From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Eric Dumazet <edumazet@google.com>,
syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com,
Eulgyu Kim <eulgyukim@snu.ac.kr>,
Mat Martineau <martineau@kernel.org>,
"Matthieu Baerts (NGI0)" <matttbe@kernel.org>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.1 55/64] mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
Date: Tue, 17 Feb 2026 21:31:51 +0100 [thread overview]
Message-ID: <20260217200009.570553755@linuxfoundation.org> (raw)
In-Reply-To: <20260217200007.505931165@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d upstream.
syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()
and/or mptcp_pm_nl_is_backup()
Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()
which is not RCU ready.
list_splice_init_rcu() can not be called here while holding pernet->lock
spinlock.
Many thanks to Eulgyu Kim for providing a repro and testing our patches.
Fixes: 141694df6573 ("mptcp: remove address when netlink flushes addrs")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/
Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/611
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260124-net-mptcp-race_nl_flush_addrs-v3-1-b2dc1b613e9d@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts because the code has been moved from pm_netlink.c to
pm_kernel.c later on in commit 8617e85e04bd ("mptcp: pm: split
in-kernel PM specific code"). The same modifications can be applied
in pm_netlink.c with one exception, because 'pernet->local_addr_list'
has been renamed to 'pernet->endp_list' in commit 35e71e43a56d
("mptcp: pm: in-kernel: rename 'local_addr_list' to 'endp_list'"). The
previous name is then still being used in this version.
Also, another conflict is caused by commit 7bcf4d8022f9 ("mptcp: pm:
rename helpers linked to 'flush'") which is not in this version:
mptcp_nl_remove_addrs_list() has been renamed to
mptcp_nl_flush_addrs_list(). The previous name has then been kept. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1855,16 +1855,26 @@ static void __reset_counters(struct pm_n
static int mptcp_nl_cmd_flush_addrs(struct sk_buff *skb, struct genl_info *info)
{
struct pm_nl_pernet *pernet = genl_info_pm_nl(info);
- LIST_HEAD(free_list);
+ struct list_head free_list;
spin_lock_bh(&pernet->lock);
- list_splice_init(&pernet->local_addr_list, &free_list);
+ free_list = pernet->local_addr_list;
+ INIT_LIST_HEAD_RCU(&pernet->local_addr_list);
__reset_counters(pernet);
pernet->next_id = 1;
bitmap_zero(pernet->id_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
spin_unlock_bh(&pernet->lock);
- mptcp_nl_remove_addrs_list(sock_net(skb->sk), &free_list);
+
+ if (free_list.next == &pernet->local_addr_list)
+ return 0;
+
synchronize_rcu();
+
+ /* Adjust the pointers to free_list instead of pernet->local_addr_list */
+ free_list.prev->next = &free_list;
+ free_list.next->prev = &free_list;
+
+ mptcp_nl_remove_addrs_list(sock_net(skb->sk), &free_list);
__flush_addrs(&free_list);
return 0;
}
next prev parent reply other threads:[~2026-02-17 20:48 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:30 [PATCH 6.1 00/64] 6.1.164-rc1 review Greg Kroah-Hartman
2026-02-17 20:30 ` [PATCH 6.1 01/64] smb: client: split cached_fid bitfields to avoid shared-byte RMW races Greg Kroah-Hartman
2026-02-17 20:30 ` [PATCH 6.1 02/64] ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths Greg Kroah-Hartman
2026-02-17 20:30 ` [PATCH 6.1 03/64] smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 04/64] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 05/64] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 06/64] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 07/64] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 08/64] nilfs2: Fix potential block overflow that cause system hang Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 09/64] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 10/64] scsi: qla2xxx: Allow recovery for tape devices Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 11/64] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 12/64] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 13/64] gpio: omap: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 14/64] btrfs: fix racy bitfield write in btrfs_clear_space_info_full() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 15/64] net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 16/64] smb: client: set correct id, uid and cruid for multiuser automounts Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 17/64] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 18/64] PCI: endpoint: Automatically create a function specific attributes group Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 19/64] PCI: endpoint: Remove unused field in struct pci_epf_group Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 20/64] PCI: endpoint: Avoid creating sub-groups asynchronously Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 21/64] bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 22/64] bus: fsl-mc: fix use-after-free in driver_override_show() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 23/64] scsi: qla2xxx: Remove dead code (GNN ID) Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 24/64] scsi: qla2xxx: Reduce fabric scan duplicate code Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 25/64] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 26/64] cacheinfo: Decrement refcount in cache_setup_of_node() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 27/64] cacheinfo: Remove of_node_put() for fw_token Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 28/64] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 29/64] ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 30/64] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 31/64] ALSA: hda/realtek: Add quirk for Inspur S14-G1 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 32/64] ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 33/64] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 34/64] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 35/64] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 36/64] ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 37/64] platform/x86: panasonic-laptop: Fix sysfs group leak in error path Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 38/64] ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 39/64] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 40/64] Revert "wireguard: device: enable threaded NAPI" Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 41/64] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 42/64] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 43/64] mptcp: ensure context reset on disconnect() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 44/64] selftests: mptcp: check no dup close events after error Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 45/64] selftests: mptcp: check subflow errors in close events Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 46/64] selftests: mptcp: join: fix local endp not being tracked Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 47/64] xsk: Fix race condition in AF_XDP generic RX path Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 48/64] devlink: rate: Unset parent pointer in devl_rate_nodes_destroy Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 49/64] clk: mediatek: fix of_iomap memory leak Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 50/64] nfsd: dont ignore the return code of svc_proc_register() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 51/64] ksmbd: set ATTR_CTIME flags when setting mtime Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 52/64] ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 53/64] net: stmmac: Fix accessing freed irq affinity_hint Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 54/64] net: dsa: free routing table on probe failure Greg Kroah-Hartman
2026-02-17 20:31 ` Greg Kroah-Hartman [this message]
2026-02-17 20:31 ` [PATCH 6.1 56/64] wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 57/64] cpuset: Fix missing adaptation for cpuset_is_populated Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 58/64] fbdev: rivafb: fix divide error in nv3_arb() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 59/64] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 60/64] f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 61/64] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 62/64] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.1 63/64] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.1 64/64] net: tunnel: make skb_vlan_inet_prepare() return drop reasons Greg Kroah-Hartman
2026-02-17 22:31 ` [PATCH 6.1 00/64] 6.1.164-rc1 review Florian Fainelli
2026-02-18 5:27 ` Peter Schneider
2026-02-18 8:22 ` Jon Hunter
2026-02-18 9:09 ` Brett A C Sheffield
2026-02-18 9:12 ` Pavel Machek
2026-02-18 12:00 ` Mark Brown
2026-02-18 12:44 ` Francesco Dolcini
2026-02-19 6:44 ` Ron Economos
2026-02-19 12:25 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200009.570553755@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=eulgyukim@snu.ac.kr \
--cc=kuba@kernel.org \
--cc=martineau@kernel.org \
--cc=matttbe@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox