Re: [PATCH net] ipv6: ioam: fix type confusion of dst_entry

From: Justin Iurman

Date: Fri Jun 19 2026 - 15:43:00 EST


On 6/18/26 12:43, Jiayuan Chen wrote:
> IOAM uses a dummy dst_entry (null_dst) to mark that the destination should
> not be changed after the transformation. This dst is stored in the IOAM lwt
> state and may be passed to dst_cache_set_ip6().
>
> However, the IPv6 dst cache path eventually calls rt6_get_cookie(), which
> treats the dst_entry as part of a struct rt6_info. Since the null_dst was
> embedded directly as a struct dst_entry in struct ioam6_lwt, this resulted
> in an invalid cast and rt6_get_cookie() reading fields from the wrong
> object.
>
> In practice, the wrong cookie is not used while dst->obsolete is zero, but
> rt6_get_cookie() may also access a per-cpu value when rt->sernum is
> zero. In this case, rt->sernum aliases ioam6_lwt::cache::reset_ts, which
> can become zero, making this a potential invalid pointer access.
>
> Fix this by embedding a full struct rt6_info for the dummy IPv6 route and
> passing its dst member to the dst APIs.

Good catch, thanks!

> Fixes: 47ce7c854563 ("net: ipv6: ioam6: fix double reallocation")
> Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>

Reviewed-by: Justin Iurman <justin.iurman@xxxxxxxxx>
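
The type confusion discussed in this thread, as an added example that is not part of the original message or of the kernel patch: it computes where a cast from an embedded dst_entry back to rt6_info makes rt->sernum point, before and after embedding a full rt6_info. The struct layouts, `lwt_before`, `lwt_after` and the helper functions are simplified assumptions, not the kernel's definitions; in this mock layout the stray read lands on `cache.reset_ts`, as the commit message describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for illustration (assumed layouts, not the kernel's). */
struct dst_entry { void *ops; unsigned long expires; short obsolete; };
struct rt6_info  { struct dst_entry dst; void *from; int sernum; };
struct dst_cache { void *cache; unsigned long reset_ts; };

/* Before the fix: only a bare dst_entry is embedded in the lwt state. */
struct lwt_before { struct dst_entry null_dst; struct dst_cache cache; };
/* After the fix: a full rt6_info is embedded and its dst member is passed. */
struct lwt_after  { struct rt6_info null_rt; struct dst_cache cache; };

/* Offset, within the enclosing state struct, that rt->sernum refers to once
 * a dst located at dst_off has been cast back to its "containing" rt6_info. */
static size_t sernum_off_via_cast(size_t dst_off)
{
    return dst_off - offsetof(struct rt6_info, dst)
                   + offsetof(struct rt6_info, sernum);
}

/* 1 if an int read at field_off stays inside the object at obj_off. */
static int inside(size_t obj_off, size_t obj_size, size_t field_off)
{
    return field_off >= obj_off &&
           field_off + sizeof(int) <= obj_off + obj_size;
}

static int before_read_in_bounds(void)
{
    size_t dst_off = offsetof(struct lwt_before, null_dst);
    return inside(dst_off, sizeof(struct dst_entry), sernum_off_via_cast(dst_off));
}

static int after_read_in_bounds(void)
{
    size_t rt_off = offsetof(struct lwt_after, null_rt);
    size_t dst_off = rt_off + offsetof(struct rt6_info, dst);
    return inside(rt_off, sizeof(struct rt6_info), sernum_off_via_cast(dst_off));
}

int main(void)
{
    printf("before: sernum read at offset %zu, in bounds: %d\n",
           sernum_off_via_cast(offsetof(struct lwt_before, null_dst)),
           before_read_in_bounds());
    printf("after:  in bounds: %d\n", after_read_in_bounds());
    return 0;
}
```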