From: Mat Martineau <martineau@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Matthieu Baerts <matttbe@kernel.org>,
Geliang Tang <geliang.tang@linux.dev>,
Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org, mptcp@lists.linux.dev,
eric.dumazet@gmail.com,
syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com,
Eulgyu Kim <eulgyukim@snu.ac.kr>,
Geliang Tang <geliang@kernel.org>
Subject: Re: [PATCH v2 net] mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
Date: Fri, 23 Jan 2026 13:43:05 -0800 (PST) [thread overview]
Message-ID: <36367d05-e05f-c86b-7125-e98b529f9d0c@kernel.org> (raw)
In-Reply-To: <20260123030327.3041148-1-edumazet@google.com>
On Fri, 23 Jan 2026, Eric Dumazet wrote:
> syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()
> and/or mptcp_pm_nl_is_backup()
>
> Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()
> which is not RCU ready.
>
> list_splice_init_rcu() can not be called here while holding pernet->lock
> spinlock.
>
> Many thanks to Eulgyu Kim for providing a repro and testing our patches.
>
> Fixes: 141694df6573 ("mptcp: remove address when netlink flushes addrs")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/
> Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
> Cc: Geliang Tang <geliang@kernel.org>
> ---
> v2: Make sure the list was not empty, return early otherwise.
Thanks Eric, the v2 code changes LGTM. The netdev tooling wasn't able to
apply the patch
(https://patchwork.kernel.org/project/netdevbpf/patch/20260123030327.3041148-1-edumazet@google.com/),
so Matthieu is planning to send a basically-identical v3 that 'git am' and
the netdev CI will be happy with.
Reviewed-by: Mat Martineau <martineau@kernel.org>
> v1: https://lore.kernel.org/netdev/20260122131306.2119853-1-edumazet@google.com/
>
> net/mptcp/pm_kernel.c | 18 +++++++++++++++---
> 1 file changed, 15 insertions(+), 3 deletions(-)
>
> diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c
> index 57570a44e4185370f531047fe97ce9f9fbd1480b..af23be6658ded4860133bb9495c7738014815d28 100644
> --- a/net/mptcp/pm_kernel.c
> +++ b/net/mptcp/pm_kernel.c
> @@ -1294,16 +1294,28 @@ static void __reset_counters(struct pm_nl_pernet *pernet)
> int mptcp_pm_nl_flush_addrs_doit(struct sk_buff *skb, struct genl_info *info)
> {
> struct pm_nl_pernet *pernet = genl_info_pm_nl(info);
> - LIST_HEAD(free_list);
> + struct list_head free_list;
>
> spin_lock_bh(&pernet->lock);
> - list_splice_init(&pernet->endp_list, &free_list);
> +
> + free_list = pernet->endp_list;
> + INIT_LIST_HEAD_RCU(&pernet->endp_list);
> +
> __reset_counters(pernet);
> pernet->next_id = 1;
> bitmap_zero(pernet->id_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
> spin_unlock_bh(&pernet->lock);
> - mptcp_nl_flush_addrs_list(sock_net(skb->sk), &free_list);
> +
> + if (free_list.next == &pernet->endp_list)
> + return 0;
> +
> synchronize_rcu();
> +
> + /* Adjust the pointers to free_list instead of pernet->endp_list */
> + free_list.prev->next = &free_list;
> + free_list.next->prev = &free_list;
> +
> + mptcp_nl_flush_addrs_list(sock_net(skb->sk), &free_list);
> __flush_addrs(&free_list);
> return 0;
> }
> --
> 2.52.0.457.g6b5491de43-goog
>
>
next prev parent reply other threads:[~2026-01-23 21:43 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-23 3:03 [PATCH v2 net] mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() Eric Dumazet
2026-01-23 11:03 ` MPTCP CI
2026-01-23 11:36 ` Eric Dumazet
2026-01-23 13:33 ` Matthieu Baerts
2026-01-23 21:43 ` Mat Martineau [this message]
2026-01-24 11:17 ` Matthieu Baerts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=36367d05-e05f-c86b-7125-e98b529f9d0c@kernel.org \
--to=martineau@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=eulgyukim@snu.ac.kr \
--cc=fw@strlen.de \
--cc=geliang.tang@linux.dev \
--cc=geliang@kernel.org \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=matttbe@kernel.org \
--cc=mptcp@lists.linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.