From: Matthieu Baerts <matttbe@kernel.org>
To: Li Xiasong <xiasonglee@gmail.com>, mptcp@lists.linux.dev
Cc: lixiasong1@huawei.com
Subject: Re: [PATCH mptcp-net 2/2] mptcp: use sk_shutdown_timer_sync() for add_addr timer teardown
Date: Wed, 27 May 2026 14:44:52 +1000
Message-ID: <d5c58002-fbef-451f-aedc-1bdda5ebc9bd@kernel.org>
In-Reply-To: <20260526103647.732350-3-xiasong.lee@gmail.com>

Hi Li,

On 26/05/2026 20:36, Li Xiasong wrote:
> From: Li Xiasong <lixiasong1@huawei.com>
>
> Sashiko reported a possible use-after-free in add_addr timer teardown.
>
> The add_addr timer callback can re-arm itself on the sock_owned_by_user()
> path. In final teardown paths, sk_stop_timer_sync() only waits for a
> running callback to finish, but does not prevent a concurrent callback
> from re-arming the timer.
>
> Use sk_shutdown_timer_sync() for add_addr timer teardown so the timer
> cannot be re-armed after teardown starts, preventing a possible
> use-after-free on a freed add entry.

Sashiko is saying that if sk_reset_timer() is called after
sk_shutdown_timer_sync(), it will not re-arm the timer, but in this
case, mod_timer() will also return 0, and the socket refcount will be
incremented.

https://sashiko.dev/#/patchset/20260526103647.732350-1-xiasong.lee%40gmail.com

It is not clear to me how to solve that without checking whether
timer->function is set or not after having called mod_timer(), because
that seems quite hackish...

Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
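
The refcount imbalance discussed in the message above, as a userspace C model added here (not kernel code and not taken from the patch series). It assumes sk_reset_timer() takes a socket reference whenever mod_timer() returns 0, and that the shutdown helper drops the pending timer's reference and clears timer->function; every model_* name, the structs and leaked_refs() are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

struct timer_model { void (*function)(void *); bool pending; };
struct sock_model  { int refcnt; struct timer_model timer; };
static void add_timer_cb(void *arg) { (void)arg; }

/* Models mod_timer(): 1 if a pending timer was modified, 0 if newly armed.
 * A shut-down timer (function == NULL) is not armed and also yields 0. */
static int model_mod_timer(struct timer_model *t)
{
    int was_pending = t->pending;
    if (!t->function)
        return 0;
    t->pending = true;
    return was_pending;
}

/* Models sk_reset_timer(): a 0 return takes a socket reference for the timer.
 * check_function adds the timer->function test mentioned in the reply. */
static void model_sk_reset_timer(struct sock_model *sk, bool check_function)
{
    if (model_mod_timer(&sk->timer) || (check_function && !sk->timer.function))
        return;
    sk->refcnt++;
}

/* Assumed helper shape: cancel, drop the pending timer's ref, forbid re-arm. */
static void model_shutdown_timer_sync(struct sock_model *sk)
{
    if (sk->timer.pending) { sk->timer.pending = false; sk->refcnt--; }
    sk->timer.function = NULL;
}

/* References left over after teardown followed by a late re-arm attempt. */
static int leaked_refs(bool check_function)
{
    struct sock_model sk = { .refcnt = 1, .timer = { add_timer_cb, false } };
    model_sk_reset_timer(&sk, check_function);  /* normal arm: refcnt 2 */
    model_shutdown_timer_sync(&sk);             /* teardown: refcnt 1 */
    model_sk_reset_timer(&sk, check_function);  /* late re-arm attempt */
    return sk.refcnt - 1;                       /* the owner holds 1 */
}

int main(void)
{
    printf("leaked: %d, with check: %d\n", leaked_refs(false), leaked_refs(true));
    return 0;
}
```

In the model, the late call leaves one reference that no timer callback will ever drop; the model is single-threaded and does not reproduce the locking the real timer code relies on.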