From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
To: mptcp@lists.linux.dev, stable@vger.kernel.org,
gregkh@linuxfoundation.org
Cc: Paolo Abeni <pabeni@redhat.com>,
sashal@kernel.org, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
Subject: [PATCH 6.1.y 3/6] mptcp: ensure context reset on disconnect()
Date: Wed, 11 Feb 2026 20:06:21 +0100 [thread overview]
Message-ID: <20260211190617.77192-11-matttbe@kernel.org> (raw)
In-Reply-To: <20260211190617.77192-8-matttbe@kernel.org>
From: Paolo Abeni <pabeni@redhat.com>
commit 86730ac255b0497a272704de9a1df559f5d6602e upstream.
After the blamed commit below, if the MPC subflow is already in TCP_CLOSE
status or has fallback to TCP at mptcp_disconnect() time,
mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later
__mptcp_close_ssk() does not reset anymore the related subflow context.
Any later connection will be created with both the `request_mptcp` flag
and the msk-level fallback status off (it is unconditionally cleared at
MPTCP disconnect time), leading to a warning in subflow_data_ready():
WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Modules linked in:
CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09
RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435
RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005
RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b
R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0
Call Trace:
<TASK>
tcp_data_ready (net/ipv4/tcp_input.c:5356)
tcp_data_queue (net/ipv4/tcp_input.c:5445)
tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)
tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
__release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))
release_sock (net/core/sock.c:3737)
mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)
inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))
__sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))
__x64_sys_sendto (net/socket.c:2247)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f883326702d
Address the issue setting an explicit `fastclosing` flag at fastclose
time, and checking such flag after mptcp_do_fastclose().
Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251212-net-mptcp-subflow_data_ready-warn-v1-2-d1f9fd1c36c8@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflicts in protocol.[ch] because the context has changed. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
---
net/mptcp/protocol.c | 9 ++++++---
net/mptcp/protocol.h | 3 ++-
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index ad0bfdd308be..5274b19a5dbd 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2456,10 +2456,10 @@ bool __mptcp_retransmit_pending_data(struct sock *sk)
*/
static void __mptcp_subflow_disconnect(struct sock *ssk,
struct mptcp_subflow_context *subflow,
- unsigned int flags)
+ bool fastclosing)
{
if (((1 << ssk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
- subflow->send_fastclose) {
+ fastclosing) {
/* The MPTCP code never wait on the subflow sockets, TCP-level
* disconnect should never fail
*/
@@ -2511,7 +2511,7 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk,
need_push = (flags & MPTCP_CF_PUSH) && __mptcp_retransmit_pending_data(sk);
if (!dispose_it) {
- __mptcp_subflow_disconnect(ssk, subflow, flags);
+ __mptcp_subflow_disconnect(ssk, subflow, msk->fastclosing);
if (msk->subflow && ssk == msk->subflow->sk)
msk->subflow->state = SS_UNCONNECTED;
release_sock(ssk);
@@ -2802,6 +2802,8 @@ static void mptcp_do_fastclose(struct sock *sk)
struct mptcp_subflow_context *subflow, *tmp;
struct mptcp_sock *msk = mptcp_sk(sk);
+ msk->fastclosing = 1;
+
/* Explicitly send the fastclose reset as need */
if (__mptcp_check_fallback(msk))
return;
@@ -3290,6 +3292,7 @@ static int mptcp_disconnect(struct sock *sk, int flags)
WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk)));
mptcp_pm_data_reset(msk);
mptcp_ca_reset(sk);
+ msk->fastclosing = 0;
WRITE_ONCE(sk->sk_shutdown, 0);
sk_error_report(sk);
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index 6575712c789e..dd5070d57d74 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -289,7 +289,8 @@ struct mptcp_sock {
nodelay:1,
fastopening:1,
in_accept_queue:1,
- free_first:1;
+ free_first:1,
+ fastclosing:1;
int keepalive_cnt;
int keepalive_idle;
int keepalive_intvl;
--
2.51.0
next prev parent reply other threads:[~2026-02-11 19:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 19:06 [PATCH 6.1.y 0/6] mptcp: fix recent failed backports (20260211) Matthieu Baerts (NGI0)
2026-02-11 19:06 ` [PATCH 6.1.y 1/6] selftests: mptcp: pm: ensure unknown flags are ignored Matthieu Baerts (NGI0)
2026-02-17 12:28 ` Patch "selftests: mptcp: pm: ensure unknown flags are ignored" has been added to the 6.1-stable tree gregkh
2026-02-11 19:06 ` [PATCH 6.1.y 2/6] mptcp: schedule rtx timer only after pushing data Matthieu Baerts (NGI0)
2026-02-17 12:28 ` Patch "mptcp: schedule rtx timer only after pushing data" has been added to the 6.1-stable tree gregkh
2026-02-11 19:06 ` Matthieu Baerts (NGI0) [this message]
2026-02-17 12:28 ` Patch "mptcp: ensure context reset on disconnect()" " gregkh
2026-02-11 19:06 ` [PATCH 6.1.y 4/6] selftests: mptcp: check no dup close events after error Matthieu Baerts (NGI0)
2026-02-17 12:28 ` Patch "selftests: mptcp: check no dup close events after error" has been added to the 6.1-stable tree gregkh
2026-02-11 19:06 ` [PATCH 6.1.y 5/6] selftests: mptcp: check subflow errors in close events Matthieu Baerts (NGI0)
2026-02-17 12:28 ` Patch "selftests: mptcp: check subflow errors in close events" has been added to the 6.1-stable tree gregkh
2026-02-11 19:06 ` [PATCH 6.1.y 6/6] selftests: mptcp: join: fix local endp not being tracked Matthieu Baerts (NGI0)
2026-02-17 12:28 ` Patch "selftests: mptcp: join: fix local endp not being tracked" has been added to the 6.1-stable tree gregkh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260211190617.77192-11-matttbe@kernel.org \
--to=matttbe@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=mptcp@lists.linux.dev \
--cc=pabeni@redhat.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.