From: Geliang Tang <geliang@kernel.org>
To: Tao Cui <cuitao@kylinos.cn>,
matttbe@kernel.org, martineau@kernel.org, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, mptcp@lists.linux.dev
Subject: Re: [PATCH mptcp-next 2/2] mptcp: pm: fix extra_subflows u8 underflow in userspace PM
Date: Thu, 14 May 2026 11:17:23 +0800
Message-ID: <e1ea8d0d953314192acea3480460116c0a52e02e.camel@kernel.org>
In-Reply-To: <20260509075629.217791-2-cuitao@kylinos.cn>
On Sat, 2026-05-09 at 15:56 +0800, Tao Cui wrote:
> extra_subflows is a u8 field in struct mptcp_pm_data. Two paths in the
> userspace PM can cause it to underflow from 0 to 255, after which the
> counter is permanently corrupted and future subflow creation is blocked.
>
> 1) __mptcp_subflow_connect() calls mptcp_pm_close_subflow() on failure
> to roll back the pre-increment done by kernel PM's fill_*() helpers.
> The userspace PM does not pre-increment — it only increments after
> __mptcp_subflow_connect() succeeds — so this decrement is spurious.
>
> 2) mptcp_pm_subflow_check_next() decrements unconditionally for the
> userspace PM without checking that the counter is non-zero.
>
> Fix (1) by gating mptcp_pm_close_subflow() on the PM type and fix (2)
> by adding an underflow guard.
Please split this patch into two patches, one for (1), the other for (2).
Thanks,
-Geliang
>
> Signed-off-by: Tao Cui <cuitao@kylinos.cn>
> ---
> net/mptcp/pm.c | 3 ++-
> net/mptcp/subflow.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
> index 3c152bf66cd5..a83a56b467f9 100644
> --- a/net/mptcp/pm.c
> +++ b/net/mptcp/pm.c
> @@ -655,7 +655,8 @@ void mptcp_pm_subflow_check_next(struct
> mptcp_sock *msk,
> if (mptcp_pm_is_userspace(msk)) {
> if (update_subflows) {
> spin_lock_bh(&pm->lock);
> - pm->extra_subflows--;
> + if (pm->extra_subflows)
> + pm->extra_subflows--;
> spin_unlock_bh(&pm->lock);
> }
> return;
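Review bot: the new `if (pm->extra_subflows)` guard in mptcp_pm_subflow_check_next() stops the u8 from wrapping, but it does so silently, so any remaining accounting imbalance that drives the counter to zero early will now be masked rather than surfaced. Consider adding a one-line comment above the guard stating when the counter can legitimately already be zero on this path, or turning it into `if (!WARN_ON_ONCE(!pm->extra_subflows))` so a future imbalance is visible in the log instead of being absorbed. Since this guard is independent of the subflow.c change, it fits naturally as the second of the two patches Geliang asked for.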
> diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
> index d562e149606f..c45ad67cb650 100644
> --- a/net/mptcp/subflow.c
> +++ b/net/mptcp/subflow.c
> @@ -1716,7 +1716,8 @@ int __mptcp_subflow_connect(struct sock *sk,
> const struct mptcp_pm_local *local,
> /* we account subflows before the creation, and this
> failures will not
> * be caught by sk_state_change()
> */
> - mptcp_pm_close_subflow(msk);
> + if (!mptcp_pm_is_userspace(msk))
> + mptcp_pm_close_subflow(msk);
> return err;
> }
>
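Review bot: the comment directly above the changed lines in __mptcp_subflow_connect() ("we account subflows before the creation, and this failures will not be caught by sk_state_change()") still reads as if the pre-accounting applied to every PM, but after this hunk the roll-back is only done for the in-kernel PM. Update the comment to say that only the in-kernel PM pre-increments and that the userspace PM increments after a successful connect (as the commit message explains), so the new `if (!mptcp_pm_is_userspace(msk))` branch is self-explanatory, and fix "this failures" to "these failures" while touching it.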