Netdev List
 help / color / mirror / Atom feed
From: Kuniyuki Iwashima <kuniyu@google.com>
To: idosch@nvidia.com
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
	 horms@kernel.org, jedrzej.jagielski@intel.com, kuba@kernel.org,
	 linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com,  xiyou.wangcong@gmail.com,
	yuyanghuang@google.com
Subject: Re: [PATCH net-next v2] ipv4: igmp: remove multicast group from hash table on device destruction
Date: Tue, 30 Jun 2026 21:13:11 +0000	[thread overview]
Message-ID: <20260630211527.3365952-1-kuniyu@google.com> (raw)
In-Reply-To: <20260630165934.GA1227354@shredder>

From: Ido Schimmel <idosch@nvidia.com>
Date: Tue, 30 Jun 2026 19:59:34 +0300
> On Tue, Jun 30, 2026 at 04:55:22PM +0900, Yuyang Huang wrote:
> > > Hi,
> > >
> > > why sending this to net-next not to net if that's a bug fix?
> > >
> > > In the v1 thread it was said
> > > >This is a long-standing bug, not a recent regression.
> > >
> > > so why do not cc stable kernel to get rid of this bug from
> > > stable kernels in such case?
> > 
> > Thanks for the advise, will send this patch to stable kernel.
> 
> Please target v3 at net and add a trace given you're claiming for a
> use-after-free. That way we know that the problem is real and not a
> false-positive from some tool. You can reproduce it by adding enough
> delay in inetdev_destroy():

I guess delay was added between ip_mc_destroy_dev() and
RCU_INIT_POINTER(dev->ip_ptr, NULL) ?

I feel like we should clear it first and destroy everything
as done in IPv6 addrconf_ifdown().


> 
> BUG: KASAN: slab-use-after-free in ip_check_mc_rcu+0x2cc/0x500
> Read of size 4 at addr ffff88810c571208 by task mausezahn/419
> 
> CPU: 2 UID: 0 PID: 419 Comm: mausezahn Not tainted 7.1.0-virtme-g15d4a7c23bf6 #17 PREEMPT(lazy)
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> Call Trace:
>  <IRQ>
>  dump_stack_lvl+0x4d/0x70
>  print_report+0x153/0x4c2
>  kasan_report+0xda/0x110
>  ip_check_mc_rcu+0x2cc/0x500
>  ip_route_input_rcu.part.0+0x13d/0xbc0
>  ip_route_input_noref+0xb6/0x110
>  ip_rcv_finish_core+0x41b/0x1d90
>  ip_rcv_finish+0xea/0x1b0
>  ip_rcv+0xb7/0x1b0
>  __netif_receive_skb_one_core+0xfc/0x180
>  process_backlog+0x1ea/0x5e0
>  __napi_poll+0x97/0x480
>  net_rx_action+0x97c/0xfa0
>  handle_softirqs+0x18c/0x4f0
>  do_softirq+0x42/0x60
>  </IRQ>
> 

      reply	other threads:[~2026-06-30 21:15 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30  2:23 [PATCH net-next v2] ipv4: igmp: remove multicast group from hash table on device destruction Yuyang Huang
2026-06-30  7:46 ` Jagielski, Jedrzej
2026-06-30  7:55   ` Yuyang Huang
2026-06-30 16:59     ` Ido Schimmel
2026-06-30 21:13       ` Kuniyuki Iwashima [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260630211527.3365952-1-kuniyu@google.com \
    --to=kuniyu@google.com \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=idosch@nvidia.com \
    --cc=jedrzej.jagielski@intel.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=xiyou.wangcong@gmail.com \
    --cc=yuyanghuang@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox