Commit 8e6405f8 authored Apr 08, 2026 by Paolo Abeni Committed by Jakub Kicinski Apr 09, 2026

ipv6: move IFA_F_PERMANENT percpu allocation in process scope



Observed at boot time:

 CPU: 43 UID: 0 PID: 3595 Comm: (t-daemon) Not tainted 6.12.0 #1
 Call Trace:
  <TASK>
  dump_stack_lvl+0x4e/0x70
  pcpu_alloc_noprof.cold+0x1f/0x4b
  fib_nh_common_init+0x4c/0x110
  fib6_nh_init+0x387/0x740
  ip6_route_info_create+0x46d/0x640
  addrconf_f6i_alloc+0x13b/0x180
  addrconf_permanent_addr+0xd0/0x220
  addrconf_notify+0x93/0x540
  notifier_call_chain+0x5a/0xd0
  __dev_notify_flags+0x5c/0xf0
  dev_change_flags+0x54/0x70
  do_setlink+0x36c/0xce0
  rtnl_setlink+0x11f/0x1d0
  rtnetlink_rcv_msg+0x142/0x3f0
  netlink_rcv_skb+0x50/0x100
  netlink_unicast+0x242/0x390
  netlink_sendmsg+0x21b/0x470
  __sys_sendto+0x1dc/0x1f0
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x7d/0x160
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7f5c3852f127
 Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 85 ef 0c 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 71 c3 55 48 83 ec 30 44 89 4c 24 2c 4c 89 44
 RSP: 002b:00007ffe86caf4c8 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 0000556c5cd93210 RCX: 00007f5c3852f127
 RDX: 0000000000000020 RSI: 0000556c5cd938b0 RDI: 0000000000000003
 RBP: 00007ffe86caf5a0 R08: 00007ffe86caf4e0 R09: 0000000000000080
 R10: 0000000000000000 R11: 0000000000000202 R12: 0000556c5cd932d0
 R13: 00000000021d05d1 R14: 00000000021d05d1 R15: 0000000000000001

IFA_F_PERMANENT addresses require the allocation of a bunch of percpu
pointers, currently in atomic scope.

Similar to commit 51454ea4 ("ipv6: fix locking issues with loops
over idev->addr_list"), move fixup_permanent_addr() outside the
&idev->lock scope, and do the allocations with GFP_KERNEL. With such
change fixup_permanent_addr() is invoked with the BH enabled, and the
ifp lock acquired there needs the BH variant.

Note that we don't need to acquire a reference to the permanent
addresses before releasing the mentioned write lock, because
addrconf_permanent_addr() runs under RTNL and ifa removal always happens
under RTNL, too.

Also the PERMANENT flag is constant in the relevant scope, as it can be
cleared only by inet6_addr_modify() under the RTNL lock.

Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Link: https://patch.msgid.link/46a7a030727e236af2dc7752994cd4f04f4a91d2.1775658924.git.pabeni@redhat.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 9addea5d

net/ipv6/addrconf.c

+19 −12

Original line number	Diff line number	Diff line
		@@ -3585,15 +3585,15 @@ static int fixup_permanent_addr(struct net *net,
		struct fib6_info f6i, prev;

		f6i = addrconf_f6i_alloc(net, idev, &ifp->addr, false,
		GFP_ATOMIC, NULL);
		GFP_KERNEL, NULL);
		if (IS_ERR(f6i))
		return PTR_ERR(f6i);

		/* ifp->rt can be accessed outside of rtnl */
		spin_lock(&ifp->lock);
		spin_lock_bh(&ifp->lock);
		prev = ifp->rt;
		ifp->rt = f6i;
		spin_unlock(&ifp->lock);
		spin_unlock_bh(&ifp->lock);

		fib6_info_release(prev);
		}
		@@ -3601,7 +3601,7 @@ static int fixup_permanent_addr(struct net *net,
		if (!(ifp->flags & IFA_F_NOPREFIXROUTE)) {
		addrconf_prefix_route(&ifp->addr, ifp->prefix_len,
		ifp->rt_priority, idev->dev, 0, 0,
		GFP_ATOMIC);
		GFP_KERNEL);
		}

		if (ifp->state == INET6_IFADDR_STATE_PREDAD)
		@@ -3612,29 +3612,36 @@ static int fixup_permanent_addr(struct net *net,

		static void addrconf_permanent_addr(struct net net, struct net_device dev)
		{
		struct inet6_ifaddr ifp, tmp;
		struct inet6_ifaddr *ifp;
		LIST_HEAD(tmp_addr_list);
		struct inet6_dev *idev;

		/* Mutual exclusion with other if_list_aux users. */
		ASSERT_RTNL();

		idev = __in6_dev_get(dev);
		if (!idev)
		return;

		write_lock_bh(&idev->lock);

		list_for_each_entry_safe(ifp, tmp, &idev->addr_list, if_list) {
		if ((ifp->flags & IFA_F_PERMANENT) &&
		fixup_permanent_addr(net, idev, ifp) < 0) {
		list_for_each_entry(ifp, &idev->addr_list, if_list) {
		if (ifp->flags & IFA_F_PERMANENT)
		list_add_tail(&ifp->if_list_aux, &tmp_addr_list);
		}
		write_unlock_bh(&idev->lock);

		while (!list_empty(&tmp_addr_list)) {
		ifp = list_first_entry(&tmp_addr_list,
		struct inet6_ifaddr, if_list_aux);
		list_del(&ifp->if_list_aux);

		if (fixup_permanent_addr(net, idev, ifp) < 0) {
		net_info_ratelimited("%s: Failed to add prefix route for address %pI6c; dropping\n",
		idev->dev->name, &ifp->addr);
		in6_ifa_hold(ifp);
		ipv6_del_addr(ifp);
		write_lock_bh(&idev->lock);
		}
		}

		write_unlock_bh(&idev->lock);
		}

		static int addrconf_notify(struct notifier_block *this, unsigned long event,