Commit f8d8ce1b authored by Eric Dumazet, committed by Jakub Kicinski

ipv6: fix possible infinite loop in fib6_info_uses_dev()



fib6_info_uses_dev() seems to rely on RCU without an explicit
protection.

Like the prior fix in rt6_nlmsg_size(),
we need to make sure fib6_del_route() or fib6_add_rt2node()
have not removed the anchor from the list, or we risk an infinite loop.

Fixes: d9ccb18f ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250725140725.3626540-4-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent 54e6fe9d
+11 −6
@@ -5958,16 +5958,21 @@ static bool fib6_info_uses_dev(const struct fib6_info *f6i,
	if (f6i->fib6_nh->fib_nh_dev == dev)
		return true;

	if (f6i->fib6_nsiblings) {
		struct fib6_info *sibling, *next_sibling;
	if (READ_ONCE(f6i->fib6_nsiblings)) {
		const struct fib6_info *sibling;

		list_for_each_entry_safe(sibling, next_sibling,
					 &f6i->fib6_siblings, fib6_siblings) {
			if (sibling->fib6_nh->fib_nh_dev == dev)
		rcu_read_lock();
		list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
					fib6_siblings) {
			if (sibling->fib6_nh->fib_nh_dev == dev) {
				rcu_read_unlock();
				return true;
			}
			if (!READ_ONCE(f6i->fib6_nsiblings))
				break;
		}
		rcu_read_unlock();
	}

	return false;
}
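
Review bot: the `if (!READ_ONCE(f6i->fib6_nsiblings)) break;` check at the end of the loop body carries no comment, and its purpose is only recoverable from the commit message: if fib6_del_route() or fib6_add_rt2node() has unlinked the anchor f6i, the walk never gets back to `&f6i->fib6_siblings` and spins. A one-line comment above the check saying that would keep a later cleanup from dropping it as redundant with the outer `READ_ONCE(f6i->fib6_nsiblings)` test. Separately, the `return true` inside the loop needs its own rcu_read_unlock(); a local `bool ret = false` set before a `break`, with the single rcu_read_unlock() after the loop, would keep the lock and unlock paired in one place and make a missed unlock on a future exit path less likely.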