Re: [PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction

Next message: Krzysztof Kozlowski: "Re: [PATCH v2 1/3] dt-bindings: soc: imx: fsl,imx93-media-blk-ctrl: Allow LVDS Display Bridge child node"
Previous message: Christian Brauner: "Re: [PATCH 0/2] proc: protect ptrace_may_access() with exec_update_lock"
In reply to: Yuyang Huang: "[PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction"
Next in thread: Yuyang Huang: "Re: [PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nicolas Dichtel

Date: Wed Jun 10 2026 - 03:50:34 EST

Le 09/06/2026 à 14:26, Yuyang Huang a écrit :
> When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
> the multicast list and calls ip_ma_put() on each membership, scheduling
> them for RCU reclamation. However, they are not unlinked from the device's
> multicast hash table (mc_hash).
>
> Since the device remains published in dev->ip_ptr until after
> ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
> can still locate and access the multicast group after its refcount is
> decremented. If the RCU callback runs and frees the group while a reader is
> accessing it, a use-after-free occurs.
>
> Fix this by unlinking the multicast group from mc_hash using
> ip_mc_hash_remove() before scheduling it for reclamation.
>
> Signed-off-by: Yuyang Huang <yuyanghuang@xxxxxxxxxx>
A 'Fixes' tag may be useful for backports.

Regards,
Nicolas