Re: [PATCH net] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()

Next message: Stanislav Zaikin: "[PATCH v3 1/2] dt-bindings: arm: qcom: Add SM7325 Xiaomi 12 Lite 5G (taoyao)"
Previous message: Krzysztof Kozlowski: "Re: [PATCH v2 0/3] Add basic device tree support for the Axis ARTPEC-9 SoC"
Next in thread: Eric Dumazet: "Re: [PATCH net] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Tue Feb 24 2026 - 06:47:17 EST

On Mon, 12 Jan 2026 10:38:25 +0000 Eric Dumazet wrote:
> syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
> in an interesting way [1]
>
> Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
> list->prev, while the prior write on list->next went well.
>
> static inline void INIT_LIST_HEAD(struct list_head *list)
> {
> WRITE_ONCE(list->next, list); // This went well
> WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
> }
>
> Issue here is that rt6_uncached_list_del() did not attempt to lock
> ul->lock, as list_empty(&rt->dst.rt_uncached) returned
> true because the WRITE_ONCE(list->next, list) happened on the other CPU.
>
> We might use list_del_init_careful() and list_empty_careful(),
> or make sure rt6_uncached_list_del() always grabs the spinlock
> whenever rt->dst.rt_uncached_list has been set.
>
> A similar fix is neeed for IPv4.
>
FYI list corruption in dst_destroy() [1] happened after this fix.

[1] Subject: Re: [syzbot] [kernel?] INFO: task hung in restrict_one_thread_callback
https://lore.kernel.org/lkml/699d155f.050a0220.247d23.0377.GAE@xxxxxxxxxx/