lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <693a9126.a70a0220.33cd7b.002d.GAE@google.com>
Date: Thu, 11 Dec 2025 01:38:46 -0800
From: syzbot <syzbot+422806e5f4cce722a71f@...kaller.appspotmail.com>
To: jiri@...nulli.us
Cc: dharanitharan725@...il.com, horms@...nel.org, jiri@...nulli.us, 
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH net v2] team: fix qom_list corruption by using list_del_init_rcu()

> Wed, Dec 10, 2025 at 01:51:39PM +0100, horms@...nel.org wrote:
>>On Wed, Dec 10, 2025 at 05:31:05AM +0000, Dharanitharan R wrote:
>>> In __team_queue_override_port_del(), repeated deletion of the same port
>>> using list_del_rcu() could corrupt the RCU-protected qom_list. This
>>> happens if the function is called multiple times on the same port, for
>>> example during port removal or team reconfiguration.
>>> 
>>> This patch replaces list_del_rcu() with list_del_init_rcu() to:
>>> 
>>>   - Ensure safe repeated deletion of the same port
>>>   - Keep the RCU list consistent
>>>   - Avoid potential use-after-free and list corruption issues
>>> 
>>> Testing:
>>>   - Syzbot-reported crash is eliminated in testing.
>>>   - Kernel builds and runs cleanly
>>> 
>>> Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
>>> Reported-by: syzbot+422806e5f4cce722a71f@...kaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
>>> Signed-off-by: Dharanitharan R <dharanitharan725@...il.com>
>>
>>Thanks for addressing my review of v1.
>>The commit message looks much better to me.
>>
>>However, I am unable to find the cited commit in net.
>>
>>And I am still curious about the cause: are you sure it is repeated deletion?
>
> It looks like it is. But I believe we need to fix the root cause, why
> the list_del is called twice and don't blindly take AI made fix with AI
> made patch description :O
>
> I actually think that following path might the be problematic one:
> 1) Port is enabled, queue_id != 0, in qom_list
> 2) Port gets disabled
> 	-> team_port_disable()
>         -> team_queue_override_port_del()
>         -> del (removed from list)
> 3) Port is disabled, queue_id != 0, not in any list
> 4) Priority changes
>         -> team_queue_override_port_prio_changed()
> 	-> checks: port disabled && queue_id != 0
>         -> calls del - hits the BUG as it is removed already
>
> Will test the fix and submit shortly.
>
> #syz test

This crash does not have a reproducer. I cannot test it.

>
> diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
> index 4d5c9ae8f221..c08a5c1bd6e4 100644
> --- a/drivers/net/team/team_core.c
> +++ b/drivers/net/team/team_core.c
> @@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team)
>  static void team_queue_override_port_prio_changed(struct team *team,
>  						  struct team_port *port)
>  {
> -	if (!port->queue_id || team_port_enabled(port))
> +	if (!port->queue_id || !team_port_enabled(port))
>  		return;
>  	__team_queue_override_port_del(team, port);
>  	__team_queue_override_port_add(team, port);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ