From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Paolo Abeni <pabeni@redhat.com>,
	"Matthieu Baerts (NGI0)" <matttbe@kernel.org>
Subject: [PATCH 6.1 43/64] mptcp: ensure context reset on disconnect()
Date: Tue, 17 Feb 2026 21:31:39 +0100
Message-ID: <20260217200009.118664686@linuxfoundation.org>
In-Reply-To: <20260217200007.505931165@linuxfoundation.org>

6.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 86730ac255b0497a272704de9a1df559f5d6602e upstream.

After the blamed commit below, if the MPC subflow is already in TCP_CLOSE
status or has fallback to TCP at mptcp_disconnect() time,
mptcp_do_fastclose() skips setting the `send_fastclose` flag and the later
__mptcp_close_ssk() does not reset anymore the related subflow context.

Any later connection will be created with both the `request_mptcp` flag
and the msk-level fallback status off (it is unconditionally cleared at
MPTCP disconnect time), leading to a warning in subflow_data_ready():

  WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
  Modules linked in:
  CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)
  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
  Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09
  RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293
  RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435
  RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005
  RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b
  R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  FS:  00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0
  Call Trace:
   <TASK>
   tcp_data_ready (net/ipv4/tcp_input.c:5356)
   tcp_data_queue (net/ipv4/tcp_input.c:5445)
   tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)
   tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
   __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))
   release_sock (net/core/sock.c:3737)
   mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)
   inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))
   __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))
   __x64_sys_sendto (net/socket.c:2247)
   do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
  RIP: 0033:0x7f883326702d

Address the issue setting an explicit `fastclosing` flag at fastclose
time, and checking such flag after mptcp_do_fastclose().

Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251212-net-mptcp-subflow_data_ready-warn-v1-2-d1f9fd1c36c8@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Conflicts in protocol.[ch] because the context has changed. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    9 ++++++---
 net/mptcp/protocol.h |    3 ++-
 2 files changed, 8 insertions(+), 4 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2456,10 +2456,10 @@ bool __mptcp_retransmit_pending_data(str
  */
 static void __mptcp_subflow_disconnect(struct sock *ssk,
 				       struct mptcp_subflow_context *subflow,
-				       unsigned int flags)
+				       bool fastclosing)
 {
 	if (((1 << ssk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
-	    subflow->send_fastclose) {
+	    fastclosing) {
 		/* The MPTCP code never wait on the subflow sockets, TCP-level
 		 * disconnect should never fail
 		 */
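Review bot: The condition in __mptcp_subflow_disconnect() used to test per-subflow state (subflow->send_fastclose) and now tests a value the caller derives from the whole msk, so every subflow closed while that value is true takes the disconnect path, not only those that were marked for a fastclose reset. That is the point of the fix, but nothing at the function says so. Please extend the comment block that ends just above the function with a line stating that `fastclosing` is msk-level state and that it deliberately covers subflows already in TCP_CLOSE or fallen back to TCP.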
@@ -2511,7 +2511,7 @@ static void __mptcp_close_ssk(struct soc
 
 	need_push = (flags & MPTCP_CF_PUSH) && __mptcp_retransmit_pending_data(sk);
 	if (!dispose_it) {
-		__mptcp_subflow_disconnect(ssk, subflow, flags);
+		__mptcp_subflow_disconnect(ssk, subflow, msk->fastclosing);
 		if (msk->subflow && ssk == msk->subflow->sk)
 			msk->subflow->state = SS_UNCONNECTED;
 		release_sock(ssk);
@@ -2802,6 +2802,8 @@ static void mptcp_do_fastclose(struct so
 	struct mptcp_subflow_context *subflow, *tmp;
 	struct mptcp_sock *msk = mptcp_sk(sk);
 
+	msk->fastclosing = 1;
+
 	/* Explicitly send the fastclose reset as need */
 	if (__mptcp_check_fallback(msk))
 		return;
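Review bot: The new `msk->fastclosing = 1;` at the top of mptcp_do_fastclose() is set unconditionally, and the only place this patch clears it is mptcp_disconnect(). If mptcp_do_fastclose() is reachable from a path that does not end in mptcp_disconnect(), the flag stays set for the rest of the socket's life and every later __mptcp_close_ssk() without dispose_it will take the disconnect branch. Please confirm that this is intended for all callers and add a short comment here naming where the flag is cleared, so the pairing is visible without reading both functions.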
@@ -3290,6 +3292,7 @@ static int mptcp_disconnect(struct sock
 	WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk)));
 	mptcp_pm_data_reset(msk);
 	mptcp_ca_reset(sk);
+	msk->fastclosing = 0;
 
 	WRITE_ONCE(sk->sk_shutdown, 0);
 	sk_error_report(sk);
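Review bot: The reset `msk->fastclosing = 0;` in mptcp_disconnect() only works if it runs after every subflow has gone through __mptcp_close_ssk(), and the visible context does not show where that happens relative to this line. Any return from mptcp_disconnect() before this point would also leave the flag set for the next connection, which is the same class of stale state the patch is fixing. A one-line comment stating that the flag must be cleared only after the subflows are closed would protect the ordering against later reshuffling of these reset calls.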
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -289,7 +289,8 @@ struct mptcp_sock {
 			nodelay:1,
 			fastopening:1,
 			in_accept_queue:1,
-			free_first:1;
+			free_first:1,
+			fastclosing:1;
 	int		keepalive_cnt;
 	int		keepalive_idle;
 	int		keepalive_intvl;
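Review bot: `fastclosing:1` is added to the same bitfield group as nodelay, fastopening, in_accept_queue and free_first, and the two writers in protocol.c use plain stores (`msk->fastclosing = 1;` and `= 0;`) rather than WRITE_ONCE() as the neighbouring csum_enabled reset does. A store to one bit is a read-modify-write of the shared storage unit, so it is only safe if every writer of every field in this group holds the same lock. Please document next to the field which lock protects it (presumably the msk socket lock, which is an assumption from the callers shown) so a future lockless writer of a sibling bit does not corrupt this one.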


