Commit 36d29cee authored May 26, 2026 by Jiayuan Chen Committed by Pablo Neira Ayuso Jun 01, 2026

netfilter: nft_fib_ipv6: bail out of sibling walk if rt got unlinked

This was reported by Sashiko [1].

The RCU walk over rt->fib6_siblings can spin forever if rt is unlinked
mid-iteration: rt->fib6_siblings.next still points into the old ring,
so the loop never meets &rt->fib6_siblings as its terminator.

fib6_purge_rt() always does WRITE_ONCE(rt->fib6_nsiblings, 0) before
list_del_rcu(), so readers can use rt->fib6_nsiblings == 0 as the
detach signal. The same pattern is used in fib6_info_uses_dev() and
rt6_nlmsg_size().

[1]: https://sashiko.dev/#/patchset/20260520023411.391233-1-jiayuan.chen%40linux.dev


Suggested-by: Florian Westphal <fw@strlen.de>
Fixes: 1c32b24c ("netfilter: nft_fib_ipv6: switch to fib6_lookup")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 193989cc

net/ipv6/netfilter/nft_fib_ipv6.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -191,6 +191,9 @@ static bool nft_fib6_info_nh_uses_dev(struct fib6_info *rt,

		if (nft_fib6_info_nh_dev_match(nh_dev, dev))
		return true;

		if (!READ_ONCE(rt->fib6_nsiblings))
		return false;
		}

		return false;