From 024ae02cc138122660dcd3adb0498ed216ccd4c3 Mon Sep 17 00:00:00 2001
From: Ksawlii
Date: Sun, 24 Nov 2024 00:23:32 +0100
Subject: [PATCH] Revert "mptcp: pm: Fix uaf in __timer_delete_sync"

This reverts commit a40e9b4e790f18e197a8caa6d4b32eb945692d93.
---
 net/mptcp/pm_netlink.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
index bd03fb6df..f4f5cc768 100755
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -253,21 +253,15 @@ mptcp_pm_del_add_timer(struct mptcp_sock *msk,
 {
 struct mptcp_pm_add_entry *entry;
 struct sock *sk = (struct sock *)msk;
- struct timer_list *add_timer = NULL;
 spin_lock_bh(&msk->pm.lock);
 entry = mptcp_lookup_anno_list_by_saddr(msk, addr);
- if (entry && (!check_id || entry->addr.id == addr->id)) {
+ if (entry && (!check_id || entry->addr.id == addr->id))
 entry->retrans_times = ADD_ADDR_RETRANS_MAX;
- add_timer = &entry->add_timer;
- }
- if (!check_id && entry)
- list_del(&entry->list);
 spin_unlock_bh(&msk->pm.lock);
- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */
- if (add_timer)
- sk_stop_timer_sync(sk, add_timer);
+ if (entry && (!check_id || entry->addr.id == addr->id))
+ sk_stop_timer_sync(sk, &entry->add_timer);
 return entry;
 }
@@ -772,6 +766,7 @@ static bool remove_anno_list_by_saddr(struct mptcp_sock *msk,
 entry = mptcp_pm_del_add_timer(msk, addr, false);
 if (entry) {
+ list_del(&entry->list);
 kfree(entry);
 return true;
 }
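Review bot: After this revert, `mptcp_pm_del_add_timer()` reads `entry->addr.id` and takes `&entry->add_timer` after `spin_unlock_bh(&msk->pm.lock)`, and the entry is still linked on the list at that point because `list_del(&entry->list)` moves back into `remove_anno_list_by_saddr()` (second hunk), where no lock is visible around it. That appears to reopen the window the reverted commit's subject calls a use-after-free: a concurrent path that looks up the same entry could unlink and `kfree()` it while this function is still dereferencing it or stopping its timer. The description gives no reason for the revert; if it is needed for some other reason, that should be stated. Otherwise the safer shape is to capture the pointer and unlink inside the critical section, `add_timer = &entry->add_timer;` and `if (!check_id && entry) list_del(&entry->list);` before the unlock, and to touch no `entry->` field afterwards. Both functions start outside their hunks, so the callers' locking should be confirmed against the full file.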