net/mptcp/pm_userspace.c | 18 +++++++++++++----- net/mptcp/protocol.h | 2 ++ 2 files changed, 15 insertions(+), 5 deletions(-)
From: Geliang Tang <tanggeliang@kylinos.cn>
In mptcp_pm_nl_remove_doit(), sk_omem_alloc is decremented immediately
but the memory is freed later via kfree_rcu(). This allows a CAP_NET_ADMIN
user to bypass the socket memory quota and exhaust kernel memory by
accumulating RCU callbacks.
Fix by using call_rcu() with a custom callback that uses sock_kfree_s()
to free the entry and decrement sk_omem_alloc atomically. To ensure the
socket remains valid until the callback runs, take a reference with
sock_hold() when storing the socket pointer in the entry, and release it
with sock_put() in the callback.
Fixes: 13b4ece33cf9 ("mptcp: pm: Defer freeing of MPTCP userspace path manager entries")
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
---
This patch addresses the pre-existing issue Sashiko mentioned in
https://sashiko.dev/#/patchset/cover.1782457962.git.tanggeliang@kylinos.cn.
---
net/mptcp/pm_userspace.c | 18 +++++++++++++-----
net/mptcp/protocol.h | 2 ++
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
index ad6ba658e5a5..7bd20e833d02 100644
--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -73,6 +73,8 @@ static int mptcp_userspace_pm_append_new_local_addr(struct mptcp_sock *msk,
ret = -ENOMEM;
goto append_err;
}
+ sock_hold(sk);
+ e->sk = sk;
if (!e->addr.id && needs_id)
e->addr.id = find_next_zero_bit(id_bitmap,
@@ -294,6 +296,16 @@ void mptcp_pm_remove_addr_entry(struct mptcp_sock *msk,
spin_unlock_bh(&msk->pm.lock);
}
+static void mptcp_userspace_pm_free_entry(struct rcu_head *head)
+{
+ struct mptcp_pm_addr_entry *entry =
+ container_of(head, struct mptcp_pm_addr_entry, rcu);
+ struct sock *sk = entry->sk;
+
+ sock_kfree_s(sk, entry, sizeof(*entry));
+ sock_put(sk);
+}
+
int mptcp_pm_nl_remove_doit(struct sk_buff *skb, struct genl_info *info)
{
struct mptcp_pm_addr_entry *match;
@@ -337,11 +349,7 @@ int mptcp_pm_nl_remove_doit(struct sk_buff *skb, struct genl_info *info)
release_sock(sk);
- kfree_rcu_mightsleep(match);
- /* Adjust sk_omem_alloc like sock_kfree_s() does, to match
- * with allocation of this memory by sock_kmemdup()
- */
- atomic_sub(sizeof(*match), &sk->sk_omem_alloc);
+ call_rcu(&match->rcu, mptcp_userspace_pm_free_entry);
err = 0;
out:
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index da40c6f3705f..250736eae0be 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -257,6 +257,8 @@ struct mptcp_pm_addr_entry {
u32 flags;
int ifindex;
struct socket *lsk;
+ struct sock *sk;
+ struct rcu_head rcu;
};
struct mptcp_data_frag {
--
2.53.0
Hi Geliang,
Thank you for your modifications, that's great!
Our CI did some validations and here is its report:
- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Critical: KMemLeak ❌
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/28276882965
Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/efda26b4660e
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1117332
If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:
$ cd [kernel source code]
$ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
--pull always mptcp/mptcp-upstream-virtme-docker:latest \
auto-normal
For more details:
https://github.com/multipath-tcp/mptcp-upstream-virtme-docker
Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)
Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)
© 2016 - 2026 Red Hat, Inc.