Re: [PATCH net 1/2] ip6: vti: Use ip6_tnl.net in vti6_changelink().

Next message: fangyu . yu: "[RFC PATCH 06/11] iommu/riscv: Add domain_alloc_paging_flags for second-stage domain"
Previous message: Danilo Krummrich: "Re: [PATCH 03/24] rust: devres: add ForLt support to Devres"
In reply to: Maoyi Xie: "[PATCH net 1/2] ip6: vti: Use ip6_tnl.net in vti6_changelink()."
Next in thread: Jakub Kicinski: "Re: [PATCH net 1/2] ip6: vti: Use ip6_tnl.net in vti6_changelink()."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Tue Apr 28 2026 - 09:27:11 EST

On Tue, Apr 28, 2026 at 4:07 AM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
>
> From: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
>
> ip netns add ns1
> ip netns add ns2
> ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7
> ip -n ns1 link set vti6_test netns ns2
> ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9
> ip netns del ns2
> ip netns del ns1
> [ 132.495484] ------------[ cut here ]------------
> [ 132.497609] kernel BUG at net/core/dev.c:12376!
>
> After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of
> rtnl_link_ops"), vti6_newlink() correctly resolves the per-netns vti6
> hash via link_net. vti6_changelink() and vti6_update() were not
> converted in that series and still read dev_net(dev) /
> dev_net(t->dev), which diverge from the device's creation netns
> after IFLA_NET_NS_FD migration. The result is a stale per-netns hash
> entry; cleanup_net() of the original netns then walks freed memory.
>
> Reachable from an unprivileged user namespace ("unshare --user
> --map-root-user --net"); cross-tenant scope on container hosts.
>
> Fixes: 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops")
> Reported-by: Maoyi Xie <maoyi.xie@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx # v5.15+
> Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>