Re: [PATCH 1/1] net: ipv6: flowlabel: defer exclusive option free until RCU teardown

From: Eric Dumazet

Date: Tue Mar 31 2026 - 05:02:27 EST


On Mon, Mar 30, 2026 at 1:52 AM Ren Wei <n05ec@xxxxxxxxxx> wrote:
>
> From: Zhengchuan Liang <zcliangcn@xxxxxxxxx>
>
> `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file
> RCU read-side lock and prints `fl->opt->opt_nflen` when an option block
> is present.
>
> Exclusive flowlabels currently free `fl->opt` as soon as `fl->users`
> drops to zero in `fl_release()`. However, the surrounding
> `struct ip6_flowlabel` remains visible in the global hash table until
> later garbage collection removes it and `fl_free_rcu()` finally tears it
> down.
>
> A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that
> early `kfree()` and dereference freed option state, triggering a crash
> in `ip6fl_seq_show()`.
>
> Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches
> the lifetime already required for the enclosing flowlabel while readers
> can still reach it under RCU.
>
> Fixes: d3aedd5ebd4b ("ipv6 flowlabel: Convert hash list to RCU.")
> Reported-by: Yifan Wu <yifanwucs@xxxxxxxxx>
> Reported-by: Juefei Pu <tomapufckgml@xxxxxxxxx>
> Co-developed-by: Yuan Tan <yuantan098@xxxxxxxxx>
> Signed-off-by: Yuan Tan <yuantan098@xxxxxxxxx>
> Suggested-by: Xin Liu <bird@xxxxxxxxxx>
> Tested-by: Ren Wei <enjou1224z@xxxxxxxxx>
> Signed-off-by: Zhengchuan Liang <zcliangcn@xxxxxxxxx>
> Signed-off-by: Ren Wei <n05ec@xxxxxxxxxx>

Quite a long and confusing list of tags, and a long CC list ...

Please trim this next time you submit a networking patch.

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
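
The lifetime rule from the quoted commit message, as an added example that is not part of this thread or of the kernel patch: a single-threaded userspace model that replays one fixed interleaving (the reader loads `fl->opt`, the last user releases, the reader then reads `opt_nflen`). The `*_model` names, the `live` flag standing in for `kfree()`, the `defer` switch and the sample values are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only: field and function names follow the commit message,
 * the bodies are assumptions and not the kernel's code. */
struct opt_model { int opt_nflen; bool live; };
struct fl_model  { int users; bool in_hash; struct opt_model *opt; };

/* Stand-in for kfree(): mark the block dead instead of releasing it, so the
 * model can observe a stale access without undefined behaviour. */
static void model_kfree(struct opt_model *o) { if (o) o->live = false; }

/* Last user drops the label. defer=false models the early free in
 * fl_release(); defer=true models the fix, leaving opt for RCU teardown.
 * In both variants fl itself stays in the hash until garbage collection. */
static void fl_release_model(struct fl_model *fl, bool defer)
{
    if (--fl->users == 0 && !defer) {
        model_kfree(fl->opt);
        fl->opt = NULL; /* model choice: does not help a reader that already loaded it */
    }
}

/* Runs only after fl is unhashed and every reader that could see it is done. */
static void fl_free_rcu_model(struct fl_model *fl)
{
    fl->in_hash = false;
    model_kfree(fl->opt);
}

/* Returns true when the option block was still live at the reader's access. */
bool reader_sees_live_opt(bool defer)
{
    struct opt_model opt = { .opt_nflen = 8, .live = true }; /* constructed */
    struct fl_model fl = { .users = 1, .in_hash = true, .opt = &opt };

    struct opt_model *seen = fl.in_hash ? fl.opt : NULL; /* reader: load fl->opt */
    fl_release_model(&fl, defer);                        /* writer: last release */
    bool ok = seen != NULL && seen->live;                /* reader: opt_nflen    */

    fl_free_rcu_model(&fl);                              /* after all readers    */
    return ok;
}

int main(void)
{
    /* Exit status 0: early free is stale for the reader, deferred free is not. */
    return (!reader_sees_live_opt(false) && reader_sees_live_opt(true)) ? 0 : 1;
}
```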