From: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx> commit db3eab8110bc0520416101b6a5b52f44a43fb4cf upstream. In mptcp_pm_create_subflow_or_signal_addr(), rcu_read_(un)lock() are used as expected to iterate over the list of local addresses, but list_for_each_entry() was used instead of list_for_each_entry_rcu() in __lookup_addr(). It is important to use this variant which adds the required READ_ONCE() (and diagnostic checks if enabled). Because __lookup_addr() is also used in mptcp_pm_nl_set_flags() where it is called under the pernet->lock and not rcu_read_lock(), an extra condition is then passed to help the diagnostic checks making sure either the associated spin lock or the RCU lock is held. Fixes: 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk") Cc: stable@xxxxxxxxxxxxxxx Reviewed-by: Geliang Tang <geliang@xxxxxxxxxx> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx> Link: https://patch.msgid.link/20241112-net-mptcp-misc-6-12-pm-v1-3-b835580cefa8@xxxxxxxxxx Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/mptcp/pm_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -520,7 +520,8 @@ __lookup_addr(struct pm_nl_pernet *perne { struct mptcp_pm_addr_entry *entry; - list_for_each_entry(entry, &pernet->local_addr_list, list) { + list_for_each_entry_rcu(entry, &pernet->local_addr_list, list, + lockdep_is_held(&pernet->lock)) { if (mptcp_addresses_equal(&entry->addr, info, entry->addr.port)) return entry; } Patches currently in stable-queue which might be from matttbe@xxxxxxxxxx are queue-6.11/mptcp-pm-use-_rcu-variant-under-rcu_read_lock.patch queue-6.11/mptcp-error-out-earlier-on-disconnect.patch queue-6.11/mptcp-hold-pm-lock-when-deleting-entry.patch queue-6.11/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_spac.patch queue-6.11/mptcp-update-local-address-flags-when-setting-it.patch
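Review bot: the locking contract behind the new fourth argument to list_for_each_entry_rcu() in __lookup_addr() is not documented at the function itself. The caller must hold either rcu_read_lock() or pernet->lock, but lockdep_is_held(&pernet->lock) only enforces that on kernels built with the diagnostic checks enabled. Consider a short comment above __lookup_addr() stating that requirement. It should also say that the returned entry may only be dereferenced while that same protection is still held, because the function returns a pointer into pernet->local_addr_list rather than a copy.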