From: Kuniyuki Iwashima <kuniyu@google.com>
To: idosch@nvidia.com
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
horms@kernel.org, jedrzej.jagielski@intel.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, xiyou.wangcong@gmail.com,
yuyanghuang@google.com
Subject: Re: [PATCH net-next v2] ipv4: igmp: remove multicast group from hash table on device destruction
Date: Tue, 30 Jun 2026 21:13:11 +0000 [thread overview]
Message-ID: <20260630211527.3365952-1-kuniyu@google.com> (raw)
In-Reply-To: <20260630165934.GA1227354@shredder>
From: Ido Schimmel <idosch@nvidia.com>
Date: Tue, 30 Jun 2026 19:59:34 +0300
> On Tue, Jun 30, 2026 at 04:55:22PM +0900, Yuyang Huang wrote:
> > > Hi,
> > >
> > > why sending this to net-next not to net if that's a bug fix?
> > >
> > > In the v1 thread it was said
> > > >This is a long-standing bug, not a recent regression.
> > >
> > > so why do not cc stable kernel to get rid of this bug from
> > > stable kernels in such case?
> >
> > Thanks for the advise, will send this patch to stable kernel.
>
> Please target v3 at net and add a trace given you're claiming for a
> use-after-free. That way we know that the problem is real and not a
> false-positive from some tool. You can reproduce it by adding enough
> delay in inetdev_destroy():
I guess delay was added between ip_mc_destroy_dev() and
RCU_INIT_POINTER(dev->ip_ptr, NULL) ?
I feel like we should clear it first and destroy everything
as done in IPv6 addrconf_ifdown().
>
> BUG: KASAN: slab-use-after-free in ip_check_mc_rcu+0x2cc/0x500
> Read of size 4 at addr ffff88810c571208 by task mausezahn/419
>
> CPU: 2 UID: 0 PID: 419 Comm: mausezahn Not tainted 7.1.0-virtme-g15d4a7c23bf6 #17 PREEMPT(lazy)
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> Call Trace:
> <IRQ>
> dump_stack_lvl+0x4d/0x70
> print_report+0x153/0x4c2
> kasan_report+0xda/0x110
> ip_check_mc_rcu+0x2cc/0x500
> ip_route_input_rcu.part.0+0x13d/0xbc0
> ip_route_input_noref+0xb6/0x110
> ip_rcv_finish_core+0x41b/0x1d90
> ip_rcv_finish+0xea/0x1b0
> ip_rcv+0xb7/0x1b0
> __netif_receive_skb_one_core+0xfc/0x180
> process_backlog+0x1ea/0x5e0
> __napi_poll+0x97/0x480
> net_rx_action+0x97c/0xfa0
> handle_softirqs+0x18c/0x4f0
> do_softirq+0x42/0x60
> </IRQ>
>
prev parent reply other threads:[~2026-06-30 21:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 2:23 [PATCH net-next v2] ipv4: igmp: remove multicast group from hash table on device destruction Yuyang Huang
2026-06-30 7:46 ` Jagielski, Jedrzej
2026-06-30 7:55 ` Yuyang Huang
2026-06-30 16:59 ` Ido Schimmel
2026-06-30 21:13 ` Kuniyuki Iwashima [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630211527.3365952-1-kuniyu@google.com \
--to=kuniyu@google.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=idosch@nvidia.com \
--cc=jedrzej.jagielski@intel.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=xiyou.wangcong@gmail.com \
--cc=yuyanghuang@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox