[PATCH mptcp-next v3 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[PATCH mptcp-next v3 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[Tao Cui]

This is v3 of the series that fixes extra_subflows u8 underflow bugs
in the MPTCP userspace path manager.

extra_subflows is a u8 field in struct mptcp_pm_data. Two code paths
in the userspace PM can cause it to underflow from 0 to 255, after
which the counter is permanently corrupted and future subflow
creation is blocked.

Patch 1 skips the spurious mptcp_pm_close_subflow() call in
__mptcp_subflow_connect() when the userspace PM is in use, since it
does not pre-increment extra_subflows before attempting subflow
creation.

Patch 2 moves extra_subflows++ into the lock_sock(sk) section, before
release_sock(sk), so that mptcp_worker always sees a non-zero counter
when closing a subflow.  This eliminates a race where the worker
decrements the counter before the user thread increments it, causing
an underflow.  An underflow guard is also added in
mptcp_pm_subflow_check_next() as a safety net.

Tao Cui (2):
  mptcp: pm: fix extra_subflows underflow on userspace PM connect
    failure
  mptcp: pm: fix extra_subflows leak on userspace PM subflow close race

 net/mptcp/pm.c           | 3 ++-
 net/mptcp/pm_userspace.c | 7 +++++--
 net/mptcp/subflow.c      | 3 ++-
 3 files changed, 9 insertions(+), 4 deletions(-)

---
Changes in v3:
  - Patch 2: move extra_subflows++ before release_sock(sk) to close
    the race window, instead of relying solely on the underflow guard.

Changes in v2:
  - Dropped the use-after-free fix.
  - Split the underflow fix into two patches, one per code path.

v1:
  https://lore.kernel.org/all/20260509075629.217791-2-cuitao@kylinos.cn/
-- 
2.43.0

[PATCH mptcp-next v3 1/2] mptcp: pm: fix extra_subflows underflow on userspace PM connect failure

[Tao Cui]

__mptcp_subflow_connect() calls mptcp_pm_close_subflow() on failure
to roll back the pre-increment done by kernel PM's fill_*() helpers.
The userspace PM does not pre-increment — it only increments after
__mptcp_subflow_connect() succeeds — so this decrement is spurious.

Fix it by gating mptcp_pm_close_subflow() on the PM type.

Signed-off-by: Tao Cui <cuitao@kylinos.cn>
---
 net/mptcp/subflow.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index d562e149606f..c45ad67cb650 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1716,7 +1716,8 @@ int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_pm_local *local,
 	/* we account subflows before the creation, and this failures will not
 	 * be caught by sk_state_change()
 	 */
-	mptcp_pm_close_subflow(msk);
+	if (!mptcp_pm_is_userspace(msk))
+		mptcp_pm_close_subflow(msk);
 	return err;
 }
 
-- 
2.43.0

[PATCH mptcp-next v3 2/2] mptcp: pm: fix extra_subflows leak on userspace PM subflow close race

[Tao Cui]

In the userspace PM subflow creation path, extra_subflows is incremented
after release_sock(sk). If a TCP RST arrives for the newly created
subflow, mptcp_worker can acquire the socket lock during the gap between
release_sock(sk) and the subsequent spin_lock_bh(&msk->pm.lock), close
the subflow via mptcp_pm_subflow_check_next(), and decrement the counter
before it was incremented -- causing a u8 underflow from 0 to 255.

Move extra_subflows++ into the lock_sock(sk) section, before
release_sock(sk), so that the worker always sees a non-zero counter and
decrements correctly. This also eliminates the transient underflow window
visible to lockless readers (e.g. sosockopt READ_ONCE).

Additionally, add an underflow guard in mptcp_pm_subflow_check_next() as
a safety net for other edge cases.

Signed-off-by: Tao Cui <cuitao@kylinos.cn>
---
 net/mptcp/pm.c           | 3 ++-
 net/mptcp/pm_userspace.c | 7 +++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
index 3c152bf66cd5..a83a56b467f9 100644
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -655,7 +655,8 @@ void mptcp_pm_subflow_check_next(struct mptcp_sock *msk,
 	if (mptcp_pm_is_userspace(msk)) {
 		if (update_subflows) {
 			spin_lock_bh(&pm->lock);
-			pm->extra_subflows--;
+			if (pm->extra_subflows)
+				pm->extra_subflows--;
 			spin_unlock_bh(&pm->lock);
 		}
 		return;
diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
index 8cbc1920afb4..61c10ec00be0 100644
--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -410,6 +410,11 @@ int mptcp_pm_nl_subflow_create_doit(struct sk_buff *skb, struct genl_info *info)
 
 	lock_sock(sk);
 	err = __mptcp_subflow_connect(sk, &local, &addr_r);
+	if (!err) {
+		spin_lock_bh(&msk->pm.lock);
+		msk->pm.extra_subflows++;
+		spin_unlock_bh(&msk->pm.lock);
+	}
 	release_sock(sk);
 
 	if (err)
@@ -418,8 +423,6 @@ int mptcp_pm_nl_subflow_create_doit(struct sk_buff *skb, struct genl_info *info)
 	spin_lock_bh(&msk->pm.lock);
 	if (err)
 		mptcp_userspace_pm_delete_local_addr(msk, &entry);
-	else
-		msk->pm.extra_subflows++;
 	spin_unlock_bh(&msk->pm.lock);
 
  create_err:
-- 
2.43.0

Re: [PATCH mptcp-next v3 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[Jakub Kicinski]

On Thu, 14 May 2026 21:29:23 +0800 Tao Cui wrote:
> To: matttbe@kernel.org, martineau@kernel.org, geliang@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com

Please don't CC maintainers without CCing the mailing list associated
with their area. If you're CCing core networking maintainers you should
also CC netdev@

Re: [PATCH mptcp-next v3 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[Matthieu Baerts]

Hi Tao,

14 May 2026 17:02:20 Jakub Kicinski <kuba@kernel.org>:

> On Thu, 14 May 2026 21:29:23 +0800 Tao Cui wrote:
>> To: matttbe@kernel.org, martineau@kernel.org, geliang@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
>
> Please don't CC maintainers without CCing the mailing list associated
> with their area. If you're CCing core networking maintainers you should
> also CC netdev@

Indeed, thank you. And if you are using the mptcp-next prefix, please
don't cc the netdev mailing list.

Cheers,
Matt

Re: [PATCH mptcp-next v3 0/2] mptcp: pm: fix extra_subflows underflow for userspace PM

[MPTCP CI]

Hi Tao,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Unstable: 2 failed test(s): packetdrill_dss packetdrill_sockopts ⚠️ 
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/25863948276

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/dec78c185606
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1094801


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-normal

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)