Re: [PATCH net 2/2] ipv6: fix possible infinite loop in fib6_select_path()

Next message: Ido Schimmel: "Re: [PATCH net 1/2] ipv6: fix possible infinite loop in rt6_fill_node()"
Previous message: Claudiu Beznea: "Re: [PATCH v2 2/7] pinctrl: renesas: rzg2l: Drop defines present in struct rzg2l_hwcfg"
In reply to: Jiayuan Chen: "[PATCH net 2/2] ipv6: fix possible infinite loop in fib6_select_path()"
Next in thread: Ido Schimmel: "Re: [PATCH net 1/2] ipv6: fix possible infinite loop in rt6_fill_node()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ido Schimmel

Date: Thu May 28 2026 - 04:51:53 EST

On Wed, May 27, 2026 at 01:31:31PM +0800, Jiayuan Chen wrote:
> Found while auditing the same pattern Sashiko reported in
> rt6_fill_node() [1]. Apply the same fix as
> commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").
>
> Writers holding tb6_lock can list_del_rcu(&first->fib6_siblings)
> without waiting for RCU readers; first->fib6_siblings.next then
> still points into the old ring and this softirq-side walker never
> reaches &first->fib6_siblings as its terminator. fib6_purge_rt()
> always WRITE_ONCE()s first->fib6_nsiblings to 0 before
> list_del_rcu(), so an inside-loop check is a reliable detach signal.
>
> [1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev
>
> Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
> Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>

Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>