lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <pyaaf6vhfvkab4rpsgkojguixnp5vdxgzle6i6p3shuxgzwwaw@rdwgw47rgvzb>
Date: Thu, 11 Dec 2025 10:38:43 +0100
From: Jiri Pirko <jiri@...nulli.us>
To: Simon Horman <horms@...nel.org>
Cc: Dharanitharan R <dharanitharan725@...il.com>, 
	syzbot+422806e5f4cce722a71f@...kaller.appspotmail.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net v2] team: fix qom_list corruption by using
 list_del_init_rcu()

Wed, Dec 10, 2025 at 01:51:39PM +0100, horms@...nel.org wrote:
>On Wed, Dec 10, 2025 at 05:31:05AM +0000, Dharanitharan R wrote:
>> In __team_queue_override_port_del(), repeated deletion of the same port
>> using list_del_rcu() could corrupt the RCU-protected qom_list. This
>> happens if the function is called multiple times on the same port, for
>> example during port removal or team reconfiguration.
>> 
>> This patch replaces list_del_rcu() with list_del_init_rcu() to:
>> 
>>   - Ensure safe repeated deletion of the same port
>>   - Keep the RCU list consistent
>>   - Avoid potential use-after-free and list corruption issues
>> 
>> Testing:
>>   - Syzbot-reported crash is eliminated in testing.
>>   - Kernel builds and runs cleanly
>> 
>> Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
>> Reported-by: syzbot+422806e5f4cce722a71f@...kaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
>> Signed-off-by: Dharanitharan R <dharanitharan725@...il.com>
>
>Thanks for addressing my review of v1.
>The commit message looks much better to me.
>
>However, I am unable to find the cited commit in net.
>
>And I am still curious about the cause: are you sure it is repeated deletion?

It looks like it is. But I believe we need to fix the root cause, why
the list_del is called twice and don't blindly take AI made fix with AI
made patch description :O

I actually think that following path might the be problematic one:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
	-> team_port_disable()
        -> team_queue_override_port_del()
        -> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
        -> team_queue_override_port_prio_changed()
	-> checks: port disabled && queue_id != 0
        -> calls del - hits the BUG as it is removed already

Will test the fix and submit shortly.

#syz test

diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index 4d5c9ae8f221..c08a5c1bd6e4 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team)
 static void team_queue_override_port_prio_changed(struct team *team,
 						  struct team_port *port)
 {
-	if (!port->queue_id || team_port_enabled(port))
+	if (!port->queue_id || !team_port_enabled(port))
 		return;
 	__team_queue_override_port_del(team, port);
 	__team_queue_override_port_add(team, port);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ