From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7526244CF40; Tue, 16 Jun 2026 16:02:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781625739; cv=none; b=efMh7OGqcrO9lXG0RLRHuKAlvCA5qfRK/0cGfRkDBneRAPSiZWZRGt7feF9s6jScKbuQMA7P+F2bIF3sAs6gvgRn+/pueYOi9wd5/KbPyQ/1sNmJwAB4qcxgjwHjqDx6xuc0xRi2gma+eApdKvOM2eSRfDLihi4QZs2HZE+lowU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781625739; c=relaxed/simple; bh=A4NBWH9rg3yTd4xeCrpnmVhSRHJQZjOB5W4rOqgZVZw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WhXcGnA/EokPYjkiNf/pastTGd8zPzLgNjF27bSvAhycI9sCVWnYi9r7hA+lf4XX7M9FCeAFgtanCS6Xuivix8SQPV8Vt1mpvYh0P1TrIRSjOzt2AmZhP8f/PWMzOamINUCfxPWiQKJ57WCl3IKWA1gtSzrSSGNvkLLtkVyp7W0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=TjKkEWU2; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="TjKkEWU2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5425A1F000E9; Tue, 16 Jun 2026 16:02:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1781625738; bh=nlTP1OQQ1OgSptd6tPx/Yr1PoZ/UqhZH2y4PMQDMfUA=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=TjKkEWU2I2kdJIUgKL2+U1HU57O1Zu45mEWES0mSGWI6KXoi6T2M+zSpmoe+60kA+ +8Tvr22aw4v2i7EsYEmsDmpRUfo6gZan5wpttQaUWLz4R915bbllj9B/kVne0VD7sK vUMYJkEtH9oYQqjNOF/NkLstr/9Aik2fa5694wWU= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Tao Cui , "Matthieu Baerts (NGI0)" , Jakub Kicinski Subject: [PATCH 6.18 198/325] mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation Date: Tue, 16 Jun 2026 20:29:54 +0530 Message-ID: <20260616145107.850566399@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260616145057.827196531@linuxfoundation.org> References: <20260616145057.827196531@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tao Cui commit 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a upstream. The userspace PM increments extra_subflows after __mptcp_subflow_connect() succeeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow() on failure to roll back the pre-increment done by the kernel PM's fill_*() helpers. Because the userspace PM hasn't incremented yet at that point, this decrement is spurious and causes extra_subflows to underflow. Fix it by aligning the userspace PM with the kernel PM: increment extra_subflows before calling __mptcp_subflow_connect(), so the existing error path in subflow.c correctly rolls it back on failure. Also simplify the error handling by taking pm.lock only when needed for cleanup. Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos") Cc: stable@vger.kernel.org Signed-off-by: Tao Cui Reviewed-by: Matthieu Baerts (NGI0) Signed-off-by: Matthieu Baerts (NGI0) Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/mptcp/pm_userspace.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) --- a/net/mptcp/pm_userspace.c +++ b/net/mptcp/pm_userspace.c @@ -408,19 +408,21 @@ int mptcp_pm_nl_subflow_create_doit(stru local.flags = entry.flags; local.ifindex = entry.ifindex; + spin_lock_bh(&msk->pm.lock); + msk->pm.extra_subflows++; + spin_unlock_bh(&msk->pm.lock); + lock_sock(sk); err = __mptcp_subflow_connect(sk, &local, &addr_r); release_sock(sk); - if (err) + if (err) { GENL_SET_ERR_MSG_FMT(info, "connect error: %d", err); - spin_lock_bh(&msk->pm.lock); - if (err) + spin_lock_bh(&msk->pm.lock); mptcp_userspace_pm_delete_local_addr(msk, &entry); - else - msk->pm.extra_subflows++; - spin_unlock_bh(&msk->pm.lock); + spin_unlock_bh(&msk->pm.lock); + } create_err: sock_put(sk);