From: Matthieu Baerts <matttbe@kernel.org>
To: Eric Dumazet <edumazet@google.com>
Cc: Mat Martineau <martineau@kernel.org>,
Geliang Tang <geliang.tang@linux.dev>,
Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org, eric.dumazet@gmail.com,
syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com,
Geliang Tang <geliang@kernel.org>,
MPTCP Linux <mptcp@lists.linux.dev>,
"David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Subject: Re: [PATCH v2 net] mptcp: fix a race in mptcp_pm_del_add_timer()
Date: Mon, 17 Nov 2025 11:15:06 +0100 [thread overview]
Message-ID: <c378da30-4916-4fd6-8981-4ab2ffa17482@kernel.org> (raw)
In-Reply-To: <20251117100745.1913963-1-edumazet@google.com>
Hi Eric,
(+cc MPTCP ML)
On 17/11/2025 11:07, Eric Dumazet wrote:
> mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
> while another might have free entry already, as reported by syzbot.
>
> Add RCU protection to fix this issue.
Thank you for the report and even more for the fix!
> Also change confusing add_timer variable with stop_timer boolean.
Indeed, this name was confusing: 'add_timer' is in fact a (too) short
version of "additional address signalling retransmission timer". This
new 'stop_timer' boolean makes sense!
> syzbot report:
(...)
> Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
> Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/691ad3c3.a70a0220.f6df1.0004.GAE@google.com/
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Geliang Tang <geliang@kernel.org>
The modification looks good to me:
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
While at it, just to help me to manage the backports:
Cc: stable@vger.kernel.org
> v2: Updated/Added Reported-by:/Closes: tags now syzbot report finally reached netdev@ mailing list.
Out of curiosity, is it not OK to reply to the patch with the new
Reported-by & Closes tags to have them automatically added when applying
the patch? (I was going to do that on the v1, then I saw the v2 just
when I was going to press 'Send' :) )
I don't mind having a v2, it is just to save you time later, but maybe
there is another reason.
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
next prev parent reply other threads:[~2025-11-17 10:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-17 10:07 [PATCH v2 net] mptcp: fix a race in mptcp_pm_del_add_timer() Eric Dumazet
2025-11-17 10:15 ` Matthieu Baerts [this message]
2025-11-17 10:21 ` Eric Dumazet
2025-11-17 10:42 ` Matthieu Baerts
2025-11-18 1:05 ` Jakub Kicinski
2025-11-18 2:35 ` Matthieu Baerts
2025-11-19 3:20 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c378da30-4916-4fd6-8981-4ab2ffa17482@kernel.org \
--to=matttbe@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=fw@strlen.de \
--cc=geliang.tang@linux.dev \
--cc=geliang@kernel.org \
--cc=kuba@kernel.org \
--cc=martineau@kernel.org \
--cc=mptcp@lists.linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.