Re: [PATCH net v3] ipv6: fix data race in fib6_metric_set() using cmpxchg

Next message: Denis Benato: "Re: [PATCH] HID: gpd: fix report descriptor on GPD Win handheld (2f24:0137)"
Previous message: Claudio Imbrenda: "[PATCH v2 5/5] KVM: s390: selftests: enable some common memory-related tests"
Next in thread: Jakub Kicinski: "Re: [PATCH net v3] ipv6: fix data race in fib6_metric_set() using cmpxchg"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Wed Apr 01 2026 - 13:56:15 EST

On Mon, Mar 30, 2026 at 9:17 PM Hangbin Liu <liuhangbin@xxxxxxxxx> wrote:
>
> fib6_metric_set() may be called concurrently from softirq context without
> holding the FIB table lock. A typical path is:
>
> ndisc_router_discovery()
> spin_unlock_bh(&table->tb6_lock) <- lock released
> fib6_metric_set(rt, RTAX_HOPLIMIT, ...) <- lockless call
>
> When two CPUs process Router Advertisement packets for the same router
> simultaneously, they can both arrive at fib6_metric_set() with the same
> fib6_info pointer whose fib6_metrics still points to dst_default_metrics.
>
> if (f6i->fib6_metrics == &dst_default_metrics) { /* both CPUs: true */
> struct dst_metrics *p = kzalloc_obj(*p, GFP_ATOMIC);
> refcount_set(&p->refcnt, 1);
> f6i->fib6_metrics = p; /* CPU1 overwrites CPU0's p -> p0 leaked */
> }

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>