Re: [PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction

Next message: Chen-Yu Tsai: "[PATCH v2 02/16] device property: Add fwnode_graph_get_next_port_endpoint()"
Previous message: Johan Alvarado: "[PATCH net-next v2 0/2] net: dsa: realtek: rtl8365mb: add SGMII/HSGMII support for RTL8367S"
In reply to: Nicolas Dichtel: "Re: [PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction"
Next in thread: Nicolas Dichtel: "Re: [PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yuyang Huang

Date: Wed Jun 10 2026 - 04:45:41 EST

On Wed, Jun 10, 2026 at 4:50 PM Nicolas Dichtel
<nicolas.dichtel@xxxxxxxxx> wrote:
>
> Le 09/06/2026 à 14:26, Yuyang Huang a écrit :
> > When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
> > the multicast list and calls ip_ma_put() on each membership, scheduling
> > them for RCU reclamation. However, they are not unlinked from the device's
> > multicast hash table (mc_hash).
> >
> > Since the device remains published in dev->ip_ptr until after
> > ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
> > can still locate and access the multicast group after its refcount is
> > decremented. If the RCU callback runs and frees the group while a reader is
> > accessing it, a use-after-free occurs.
> >
> > Fix this by unlinking the multicast group from mc_hash using
> > ip_mc_hash_remove() before scheduling it for reclamation.
> >
> > Signed-off-by: Yuyang Huang <yuyanghuang@xxxxxxxxxx>
> A 'Fixes' tag may be useful for backports.

Thanks for the suggestion. Per discussion in the following thread, we
don't need to add the Fixes tag for a trivial fix.

https://lore.kernel.org/netdev/20260604101728.GA771160@shredder/