In __team_queue_override_port_del(), repeated deletion of the same port
using list_del_rcu() could corrupt the RCU-protected qom_list. This
happens if the function is called multiple times on the same port, for
example during port removal or team reconfiguration.

This patch replaces list_del_rcu() with list_del_init_rcu() to:

  - Ensure safe repeated deletion of the same port
  - Keep the RCU list consistent
  - Avoid potential use-after-free and list corruption issues

Testing:
  - Syzbot-reported crash is eliminated in testing.
  - Kernel builds and runs cleanly

Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
---
 drivers/net/team/team_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index 4d5c9ae8f221..d6d724b52dbf 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -823,7 +823,8 @@ static void __team_queue_override_port_del(struct team *team,
 {
 	if (!port->queue_id)
 		return;
-	list_del_rcu(&port->qom_list);
+	/* Ensure safe repeated deletion */
+	list_del_init_rcu(&port->qom_list);
 }
 
 static bool team_queue_override_port_has_gt_prio_than(struct team_port *port,
-- 
2.43.0

Wed, Dec 10, 2025 at 06:31:05AM +0100, dharanitharan725@gmail.com wrote:
>In __team_queue_override_port_del(), repeated deletion of the same port
>using list_del_rcu() could corrupt the RCU-protected qom_list. This
>happens if the function is called multiple times on the same port, for
>example during port removal or team reconfiguration.
>
>This patch replaces list_del_rcu() with list_del_init_rcu() to:
>
>  - Ensure safe repeated deletion of the same port
>  - Keep the RCU list consistent
>  - Avoid potential use-after-free and list corruption issues
>
>Testing:
>  - Syzbot-reported crash is eliminated in testing.
>  - Kernel builds and runs cleanly
>
>Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")

Awesome, this commit is AI hallucinated. Can you do some basic checking
before you send this ****?

On Wed, Dec 10, 2025 at 05:31:05AM +0000, Dharanitharan R wrote:
> In __team_queue_override_port_del(), repeated deletion of the same port
> using list_del_rcu() could corrupt the RCU-protected qom_list. This
> happens if the function is called multiple times on the same port, for
> example during port removal or team reconfiguration.
> 
> This patch replaces list_del_rcu() with list_del_init_rcu() to:
> 
>   - Ensure safe repeated deletion of the same port
>   - Keep the RCU list consistent
>   - Avoid potential use-after-free and list corruption issues
> 
> Testing:
>   - Syzbot-reported crash is eliminated in testing.
>   - Kernel builds and runs cleanly
> 
> Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
> Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
> Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>

Thanks for addressing my review of v1.
The commit message looks much better to me.

However, I am unable to find the cited commit in net.

And I am still curious about the cause: are you sure it is repeated deletion?

> ---
>  drivers/net/team/team_core.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
> index 4d5c9ae8f221..d6d724b52dbf 100644
> --- a/drivers/net/team/team_core.c
> +++ b/drivers/net/team/team_core.c
> @@ -823,7 +823,8 @@ static void __team_queue_override_port_del(struct team *team,
>  {
>  	if (!port->queue_id)
>  		return;
> -	list_del_rcu(&port->qom_list);
> +	/* Ensure safe repeated deletion */
> +	list_del_init_rcu(&port->qom_list);

When applied against net this does not compile
as list_del_init_rcu (as opposed to hlist_del_init_rcu) does
not seem to exist in that tree. Am I missing something?

>  }
>  
>  static bool team_queue_override_port_has_gt_prio_than(struct team_port *port,
> -- 
> 2.43.0

-- 
pw-bot: changes-requested

Wed, Dec 10, 2025 at 01:51:39PM +0100, horms@kernel.org wrote:
>On Wed, Dec 10, 2025 at 05:31:05AM +0000, Dharanitharan R wrote:
>> In __team_queue_override_port_del(), repeated deletion of the same port
>> using list_del_rcu() could corrupt the RCU-protected qom_list. This
>> happens if the function is called multiple times on the same port, for
>> example during port removal or team reconfiguration.
>> 
>> This patch replaces list_del_rcu() with list_del_init_rcu() to:
>> 
>>   - Ensure safe repeated deletion of the same port
>>   - Keep the RCU list consistent
>>   - Avoid potential use-after-free and list corruption issues
>> 
>> Testing:
>>   - Syzbot-reported crash is eliminated in testing.
>>   - Kernel builds and runs cleanly
>> 
>> Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
>> Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
>> Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
>
>Thanks for addressing my review of v1.
>The commit message looks much better to me.
>
>However, I am unable to find the cited commit in net.
>
>And I am still curious about the cause: are you sure it is repeated deletion?

It looks like it is. But I believe we need to fix the root cause, why
the list_del is called twice and don't blindly take AI made fix with AI
made patch description :O

I actually think that following path might the be problematic one:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
	-> team_port_disable()
        -> team_queue_override_port_del()
        -> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
        -> team_queue_override_port_prio_changed()
	-> checks: port disabled && queue_id != 0
        -> calls del - hits the BUG as it is removed already

Will test the fix and submit shortly.

#syz test

diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index 4d5c9ae8f221..c08a5c1bd6e4 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team)
 static void team_queue_override_port_prio_changed(struct team *team,
 						  struct team_port *port)
 {
-	if (!port->queue_id || team_port_enabled(port))
+	if (!port->queue_id || !team_port_enabled(port))
 		return;
 	__team_queue_override_port_del(team, port);
 	__team_queue_override_port_add(team, port);

On Thu, Dec 11, 2025 at 10:38:43AM +0100, Jiri Pirko wrote:
> Wed, Dec 10, 2025 at 01:51:39PM +0100, horms@kernel.org wrote:
> >On Wed, Dec 10, 2025 at 05:31:05AM +0000, Dharanitharan R wrote:
> >> In __team_queue_override_port_del(), repeated deletion of the same port
> >> using list_del_rcu() could corrupt the RCU-protected qom_list. This
> >> happens if the function is called multiple times on the same port, for
> >> example during port removal or team reconfiguration.
> >> 
> >> This patch replaces list_del_rcu() with list_del_init_rcu() to:
> >> 
> >>   - Ensure safe repeated deletion of the same port
> >>   - Keep the RCU list consistent
> >>   - Avoid potential use-after-free and list corruption issues
> >> 
> >> Testing:
> >>   - Syzbot-reported crash is eliminated in testing.
> >>   - Kernel builds and runs cleanly
> >> 
> >> Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
> >> Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
> >> Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
> >> Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
> >
> >Thanks for addressing my review of v1.
> >The commit message looks much better to me.
> >
> >However, I am unable to find the cited commit in net.
> >
> >And I am still curious about the cause: are you sure it is repeated deletion?
> 
> It looks like it is. But I believe we need to fix the root cause, why
> the list_del is called twice and don't blindly take AI made fix with AI
> made patch description :O
> 
> I actually think that following path might the be problematic one:
> 1) Port is enabled, queue_id != 0, in qom_list
> 2) Port gets disabled
> 	-> team_port_disable()
>         -> team_queue_override_port_del()
>         -> del (removed from list)
> 3) Port is disabled, queue_id != 0, not in any list
> 4) Priority changes
>         -> team_queue_override_port_prio_changed()
> 	-> checks: port disabled && queue_id != 0
>         -> calls del - hits the BUG as it is removed already
> 
> Will test the fix and submit shortly.

Thanks, much appreciated.

...

> Wed, Dec 10, 2025 at 01:51:39PM +0100, horms@kernel.org wrote:
>>On Wed, Dec 10, 2025 at 05:31:05AM +0000, Dharanitharan R wrote:
>>> In __team_queue_override_port_del(), repeated deletion of the same port
>>> using list_del_rcu() could corrupt the RCU-protected qom_list. This
>>> happens if the function is called multiple times on the same port, for
>>> example during port removal or team reconfiguration.
>>> 
>>> This patch replaces list_del_rcu() with list_del_init_rcu() to:
>>> 
>>>   - Ensure safe repeated deletion of the same port
>>>   - Keep the RCU list consistent
>>>   - Avoid potential use-after-free and list corruption issues
>>> 
>>> Testing:
>>>   - Syzbot-reported crash is eliminated in testing.
>>>   - Kernel builds and runs cleanly
>>> 
>>> Fixes: 108f9405ce81 ("team: add queue override configuration mechanism")
>>> Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
>>> Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
>>
>>Thanks for addressing my review of v1.
>>The commit message looks much better to me.
>>
>>However, I am unable to find the cited commit in net.
>>
>>And I am still curious about the cause: are you sure it is repeated deletion?
>
> It looks like it is. But I believe we need to fix the root cause, why
> the list_del is called twice and don't blindly take AI made fix with AI
> made patch description :O
>
> I actually think that following path might the be problematic one:
> 1) Port is enabled, queue_id != 0, in qom_list
> 2) Port gets disabled
> 	-> team_port_disable()
>         -> team_queue_override_port_del()
>         -> del (removed from list)
> 3) Port is disabled, queue_id != 0, not in any list
> 4) Priority changes
>         -> team_queue_override_port_prio_changed()
> 	-> checks: port disabled && queue_id != 0
>         -> calls del - hits the BUG as it is removed already
>
> Will test the fix and submit shortly.
>
> #syz test

This crash does not have a reproducer. I cannot test it.

>
> diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
> index 4d5c9ae8f221..c08a5c1bd6e4 100644
> --- a/drivers/net/team/team_core.c
> +++ b/drivers/net/team/team_core.c
> @@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team)
>  static void team_queue_override_port_prio_changed(struct team *team,
>  						  struct team_port *port)
>  {
> -	if (!port->queue_id || team_port_enabled(port))
> +	if (!port->queue_id || !team_port_enabled(port))
>  		return;
>  	__team_queue_override_port_del(team, port);
>  	__team_queue_override_port_add(team, port);