Re: [PATCH net v2] ipv6: fix data race in fib6_metric_set() using cmpxchg

[Jakub Kicinski]

On Fri, 27 Mar 2026 10:24:47 +0800 Hangbin Liu wrote:
> --- a/net/ipv6/ip6_fib.c
> +++ b/net/ipv6/ip6_fib.c
> @@ -730,17 +730,24 @@ void fib6_metric_set(struct fib6_info *f6i, int metric, u32 val)
>  	if (!f6i)
>  		return;
>  
> -	if (f6i->fib6_metrics == &dst_default_metrics) {
> +	if (READ_ONCE(f6i->fib6_metrics) == &dst_default_metrics) {
> +		struct dst_metrics *dflt = (struct dst_metrics *)&dst_default_metrics;

Why does this exist? To cast away the const?

>  		struct dst_metrics *p = kzalloc_obj(*p, GFP_ATOMIC);
>  
>  		if (!p)
>  			return;
>  
> +		p->metrics[metric - 1] = val;
>  		refcount_set(&p->refcnt, 1);
> -		f6i->fib6_metrics = p;
> +		if (cmpxchg(&f6i->fib6_metrics, dflt, p) != dflt)
> +			kfree(p);
> +		else
> +			return;
>  	}
>  
> -	f6i->fib6_metrics->metrics[metric - 1] = val;
> +	struct dst_metrics *m = READ_ONCE(f6i->fib6_metrics);

No variable declarations in the middle of a function please.

> +	WRITE_ONCE(m->metrics[metric - 1], val);
>  }