CVE-2025-40257

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix a race in mptcppmdeladdtimer()

mptcppmdeladdtimer() can call skstoptimersync(sk, &entry->addtimer) while another might have free entry already, as reported by syzbot.

Add RCU protection to fix this issue.

Also change confusing addtimer variable with stoptimer boolean.

syzbot report:

BUG: KASAN: slab-use-after-free in __timerdeletesync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44

CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcpworker Call Trace: <TASK> dumpstacklvl+0x189/0x250 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xca/0x240 mm/kasan/report.c:482 kasanreport+0x118/0x150 mm/kasan/report.c:595 __timerdeletesync+0x372/0x3f0 kernel/time/timer.c:1616 skstoptimersync+0x1b/0x90 net/core/sock.c:3631 mptcppmdeladdtimer+0x283/0x310 net/mptcp/pm.c:362 mptcpincomingoptions+0x1357/0x1f60 net/mptcp/options.c:1174 tcpdataqueue+0xca/0x6450 net/ipv4/tcpinput.c:5361 tcprcvestablished+0x1335/0x2670 net/ipv4/tcpinput.c:6441 tcpv4dorcv+0x98b/0xbf0 net/ipv4/tcpipv4.c:1931 tcpv4rcv+0x252a/0x2dc0 net/ipv4/tcpipv4.c:2374 ipprotocoldeliverrcu+0x221/0x440 net/ipv4/ipinput.c:205 iplocaldeliverfinish+0x3bb/0x6f0 net/ipv4/ipinput.c:239 NFHOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NFHOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netifreceiveskbonecore net/core/dev.c:6079 [inline] __netifreceiveskb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napipoll+0xb6/0x540 net/core/dev.c:7594 napipoll net/core/dev.c:7657 [inline] net_rxaction+0x5f7/0xda0 net/core/dev.c:7784 handlesoftirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __localbhenableip+0x1a0/0x2e0 kernel/softirq.c:302 mptcppmsendack net/mptcp/pm.c:210 [inline] mptcppmaddrsendack+0x41f/0x500 net/mptcp/pm.c:-1 mptcppmworker+0x174/0x320 net/mptcp/pm.c:1002 mptcpworker+0xd5/0x1170 net/mptcp/protocol.c:2762 processonework kernel/workqueue.c:3263 [inline] processscheduledworks+0xae1/0x17b0 kernel/workqueue.c:3346 workerthread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 retfromfork+0x4bc/0x870 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:245 </TASK>

Allocated by task 44: kasansavestack mm/kasan/common.c:56 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:77 poisonkmallocredzone mm/kasan/common.c:400 [inline] __kasankmalloc+0x93/0xb0 mm/kasan/common.c:417 kasankmalloc include/linux/kasan.h:262 [inline] __kmalloccachenoprof+0x1ef/0x6c0 mm/slub.c:5748 kmallocnoprof include/linux/slab.h:957 [inline] mptcppmallocannolist+0x104/0x460 net/mptcp/pm.c:385 mptcppmcreatesubfloworsignaladdr+0xf9d/0x1360 net/mptcp/pmkernel.c:355 mptcppmnlfullyestablished net/mptcp/pm_kernel.c:409 [inline] __mptcppmkernelworker+0x417/0x1ef0 net/mptcp/pmkernel.c:1529 mptcppmworker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcpworker+0xd5/0x1170 net/mptcp/protocol.c:2762 processonework kernel/workqueue.c:3263 [inline] processscheduledworks+0xae1/0x17b0 kernel/workqueue.c:3346 workerthread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 retfromfork+0x4bc/0x870 arch/x86/kernel/process.c:158 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:245

Freed by task 6630: kasansavestack mm/kasan/common.c:56 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:77 __kasansavefreeinfo+0x46/0x50 mm/kasan/generic.c:587 kasansavefreeinfo mm/kasan/kasan.h:406 [inline] poisonslabobject m ---truncated---