RE: [PATCH net-next v2] ipv4: igmp: remove multicast group from hash table on device destruction
From: Jagielski, Jedrzej
Date: Tue Jun 30 2026 - 03:47:15 EST
From: Yuyang Huang <yuyanghuang@xxxxxxxxxx>
Sent: Tuesday, June 30, 2026 4:23 AM
>When a device is destroyed under RTNL, ip_mc_destroy_dev() iterates through
>the multicast list and calls ip_ma_put() on each membership, scheduling
>them for RCU reclamation. However, they are not unlinked from the device's
>multicast hash table (mc_hash).
>
>Since the device remains published in dev->ip_ptr until after
>ip_mc_destroy_dev() completes, concurrent RCU readers traversing mc_hash
>can still locate and access the multicast group after its refcount is
>decremented. If the RCU callback runs and frees the group while a reader is
>accessing it, a use-after-free occurs.
>
>Fix this by unlinking the multicast group from mc_hash using
>ip_mc_hash_remove() before scheduling it for reclamation.
>
>Fixes: e9897071350b ("igmp: hash a hash table to speedup ip_check_mc_rcu()")
>Signed-off-by: Yuyang Huang <yuyanghuang@xxxxxxxxxx>
Hi,
why sending this to net-next not to net if that's a bug fix?
In the v1 thread it was said
>This is a long-standing bug, not a recent regression.
so why do not cc stable kernel to get rid of this bug from
stable kernels in such case?