From nobody Mon Jun 8 13:24:57 2026 Received: from out-180.mta0.migadu.com (out-180.mta0.migadu.com [91.218.175.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB7E335F5E5 for ; Fri, 29 May 2026 03:20:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780024854; cv=none; b=FwN/aDF+wDDb7vMFF0zd4Z587DmzIIJ42nsZlJnxJ88rb9ci/RITLGpoFbypS8GR6zedILXbpfXme6tcut2KKC+dmdRw8tFD8u2kVFjubhWbuiwBZmIHwnrxDp1x912YJFbxV7ZSBEnoAZtEtLlaUD6Fq6fCAF7s8dxQJiaaMgE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780024854; c=relaxed/simple; bh=RB3qOs2Ohx6Lg4He1Ag2kH5Y/QXyI/UlS5MiaZD55JI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=HKoBICjbCmI4MO+OH5C5JLov851IB5vdm/GIH8rILqzdW89RGPT0AhR63u8RQowjnoe+Ym7bZc0MmCRiT2dViy+lUvGNRlxGi+5a0DOaOw4OhfYI1aMZR/qL24+CV4rh9b63cSe0W6V9aEI28IaMEL9sgRFaJt3piuJ+WCAJ0jA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=ZmWvFfw1; arc=none smtp.client-ip=91.218.175.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="ZmWvFfw1" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1780024840; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Jx7dJ3LrSYHkDmTM3C5e8iRNjYq89+NASBYIOXgzJoU=; b=ZmWvFfw1S5HaZrtgg4Q6iNLHX/ASXIzovM5ogMfXVEwEFIzkvg2vd30VMFbeGb/HWn9wb3 foJFayJAzLRjC+TX0EhDaAE1dVjdStrcLhzH8heSNrZzdGLnK1gnEwBnhIqARTBBa03+Kz ZSwHj/KilAjlDhrzgRH3d4xid4C1XgY= From: Jiayuan Chen To: netdev@vger.kernel.org Cc: Jiayuan Chen , David Ahern , Ido Schimmel , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Kuniyuki Iwashima , linux-kernel@vger.kernel.org Subject: [PATCH net] ipv6: anycast: insert aca into global hash under idev->lock Date: Fri, 29 May 2026 11:20:25 +0800 Message-ID: <20260529032026.363856-1-jiayuan.chen@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" syzbot reported a splat [1]: a slab-use-after-free in ipv6_chk_acast_addr(), which walks the global inet6_acaddr_lst[] hash under RCU and dereferences a struct ifacaddr6 that has already been freed while still linked in the hash, so a later reader walks into a dangling node. In __ipv6_dev_ac_inc() the aca is allocated with refcount 1, then aca_get() bumps it to 2 to keep it alive across the unlocked region. It is published to idev->ac_list under idev->lock, but ipv6_add_acaddr_hash() runs after write_unlock_bh(). A concurrent teardown (ipv6_ac_destroy_dev() from addrconf_ifdown(), under RTNL) can slip into that window: CPU0 __ipv6_dev_ac_inc CPU1 ipv6_ac_destroy_dev (RTNL) ------------------------------ ------------------------------------ aca_alloc() refcnt 1 aca_get() refcnt 2 write_lock_bh(idev->lock) add aca to ac_list write_unlock_bh(idev->lock) write_lock_bh(idev->lock) pull aca off ac_list write_unlock_bh(idev->lock) ipv6_del_acaddr_hash(aca) hlist_del_init_rcu() is a no-op, aca is not in the hash yet aca_put() refcnt 2->1 ipv6_add_acaddr_hash(aca) aca now inserted into the hash aca_put() refcnt 1->0 call_rcu(aca_free_rcu) -> kfree(aca) The hash removal becomes a no-op because the insertion has not happened yet, so once CPU0 inserts and drops the last reference, the aca is freed while still linked in inet6_acaddr_lst[], and readers dereference freed memory after the slab slot is reused. This window opened once RTNL stopped serializing the join path against device teardown. Move ipv6_add_acaddr_hash() inside the idev->lock section so the ac_list and hash insertions are atomic with respect to teardown: a racing remover now either misses the aca entirely or finds it in both lists. [1] https://syzkaller.appspot.com/bug?extid=3Da01df04303c131efbf3a Fixes: eb1ac9ff6c4a ("ipv6: anycast: Don't hold RTNL for IPV6_JOIN_ANYCAST.= ") Signed-off-by: Jiayuan Chen Reviewed-by: Kuniyuki Iwashima --- net/ipv6/anycast.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c index 67a42e01dfc3..cd8c02a1ad4c 100644 --- a/net/ipv6/anycast.c +++ b/net/ipv6/anycast.c @@ -371,10 +371,10 @@ int __ipv6_dev_ac_inc(struct inet6_dev *idev, const s= truct in6_addr *addr) aca->aca_next =3D idev->ac_list; rcu_assign_pointer(idev->ac_list, aca); =20 - write_unlock_bh(&idev->lock); - ipv6_add_acaddr_hash(net, aca); =20 + write_unlock_bh(&idev->lock); + ip6_ins_rt(net, f6i); =20 addrconf_join_solict(idev->dev, &aca->aca_addr); --=20 2.43.0