Re: [PATCH net-next] ipv4: igmp: remove multicast group from hash table on device destruction
From: Nicolas Dichtel
Date: Wed Jun 10 2026 - 05:03:22 EST
Le 10/06/2026 à 10:37, Yuyang Huang a écrit :
> On Wed, Jun 10, 2026 at 4:50 PM Nicolas Dichtel
> <nicolas.dichtel@xxxxxxxxx> wrote:
>>
>> Le 09/06/2026 à 14:26, Yuyang Huang a écrit :
>>> When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
>>> the multicast list and calls ip_ma_put() on each membership, scheduling
>>> them for RCU reclamation. However, they are not unlinked from the device's
>>> multicast hash table (mc_hash).
>>>
>>> Since the device remains published in dev->ip_ptr until after
>>> ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
>>> can still locate and access the multicast group after its refcount is
>>> decremented. If the RCU callback runs and frees the group while a reader is
>>> accessing it, a use-after-free occurs.
>>>
>>> Fix this by unlinking the multicast group from mc_hash using
>>> ip_mc_hash_remove() before scheduling it for reclamation.
>>>
>>> Signed-off-by: Yuyang Huang <yuyanghuang@xxxxxxxxxx>
>> A 'Fixes' tag may be useful for backports.
>
> Thanks for the suggestion. Per discussion in the following thread, we
> don't need to add the Fixes tag for a trivial fix.
>
> https://lore.kernel.org/netdev/20260604101728.GA771160@shredder/
I probably misunderstood the commit, but you are talking about a
'use-after-free', which doesn't seem trivial for me.