Re: [PATCH net-next 2/2] ipv6: mcast: annotate igmp6 timer expiry race
From: Ido Schimmel
Date: Tue Jun 09 2026 - 03:46:12 EST
On Fri, Jun 05, 2026 at 11:57:59PM +0900, Yuyang Huang wrote:
> /proc/net/igmp6 walks IPv6 multicast memberships under RCU and reads
> mca_work.timer.expires to print the remaining multicast timer. The
> delayed-work timer can be updated concurrently.
>
> Annotate the intentional lockless procfs snapshot with READ_ONCE().
>
> Signed-off-by: Yuyang Huang <sigefriedhyy@xxxxxxxxx>
> ---
> net/ipv6/mcast.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
> index bd3972730aa0..184e57469086 100644
> --- a/net/ipv6/mcast.c
> +++ b/net/ipv6/mcast.c
> @@ -2983,6 +2983,7 @@ static int igmp6_mc_seq_show(struct seq_file *seq, void *v)
> {
> struct ifmcaddr6 *im = (struct ifmcaddr6 *)v;
> struct igmp6_mc_iter_state *state = igmp6_mc_seq_private(seq);
> + unsigned long expires = READ_ONCE(im->mca_work.timer.expires);
> unsigned int mca_flags = READ_ONCE(im->mca_flags);
The comment from Sashiko about inverting the order looks valid. In the write
path, the MAF_TIMER_RUNNING flag is always set after modifying the timer:
"
Does unconditionally hoisting the read of timer.expires before mca_flags
create a time-of-check to time-of-use race?
If a newly allocated multicast group has expires initialized to 0, this
sequence could happen in igmp6_mc_seq_show():
CPU1 reads expires as 0:
expires = READ_ONCE(im->mca_work.timer.expires);
CPU2 concurrently arms the timer and sets the flag:
mod_delayed_work(...)
im->mca_flags |= MAF_TIMER_RUNNING;
CPU1 then reads mca_flags:
mca_flags = READ_ONCE(im->mca_flags);
Because the MAF_TIMER_RUNNING flag is now set, CPU1 evaluates the timer
output as (expires - jiffies), which is (0 - jiffies). Does this
underflow and cause /proc/net/igmp6 to print a massive garbage timer value?
"
>
> seq_printf(seq,
> @@ -2991,7 +2992,7 @@ static int igmp6_mc_seq_show(struct seq_file *seq, void *v)
> &im->mca_addr,
> READ_ONCE(im->mca_users), mca_flags,
> (mca_flags & MAF_TIMER_RUNNING) ?
> - jiffies_to_clock_t(im->mca_work.timer.expires - jiffies) : 0);
> + jiffies_to_clock_t(expires - jiffies) : 0);
> return 0;
> }
>
> --
> 2.43.0
>