From 7a33b90b3cdcf26e4a73bee9e89a4fe670eee167 Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Sun, 19 Oct 2025 23:17:55 +0200 Subject: [PATCH] BUG/MEDIUM: mt_list: Make sure not to unlock the element twice In mt_list_delete(), if the element was not in a list, then n and p will point to it, and so setting n->prev and n->next will be enough to unlock it. Don't do it twice, as once it's been done the first time, another thread may be working with it, and may have added it to a list already, and doing it a second time can lead to list inconsistencies. This should be backported up to 2.8. --- include/import/mt_list.h | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/include/import/mt_list.h b/include/import/mt_list.h index 8b27e53d9..b1eb7244f 100644 --- a/include/import/mt_list.h +++ b/include/import/mt_list.h @@ -635,8 +635,17 @@ static MT_INLINE long mt_list_delete(struct mt_list *el) p->next = n; __atomic_thread_fence(__ATOMIC_RELEASE); - el->prev = el->next = el; - __atomic_thread_fence(__ATOMIC_RELEASE); + /* + * If the element was not in the list, then n and p + * pointed to it already, and it is unlocked. + * If this is the case, we don't want to do it again, + * because at this point it has been unlocked and + * somebody may be using it already. + */ + if (el != n) { + el->prev = el->next = el; + __atomic_thread_fence(__ATOMIC_RELEASE); + } if (p != el && n != el) ret = 1;