From: Geliang Tang <tanggeliang@xxxxxxxxxx> commit 99635c91fb8b860a6404b9bc8b769df7bdaa2ae3 upstream. The local address entries on userspace_pm_local_addr_list are allocated by sock_kmalloc(). It's then required to use sock_kfree_s() instead of kfree() to free these entries in order to adjust the allocated size on the sk side. Fixes: 24430f8bf516 ("mptcp: add address into userspace pm list") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Geliang Tang <tanggeliang@xxxxxxxxxx> Reviewed-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx> Link: https://patch.msgid.link/20241104-net-mptcp-misc-6-12-v1-2-c13f2ff1656f@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/mptcp/pm_userspace.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/mptcp/pm_userspace.c +++ b/net/mptcp/pm_userspace.c @@ -89,6 +89,7 @@ static int mptcp_userspace_pm_delete_loc struct mptcp_pm_addr_entry *addr) { struct mptcp_pm_addr_entry *entry, *tmp; + struct sock *sk = (struct sock *)msk; list_for_each_entry_safe(entry, tmp, &msk->pm.userspace_pm_local_addr_list, list) { if (mptcp_addresses_equal(&entry->addr, &addr->addr, false)) { @@ -96,7 +97,7 @@ static int mptcp_userspace_pm_delete_loc * be used multiple times (e.g. fullmesh mode). */ list_del_rcu(&entry->list); - kfree(entry); + sock_kfree_s(sk, entry, sizeof(*entry)); msk->pm.local_addr_used--; return 0; } Patches currently in stable-queue which might be from tanggeliang@xxxxxxxxxx are queue-6.1/mptcp-use-sock_kfree_s-instead-of-kfree.patch