From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Ido Schimmel <idosch@nvidia.com>, netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com,
edumazet@google.com, horms@kernel.org, dsahern@kernel.org,
leo@depthfirst.com
Subject: Re: [PATCH net] ipv6: mcast: Fix use-after-free when processing MLD queries
Date: Wed, 3 Jun 2026 19:45:23 +0800
Message-ID: <e750f01e-e161-47ec-9527-8a7a0a999f45@linux.dev>
In-Reply-To: <20260603101811.612594-1-idosch@nvidia.com>
On 6/3/26 6:18 PM, Ido Schimmel wrote:
> When processing an MLD query, a pointer to the multicast group address
> is retrieved when initially parsing the packet. This pointer is later
> dereferenced without being reloaded despite the fact that the skb header
> might have been reallocated following the pskb_may_pull() calls, leading
> to a use-after-free [1].
>
> Fix by copying the multicast group address when the packet is initially
> parsed.
>
> [1]
> BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
> Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
>
> Workqueue: mld mld_query_work
> Call Trace:
> <TASK>
> dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
> print_address_description.constprop.0 (mm/kasan/report.c:378)
> print_report (mm/kasan/report.c:482)
> kasan_report (mm/kasan/report.c:595)
> __mld_query_work (net/ipv6/mcast.c:1512)
> mld_query_work (net/ipv6/mcast.c:1563)
> process_one_work (kernel/workqueue.c:3314)
> worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
> kthread (kernel/kthread.c:436)
> ret_from_fork (arch/x86/kernel/process.c:158)
> ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
> </TASK>
>
> [...]
>
> Freed by task 118:
> kasan_save_stack (mm/kasan/common.c:57)
> kasan_save_track (mm/kasan/common.c:78)
> kasan_save_free_info (mm/kasan/generic.c:584)
> __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
> kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
> pskb_expand_head (net/core/skbuff.c:2335)
> __pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
> __mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
> mld_query_work (net/ipv6/mcast.c:1563)
> process_one_work (kernel/workqueue.c:3314)
> worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
> kthread (kernel/kthread.c:436)
> ret_from_fork (arch/x86/kernel/process.c:158)
> ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
>
> Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
> Reported-by: Leo Lin <leo@depthfirst.com>
> Reviewed-by: David Ahern <dahern@nvidia.com>
> Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
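The hazard the quoted commit message describes, modelled in userspace C as an added illustration (this is constructed example code, not net/ipv6/mcast.c, struct sk_buff or the patch itself): a parser takes a pointer to the multicast group address inside the packet buffer, a later "may pull" call moves the packet to a fresh allocation and frees the old one, and the early pointer no longer addresses live packet memory. The toy_skb, toy_may_pull and the packet bytes are assumptions of the model; the 24-byte MLDv1 and 28-byte MLDv2 query lengths and the group-address offset follow RFC 2710 and RFC 3810. The buggy variant deliberately does not dereference the stale pointer; it only reports that the pointer fell outside the live allocation. The fixed variant copies the address first, as the commit message says the fix does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a socket buffer (constructed; not the kernel's struct sk_buff). */
struct toy_skb {
    uint8_t *head;   /* current allocation holding the packet bytes */
    size_t len;      /* total packet length */
    size_t linear;   /* bytes already guaranteed accessible */
};

#define MLD_QUERY_V1_LEN 24  /* RFC 2710 query: 8-byte header + 16-byte group */
#define MLD_GROUP_OFFSET  8  /* group follows type/code/cksum/max delay/reserved */
#define MLD_QUERY_V2_LEN 28  /* RFC 3810 adds resv/S/QRV, QQIC, number of sources */

struct toy_in6_addr { uint8_t s6_addr[16]; };

/* Model of pskb_may_pull(): growing the linear region always moves the packet
 * to a fresh allocation and frees the old one, mirroring what pskb_expand_head()
 * did in the KASAN report. Every earlier pointer into the packet is then stale. */
static bool toy_may_pull(struct toy_skb *skb, size_t need)
{
    if (need > skb->len)
        return false;
    if (need <= skb->linear)
        return true;
    uint8_t *fresh = malloc(skb->len);
    if (!fresh)
        return false;
    memcpy(fresh, skb->head, skb->len);
    free(skb->head);
    skb->head = fresh;
    skb->linear = need;
    return true;
}

/* Buggy pattern: take a pointer early, pull more bytes, keep the pointer.
 * Returns whether the pointer still lies inside the live allocation (it does
 * not); dereferencing it here would be the use-after-free. */
static bool stale_pointer_pattern(struct toy_skb *skb)
{
    const uint8_t *group = skb->head + MLD_GROUP_OFFSET;
    if (!toy_may_pull(skb, MLD_QUERY_V2_LEN))
        return false;
    uintptr_t g = (uintptr_t)group;
    uintptr_t lo = (uintptr_t)skb->head, hi = lo + skb->len;
    return g >= lo && g < hi;
}

/* Fixed pattern: copy the address while the initial header is valid and use
 * the copy after any later pull, whether or not the packet moved. */
static bool copy_then_pull_pattern(struct toy_skb *skb, struct toy_in6_addr *out)
{
    if (!toy_may_pull(skb, MLD_QUERY_V1_LEN))
        return false;
    memcpy(out->s6_addr, skb->head + MLD_GROUP_OFFSET, sizeof out->s6_addr);
    return toy_may_pull(skb, MLD_QUERY_V2_LEN);
}

/* Constructed MLDv2 query: type 130, group ff15::1234 (sample value), no sources. */
static struct toy_skb *make_query(void)
{
    static const uint8_t pkt[MLD_QUERY_V2_LEN] = {
        130, 0, 0x00, 0x00,      /* type, code, checksum (not computed here) */
        0x00, 0x00, 0x00, 0x00,  /* maximum response code, reserved */
        0xff, 0x15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x12, 0x34,
        0x00, 0x00, 0x00, 0x00,  /* resv/S/QRV, QQIC, number of sources = 0 */
    };
    struct toy_skb *skb = malloc(sizeof *skb);
    if (!skb)
        return NULL;
    skb->head = malloc(sizeof pkt);
    if (!skb->head) { free(skb); return NULL; }
    memcpy(skb->head, pkt, sizeof pkt);
    skb->len = sizeof pkt;
    skb->linear = MLD_QUERY_V1_LEN;  /* the v1-sized pull has already happened */
    return skb;
}

static void free_query(struct toy_skb *skb)
{
    if (skb) { free(skb->head); free(skb); }
}

int main(void)
{
    struct toy_skb *a = make_query();
    printf("early pointer still inside packet after pull: %s\n",
           stale_pointer_pattern(a) ? "yes" : "no");
    free_query(a);

    struct toy_skb *b = make_query();
    struct toy_in6_addr group;
    if (copy_then_pull_pattern(b, &group))
        printf("copied group: %02x%02x::%02x%02x\n", group.s6_addr[0],
               group.s6_addr[1], group.s6_addr[14], group.s6_addr[15]);
    free_query(b);
    return 0;
}
```

Reading a KASAN report like the one quoted, the "Freed by" stack (pskb_expand_head under __pskb_pull_tail) paired with a read in the same function a few lines later is the signature of exactly this pattern; the fix is to copy anything needed from the header before the pull, as the patch does, not to reload the pointer only at the sites that happen to crash.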
Thread overview: 3+ messages
2026-06-03 10:18 [PATCH net] ipv6: mcast: Fix use-after-free when processing MLD queries Ido Schimmel
2026-06-03 10:54 ` Eric Dumazet
2026-06-03 11:45 ` Jiayuan Chen [this message]