[PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction

Next message: Petr Tesarik: "Re: [PATCH v6 04/20] dma-pool: track decrypted atomic pools and select them via attrs"
Previous message: Konrad Dybcio: "Re: [PATCH v3 05/10] ARM: dts: qcom: msm8960: add RPM clock controller and fix USB clocks"
Next in thread: Nicolas Dichtel: "Re: [PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yuyang Huang

Date: Tue Jun 09 2026 - 08:28:30 EST

When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
the multicast list and calls ip_ma_put() on each membership, scheduling
them for RCU reclamation. However, they are not unlinked from the device's
multicast hash table (mc_hash).

Since the device remains published in dev->ip_ptr until after
ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
can still locate and access the multicast group after its refcount is
decremented. If the RCU callback runs and frees the group while a reader is
accessing it, a use-after-free occurs.

Fix this by unlinking the multicast group from mc_hash using
ip_mc_hash_remove() before scheduling it for reclamation.

Signed-off-by: Yuyang Huang <yuyanghuang@xxxxxxxxxx>
---
net/ipv4/igmp.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index b6337a47c141..af38073a822d 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1923,6 +1923,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev)

while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
in_dev->mc_list = i->next_rcu;
+ ip_mc_hash_remove(in_dev, i);
WRITE_ONCE(in_dev->mc_count, in_dev->mc_count - 1);
ip_mc_clear_src(i);
ip_ma_put(i);
--
2.54.0.1099.g489fc7bff1-goog