From: Simon Horman <horms@kernel.org>
To: Jiri Pirko <jiri@resnulli.us>
Cc: Dharanitharan R <dharanitharan725@gmail.com>,
	syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v2] team: fix qom_list corruption by using list_del_init_rcu()
Date: Thu, 11 Dec 2025 16:14:42 +0000
Message-ID: <aTrt8mig9TwBC3kp@horms.kernel.org>
In-Reply-To: <pyaaf6vhfvkab4rpsgkojguixnp5vdxgzle6i6p3shuxgzwwaw@rdwgw47rgvzb>

On Thu, Dec 11, 2025 at 10:38:43AM +0100, Jiri Pirko wrote:
> Wed, Dec 10, 2025 at 01:51:39PM +0100, horms@kernel.org wrote:
> >On Wed, Dec 10, 2025 at 05:31:05AM +0000, Dharanitharan R wrote:
> >> In __team_queue_override_port_del(), repeated deletion of the same port
> >> using list_del_rcu() could corrupt the RCU-protected qom_list. This
> >> happens if the function is called multiple times on the same port, for
> >> example during port removal or team reconfiguration.
> >> 
> >> This patch replaces list_del_rcu() with list_del_init_rcu() to:
> >> 
> >>   - Ensure safe repeated deletion of the same port
> >>   - Keep the RCU list consistent
> >>   - Avoid potential use-after-free and list corruption issues
> >> 
> >> Testing:
> >>   - Syzbot-reported crash is eliminated in testing.
> >>   - Kernel builds and runs cleanly
> >> 
> >> Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
> >> Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
> >> Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
> >
> >Thanks for addressing my review of v1.
> >The commit message looks much better to me.
> >
> >However, I am unable to find the cited commit in net.
> >
> >And I am still curious about the cause: are you sure it is repeated deletion?
> 
> It looks like it is. But I believe we need to fix the root cause, why
> the list_del is called twice and don't blindly take AI made fix with AI
> made patch description :O
> 
> I actually think that following path might be the problematic one:
> 1) Port is enabled, queue_id != 0, in qom_list
> 2) Port gets disabled
>         -> team_port_disable()
>         -> team_queue_override_port_del()
>         -> del (removed from list)
> 3) Port is disabled, queue_id != 0, not in any list
> 4) Priority changes
>         -> team_queue_override_port_prio_changed()
>         -> checks: port disabled && queue_id != 0
>         -> calls del - hits the BUG as it is removed already
> 
> Will test the fix and submit shortly.

Thanks, much appreciated.

...
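
The four-step path quoted above, as a small userspace C model. This is an added example, not code from the thread, the patch, or the team driver. Every struct and function name and the poison constant are assumptions, and the guarded branch is one illustrative guard, not the fix that was submitted.

```c
#include <stdbool.h>

/* Userspace model of the path in the thread; every name here is hypothetical. */
struct node { struct node *next, *prev; };
#define POISON ((struct node *)0x122) /* constructed stand-in poison value */
struct port { bool enabled; int queue_id; int priority; struct node qom; };

static void node_add(struct node *n, struct node *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Like list_del_rcu() with list debugging: unlink, poison prev, keep next for
 * concurrent readers. Returns false where the kernel would report corruption. */
static bool node_del_checked(struct node *n)
{
    if (n->prev == POISON)
        return false;           /* entry was already removed */
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->prev = POISON;
    return true;
}

/* Step 2: disabling a port with queue_id != 0 takes it off qom_list. */
static bool port_disable(struct port *p)
{
    p->enabled = false;
    return p->queue_id ? node_del_checked(&p->qom) : true;
}

/* Step 4. Unguarded: the check quoted in the thread (disabled && queue_id != 0
 * -> del). Guarded (an assumption): skip, a disabled port is on no list. */
static bool prio_changed(struct port *p, int prio, bool guarded)
{
    p->priority = prio;
    if (!p->enabled && p->queue_id && !guarded)
        return node_del_checked(&p->qom);
    return true;
}

/* Steps 1-4; true means no delete hit an already-removed entry. */
bool run_path(bool guarded)
{
    struct node qom_list = { &qom_list, &qom_list };
    struct port p = { .enabled = true, .queue_id = 1, .priority = 0 };
    node_add(&p.qom, &qom_list);    /* step 1: enabled, in qom_list */
    return port_disable(&p) && prio_changed(&p, 5, guarded);
}
```

In the model, `run_path(false)` fails at step 4 because the second delete sees the poisoned `prev` pointer left by step 2, while `run_path(true)` completes.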

Thread overview: 7+ messages
2025-12-10  5:31 [PATCH net v2] team: fix qom_list corruption by using list_del_init_rcu() Dharanitharan R
2025-12-10 12:51 ` Simon Horman
2025-12-11  9:38   ` Jiri Pirko
2025-12-11  9:38     ` syzbot
2025-12-11 16:14     ` Simon Horman [this message]
2025-12-12 10:11 ` Jiri Pirko
2025-12-16  5:20 ` kernel test robot
