
ip6mr: Fix mr_mfc.unres.unresolved corruption in ip6mr_cache_resolve().
net/ipv4/ipmr.c | 2 +-
net/ipv6/ip6mr.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.53.0.371.g1d285c8824-goog
* [PATCH v1 net 1/2] ipmr: Fix mr_mfc.unres.unresolved corruption in ipmr_cache_resolve().
From: Kuniyuki Iwashima @ 2026-02-22 19:50 UTC (permalink / raw)
To: David S . Miller, David Ahern, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kuniyuki Iwashima, netdev
mr_mfc.unres.unresolved is filled by skb_queue_tail() under
spin_lock_bh(&mfc_unres_lock) in ipmr_cache_unresolved().
ipmr_cache_resolve() is called from ipmr_mfc_add() after
releasing the spinlock, so nothing protects the queue.
Let's use skb_dequeue() instead.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
net/ipv4/ipmr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 131382c388e9..62fe54cf7705 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1002,7 +1002,7 @@ static void ipmr_cache_resolve(struct net *net, struct mr_table *mrt,
struct nlmsgerr *e;
/* Play the pending entries through our router */
- while ((skb = __skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
+ while ((skb = skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
if (ip_hdr(skb)->version == 0) {
struct nlmsghdr *nlh = skb_pull(skb,
sizeof(struct iphdr));
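Review bot: the switch from __skb_dequeue() to skb_dequeue() on the `while ((skb = skb_dequeue(&uc->_c.mfc_un.unres.unresolved)))` line is not justified by the commit message, which asserts that "nothing protects the queue" without showing a path by which skb_queue_tail() can still reach uc at this point. ipmr_cache_resolve() is only reached from ipmr_mfc_add() after uc has been taken off mrt->mfc_unres_queue under mfc_unres_lock (the review reply later in this thread makes the same point, and the author concedes the missed list_del()), so ipmr_cache_unresolved() can no longer find uc and append to uc->_c.mfc_un.unres.unresolved; the unlocked __skb_dequeue() is then correct, and skb_dequeue() only adds a lock/unlock round-trip per pending packet on a queue no other context can touch. Either the commit message should name a concrete path that reaches uc after it has been unlinked, or this hunk should be dropped.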
--
2.53.0.371.g1d285c8824-goog
* [PATCH v1 net 2/2] ip6mr: Fix mr_mfc.unres.unresolved corruption in ip6mr_cache_resolve().
From: Kuniyuki Iwashima @ 2026-02-22 19:50 UTC (permalink / raw)
To: David S . Miller, David Ahern, Eric Dumazet, Jakub Kicinski,
Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kuniyuki Iwashima, netdev
mr_mfc.unres.unresolved is filled by skb_queue_tail() under
spin_lock_bh(&mfc_unres_lock) in ip6mr_cache_unresolved().
ip6mr_cache_resolve() is called from ip6mr_mfc_add() after
releasing the spinlock, so nothing protects the queue.
Let's use skb_dequeue() instead.
Fixes: 7bc570c8b4f7 ("[IPV6] MROUTE: Support multicast forwarding.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
net/ipv6/ip6mr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index e047a4680ab0..97c406e58b39 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1031,7 +1031,7 @@ static void ip6mr_cache_resolve(struct net *net, struct mr_table *mrt,
* Play the pending entries through our router
*/
- while ((skb = __skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
+ while ((skb = skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
if (ipv6_hdr(skb)->version == 0) {
struct nlmsghdr *nlh = skb_pull(skb,
sizeof(struct ipv6hdr));
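Review bot: the same question raised against the ipmr half of this series applies to the `while ((skb = skb_dequeue(&uc->_c.mfc_un.unres.unresolved)))` line here: the commit message says ip6mr_cache_resolve() is called from ip6mr_mfc_add() after mfc_unres_lock is released, but it does not show that uc is still reachable by ip6mr_cache_unresolved() at that point. If ip6mr_mfc_add() unlinks uc from mrt->mfc_unres_queue while holding mfc_unres_lock before calling ip6mr_cache_resolve(), no other context can skb_queue_tail() onto uc's queue any more, the existing __skb_dequeue() is safe, and the locked variant adds per-packet locking without fixing a race. The commit message should either describe the concrete concurrent path or the patch should be withdrawn together with 1/2.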
--
2.53.0.371.g1d285c8824-goog
* Re: [PATCH v1 net 1/2] ipmr: Fix mr_mfc.unres.unresolved corruption in ipmr_cache_resolve().
From: Eric Dumazet @ 2026-02-23 10:15 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: David S . Miller, David Ahern, Jakub Kicinski, Paolo Abeni,
Simon Horman, Kuniyuki Iwashima, netdev
On Sun, Feb 22, 2026 at 8:50 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
>
> mr_mfc.unres.unresolved is filled by skb_queue_tail() under
> spin_lock_bh(&mfc_unres_lock) in ipmr_cache_unresolved().
>
> ipmr_cache_resolve() is called from ipmr_mfc_add() after
> releasing the spinlock, so nothing protects the queue.
>
> Let's use skb_dequeue() instead.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
> net/ipv4/ipmr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
> index 131382c388e9..62fe54cf7705 100644
> --- a/net/ipv4/ipmr.c
> +++ b/net/ipv4/ipmr.c
> @@ -1002,7 +1002,7 @@ static void ipmr_cache_resolve(struct net *net, struct mr_table *mrt,
> struct nlmsgerr *e;
>
> /* Play the pending entries through our router */
> - while ((skb = __skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
> + while ((skb = skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
> if (ip_hdr(skb)->version == 0) {
> struct nlmsghdr *nlh = skb_pull(skb,
> sizeof(struct iphdr));
> --
> 2.53.0.371.g1d285c8824-goog
Are you sure this is needed?
ipmr_mfc_add()
..
if (found) {
ipmr_cache_resolve(net, mrt, uc, c);
ipmr_cache_resolve(net, mrt, uc, c); // This would still be racy
}
My understanding of this code is that ipmr_mfc_add() removed uc from
&mrt->mfc_unres_queue under the mfc_unres_lock spinlock protection.
* Re: [PATCH v1 net 1/2] ipmr: Fix mr_mfc.unres.unresolved corruption in ipmr_cache_resolve().
From: Kuniyuki Iwashima @ 2026-02-23 18:35 UTC (permalink / raw)
To: Eric Dumazet
Cc: David S . Miller, David Ahern, Jakub Kicinski, Paolo Abeni,
Simon Horman, Kuniyuki Iwashima, netdev
On Mon, Feb 23, 2026 at 2:15 AM Eric Dumazet <edumazet@google.com> wrote:
>
> On Sun, Feb 22, 2026 at 8:50 PM Kuniyuki Iwashima <kuniyu@google.com> wrote:
> >
> > mr_mfc.unres.unresolved is filled by skb_queue_tail() under
> > spin_lock_bh(&mfc_unres_lock) in ipmr_cache_unresolved().
> >
> > ipmr_cache_resolve() is called from ipmr_mfc_add() after
> > releasing the spinlock, so nothing protects the queue.
> >
> > Let's use skb_dequeue() instead.
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> > ---
> > net/ipv4/ipmr.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
> > index 131382c388e9..62fe54cf7705 100644
> > --- a/net/ipv4/ipmr.c
> > +++ b/net/ipv4/ipmr.c
> > @@ -1002,7 +1002,7 @@ static void ipmr_cache_resolve(struct net *net, struct mr_table *mrt,
> > struct nlmsgerr *e;
> >
> > /* Play the pending entries through our router */
> > - while ((skb = __skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
> > + while ((skb = skb_dequeue(&uc->_c.mfc_un.unres.unresolved))) {
> > if (ip_hdr(skb)->version == 0) {
> > struct nlmsghdr *nlh = skb_pull(skb,
> > sizeof(struct iphdr));
> > --
> > 2.53.0.371.g1d285c8824-goog
>
> Are you sure this is needed ?
>
> ipmr_mfc_add()
> ..
> if (found) {
> ipmr_cache_resolve(net, mrt, uc, c);
> ipmr_cache_resolve(net, mrt, uc, c); // This would still be racy
> }
>
> My understanding of this code is that ipmr_mfc_add() removed uc from
> &mrt->mfc_unres_queue
> under the mfc_unres_lock spinlock protection.
Ah, you are right; maybe I missed the list_del() somehow.
Thank you!