Re: [PATCH net] net: flow_offload: protect driver_block_list in flow_block_cb_setup_simple()

Next message: fangyu . yu: "Re: Re: [PATCH 0/2] iommu/riscv: support range and non-leaf IOTLB invalidation"
Previous message: Eugenio P&#xE9;rez: "[PATCH] vduse: Add suspend"
In reply to: Shigeru Yoshida: "[PATCH net] net: flow_offload: protect driver_block_list in flow_block_cb_setup_simple()"
Next in thread: Jakub Kicinski: "Re: [PATCH net] net: flow_offload: protect driver_block_list in flow_block_cb_setup_simple()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Westphal

Date: Wed Feb 11 2026 - 07:07:05 EST

Shigeru Yoshida <syoshida@xxxxxxxxxx> wrote:
> syzbot reported a list_del corruption in flow_block_cb_setup_simple(). [0]
>
> flow_block_cb_setup_simple() accesses the driver_block_list (e.g.,
> netdevsim's nsim_block_cb_list) without any synchronization. The
> nftables offload path calls into this function via ndo_setup_tc while
> holding the per-netns commit_mutex, but this mutex does not prevent
> concurrent access from tasks in different network namespaces that
> share the same driver_block_list, leading to list corruption:
>
> - Task A (FLOW_BLOCK_BIND) calls list_add_tail() to insert a new
> flow_block_cb into driver_block_list.
>
> - Task B (FLOW_BLOCK_UNBIND) concurrently calls list_del() on another
> flow_block_cb from the same list.

Looking at the *upper layer*, I don't think it expected drivers to use
a single global list for this bit something that is scoped to the
net_device.

As drivers do use shared lists everywhere I think this fix is correct, so

Acked-by: Florian Westphal <fw@xxxxxxxxx>