Re: [PATCH net 1/2] ipv6: fix possible infinite loop in rt6_fill_node()

[Jiayuan Chen]

On 5/28/26 4:45 PM, Ido Schimmel wrote:
> On Wed, May 27, 2026 at 01:31:30PM +0800, Jiayuan Chen wrote:
> > Sashiko reported this issue [1]. Apply the same fix as
> > commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").
> >
> > Writers holding tb6_lock can list_del_rcu(&rt->fib6_siblings)
> > without waiting for RCU readers; rt->fib6_siblings.next then still
> > points into the old ring and this softirq-side walker never reaches
> > &rt->fib6_siblings, causing a CPU stall. fib6_purge_rt() always
> s/fib6_purge_rt/fib6_del_route/ ?

You're right, that's fib6_del_route().


> > WRITE_ONCE()s rt->fib6_nsiblings to 0 before list_del_rcu(), so an
> > inside-loop check is a reliable detach signal.
> >
> > [1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev
> >
> > Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
> > Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
> Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>
>
> Sashiko points out two pre-existing issues:
>
> 1. Same issue in nft_fib6_info_nh_uses_dev(). Fixed by:
> https://lore.kernel.org/all/20260526020227.4857-1-jiayuan.chen@xxxxxxxxx/
>
> 2. Missing nlmsg_{end, cancel}() following ip6mr_get_route(). Seems
> valid, but completely unrelated.