From: Matthieu Baerts <matttbe@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Mat Martineau <martineau@kernel.org>,
Geliang Tang <geliang.tang@linux.dev>,
Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org, eric.dumazet@gmail.com,
syzbot+355158e7e301548a1424@syzkaller.appspotmail.com,
"David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
MPTCP Linux <mptcp@lists.linux.dev>
Subject: Re: [PATCH net] mptcp: fix race condition in mptcp_schedule_work()
Date: Thu, 13 Nov 2025 18:35:31 +0100
Message-ID: <2a8efd6f-34d5-480f-8ca1-efef2959fffd@kernel.org>
In-Reply-To: <20251113103924.3737425-1-edumazet@google.com>

Hi Eric,

(+cc MPTCP ML)

On 13/11/2025 11:39, Eric Dumazet wrote:
> syzbot reported use-after-free in mptcp_schedule_work() [1]
>
> Issue here is that mptcp_schedule_work() schedules a work,
> then gets a refcount on sk->sk_refcnt if the work was scheduled.
> This refcount will be released by mptcp_worker().
>
> [A] if (schedule_work(...)) {
> [B] sock_hold(sk);
> return true;
> }
>
> Problem is that mptcp_worker() can run immediately and complete before [B]
>
> We need instead:
>
> sock_hold(sk);
> if (schedule_work(...))
> return true;
> sock_put(sk);

Thank you for having released the syzbot issue with the fix! That's way
easier for us when the fix is provided with the bug report! :-D

The modifications look good to me:

Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>

This patch can be applied to -net directly, ideally with:

Cc: stable@vger.kernel.org

(Just for me to be able to track issues with the backports. If it cannot
be added, I can also track it "manually" if preferred.)

Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
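The ordering problem Eric describes above, worked through as an added C model. This is not kernel code and not part of the thread: the "socket" is a plain struct with a counter, `schedule_work_model()` stands in for `schedule_work()` and always lets the worker run to completion before the caller continues (the worst case for the race), and "freed" is recorded as a flag rather than by calling `free()`, so the model itself stays memory-safe while showing which ordering lets the last reference disappear under the caller.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the refcount race from the bug report. Not kernel
 * code: the socket is a plain struct and "freeing" sets a flag instead of
 * releasing memory, so the demonstration is memory-safe.
 */
struct sock {
	int refcnt;   /* stands in for sk->sk_refcnt */
	bool freed;   /* set when the last reference is dropped */
};

struct outcome {
	bool scheduled;  /* what the schedule function returned */
	int refcnt;      /* reference count after the sequence */
	bool freed;      /* object released while a user still expected it alive */
};

static void sock_hold(struct sock *sk)
{
	sk->refcnt++;
}

static void sock_put(struct sock *sk)
{
	if (--sk->refcnt == 0)
		sk->freed = true;
}

/* The worker releases the reference the scheduler took on its behalf. */
static void mptcp_worker(struct sock *sk)
{
	sock_put(sk);
}

/*
 * Model of schedule_work(): returns false when the work is already queued.
 * Otherwise this model picks the worst case for the race and runs the
 * worker to completion before the caller reaches its next statement.
 */
static bool schedule_work_model(struct sock *sk, bool already_pending)
{
	if (already_pending)
		return false;
	mptcp_worker(sk);
	return true;
}

/* Ordering from the bug report: the hold is taken only after scheduling. */
static bool buggy_schedule_work(struct sock *sk, bool already_pending)
{
	if (schedule_work_model(sk, already_pending)) {
		sock_hold(sk);  /* the worker may already have dropped the last ref */
		return true;
	}
	return false;
}

/* Ordering from the fix: hold first, undo it if nothing was scheduled. */
static bool fixed_schedule_work(struct sock *sk, bool already_pending)
{
	sock_hold(sk);
	if (schedule_work_model(sk, already_pending))
		return true;
	sock_put(sk);
	return false;
}

/* Start from a single live reference (the caller's) and run one ordering. */
static struct outcome run(bool (*schedule)(struct sock *, bool), bool already_pending)
{
	struct sock sk = { .refcnt = 1, .freed = false };
	struct outcome o;

	o.scheduled = schedule(&sk, already_pending);
	o.refcnt = sk.refcnt;
	o.freed = sk.freed;
	return o;
}

struct outcome run_buggy(bool already_pending)
{
	return run(buggy_schedule_work, already_pending);
}

struct outcome run_fixed(bool already_pending)
{
	return run(fixed_schedule_work, already_pending);
}

int main(void)
{
	struct outcome b = run_buggy(false), f = run_fixed(false);

	printf("buggy order: refcnt=%d freed=%d\n", b.refcnt, b.freed);
	printf("fixed order: refcnt=%d freed=%d\n", f.refcnt, f.freed);
	return 0;
}
```

The buggy ordering ends with the counter back at 1, which is exactly why the bug is subtle: the counter looks balanced, but the worker's `sock_put()` consumed the caller's only reference before `sock_hold()` ran, so the hold was a write to an already released object. With the fixed ordering the count never reaches zero, and the `already_pending` case shows why the fix needs the trailing `sock_put()`: when `schedule_work()` declines to queue, the speculative hold is undone and the count returns to 1.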
Thread overview:
2025-11-13 10:39 [PATCH net] mptcp: fix race condition in mptcp_schedule_work() Eric Dumazet
2025-11-13 17:35 ` Matthieu Baerts [this message]
2025-11-15 2:20 ` patchwork-bot+netdevbpf