Re: [PATCH net] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()

Next message: Tariq Toukan: "Re: [PATCH net-next] net: ethtool: add COALESCE_RX_CQE_FRAMES/NSECS parameters"
Previous message: Andy Shevchenko: "[PATCH v1 1/1] memory: bt1-l2-ctl: Remove not-going-to-be-supported code for Baikal SoC"
In reply to: Hillf Danton: "Re: [PATCH net] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()"
Next in thread: Christian A. Ehrhardt: "Re: [PATCH net] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Tue Feb 24 2026 - 07:00:23 EST

On Tue, Feb 24, 2026 at 12:41 PM Hillf Danton <hdanton@xxxxxxxx> wrote:
>
> On Mon, 12 Jan 2026 10:38:25 +0000 Eric Dumazet wrote:
> > syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
> > in an interesting way [1]
> >
> > Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
> > list->prev, while the prior write on list->next went well.
> >
> > static inline void INIT_LIST_HEAD(struct list_head *list)
> > {
> > WRITE_ONCE(list->next, list); // This went well
> > WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
> > }
> >
> > Issue here is that rt6_uncached_list_del() did not attempt to lock
> > ul->lock, as list_empty(&rt->dst.rt_uncached) returned
> > true because the WRITE_ONCE(list->next, list) happened on the other CPU.
> >
> > We might use list_del_init_careful() and list_empty_careful(),
> > or make sure rt6_uncached_list_del() always grabs the spinlock
> > whenever rt->dst.rt_uncached_list has been set.
> >
> > A similar fix is neeed for IPv4.
> >
> FYI list corruption in dst_destroy() [1] happened after this fix.
>
>
> [1] Subject: Re: [syzbot] [kernel?] INFO: task hung in restrict_one_thread_callback
> https://lore.kernel.org/lkml/699d155f.050a0220.247d23.0377.GAE@xxxxxxxxxx/

Seems unrelated.

Are you seeing anything wrong with my patch ?