From: Geliang Tang <tanggeliang@xxxxxxxxxx>

commit f642c5c4d528d11bd78b6c6f84f541cd3c0bea86 upstream.

When traversing userspace_pm_local_addr_list and deleting an entry from it in mptcp_pm_nl_remove_doit(), msk->pm.lock should be held.

This patch holds this lock before mptcp_userspace_pm_lookup_addr_by_id() and releases it after list_move() in mptcp_pm_nl_remove_doit().

Fixes: d9a4594edabf ("mptcp: netlink: Add MPTCP_PM_CMD_REMOVE")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Geliang Tang <tanggeliang@xxxxxxxxxx>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>
Link: https://patch.msgid.link/20241112-net-mptcp-misc-6-12-pm-v1-2-b835580cefa8@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/mptcp/pm_userspace.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -326,14 +326,17 @@ int mptcp_nl_cmd_remove(struct sk_buff * lock_sock(sk); + spin_lock_bh(&msk->pm.lock); match = mptcp_userspace_pm_lookup_addr_by_id(msk, id_val); if (!match) { GENL_SET_ERR_MSG(info, "address with specified id not found"); + spin_unlock_bh(&msk->pm.lock); release_sock(sk); goto remove_err; } list_move(&match->list, &free_list); + spin_unlock_bh(&msk->pm.lock); mptcp_pm_remove_addrs(msk, &free_list); Patches currently in stable-queue which might be from matttbe@xxxxxxxxxx are queue-6.1/mptcp-pm-use-_rcu-variant-under-rcu_read_lock.patch queue-6.1/mptcp-error-out-earlier-on-disconnect.patch queue-6.1/mptcp-hold-pm-lock-when-deleting-entry.patch queue-6.1/mptcp-cope-racing-subflow-creation-in-mptcp_rcv_space_adjust.patch queue-6.1/mptcp-drop-lookup_by_id-in-lookup_addr.patch queue-6.1/mptcp-add-userspace_pm_lookup_addr_by_id-helper.patch queue-6.1/mptcp-define-more-local-variables-sk.patch queue-6.1/mptcp-update-local-address-flags-when-setting-it.patch
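Review bot: the commit message names mptcp_pm_nl_remove_doit(), but the hunk header in this 6.1 backport shows the function as `int mptcp_nl_cmd_remove(struct sk_buff *`; a one-line note in the backport that the function was renamed upstream would save readers of the stable tree from looking for a symbol that does not exist in 6.1. The locking itself is consistent: spin_lock_bh() is taken after lock_sock(sk) and released before release_sock(sk) on the not-found path (`spin_unlock_bh(&msk->pm.lock); release_sock(sk); goto remove_err;`), so the sock lock stays the outer lock on both exits, and dropping pm.lock right after list_move() before mptcp_pm_remove_addrs() keeps the critical section limited to the list traversal and unlink that the race is about. Worth confirming before merge that mptcp_userspace_pm_lookup_addr_by_id() does nothing that can sleep, since it now runs under a BH spinlock; nothing in the visible lines shows its body.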