* [PATCH mptcp-next 1/2] mptcp: pm: fix use-after-free in mptcp_userspace_pm_delete_local_addr
@ 2026-05-09 7:56 Tao Cui
2026-05-09 7:56 ` [PATCH mptcp-next 2/2] mptcp: pm: fix extra_subflows u8 underflow in userspace PM Tao Cui
2026-05-14 3:07 ` [PATCH mptcp-next 1/2] mptcp: pm: fix use-after-free in mptcp_userspace_pm_delete_local_addr Geliang Tang
0 siblings, 2 replies; 6+ messages in thread
From: Tao Cui @ 2026-05-09 7:56 UTC (permalink / raw)
To: matttbe, martineau, geliang, davem, edumazet, kuba, pabeni
Cc: horms, mptcp, Tao Cui
mptcp_userspace_pm_delete_local_addr() calls list_del_rcu() followed
immediately by sock_kfree_s(), which frees the entry synchronously
without waiting for an RCU grace period. A concurrent RCU read-side
lookup (e.g. via mptcp_userspace_pm_get_local_id) could still be
accessing the freed entry.
Fix it by replacing sock_kfree_s() with kfree_rcu_mightsleep() and
adjusting sk_omem_alloc manually, matching the pattern already used
in mptcp_pm_nl_remove_doit() in the same file.
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
---
net/mptcp/pm_userspace.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
index 8cbc1920afb4..586e19e9b913 100644
--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -109,7 +109,11 @@ static int mptcp_userspace_pm_delete_local_addr(struct mptcp_sock *msk,
* be used multiple times (e.g. fullmesh mode).
*/
list_del_rcu(&entry->list);
- sock_kfree_s(sk, entry, sizeof(*entry));
+ kfree_rcu_mightsleep(entry);
+ /* Adjust sk_omem_alloc like sock_kfree_s() does, to match
+ * with allocation of this memory by sock_kmemdup()
+ */
+ atomic_sub(sizeof(*entry), &sk->sk_omem_alloc);
msk->pm.local_addr_used--;
return 0;
}
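Review bot: the replacement at `+ kfree_rcu_mightsleep(entry);` can sleep (the single-argument form has no rcu_head to queue and falls back to waiting for a grace period), and as the reply later in this thread points out, mptcp_userspace_pm_delete_local_addr() runs under the pm lock, which the pm.c hunk in patch 2/2 shows is taken with spin_lock_bh(); a sleeping call is not safe there. If the deferred free is kept, embed a struct rcu_head in the entry and use the two-argument kfree_rcu(entry, rcu) instead; otherwise keep sock_kfree_s() as the reviewer suggests, since the helper is being removed by the series under review. The manual `atomic_sub(sizeof(*entry), &sk->sk_omem_alloc);` matches what sock_kfree_s() does and is fine on its own. Separately, a change described as a use-after-free fix should carry a Fixes: tag and target the mptcp-net prefix rather than mptcp-next, as requested downthread.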
--
2.43.0
* [PATCH mptcp-next 2/2] mptcp: pm: fix extra_subflows u8 underflow in userspace PM
From: Tao Cui @ 2026-05-09 7:56 UTC (permalink / raw)
To: matttbe, martineau, geliang, davem, edumazet, kuba, pabeni
Cc: horms, mptcp, Tao Cui
extra_subflows is a u8 field in struct mptcp_pm_data. Two paths in the
userspace PM can cause it to underflow from 0 to 255, after which the
counter is permanently corrupted and future subflow creation is blocked.
1) __mptcp_subflow_connect() calls mptcp_pm_close_subflow() on failure
to roll back the pre-increment done by kernel PM's fill_*() helpers.
The userspace PM does not pre-increment — it only increments after
__mptcp_subflow_connect() succeeds — so this decrement is spurious.
2) mptcp_pm_subflow_check_next() decrements unconditionally for the
userspace PM without checking that the counter is non-zero.
Fix (1) by gating mptcp_pm_close_subflow() on the PM type and fix (2)
by adding an underflow guard.
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
---
net/mptcp/pm.c | 3 ++-
net/mptcp/subflow.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
index 3c152bf66cd5..a83a56b467f9 100644
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -655,7 +655,8 @@ void mptcp_pm_subflow_check_next(struct mptcp_sock *msk,
if (mptcp_pm_is_userspace(msk)) {
if (update_subflows) {
spin_lock_bh(&pm->lock);
- pm->extra_subflows--;
+ if (pm->extra_subflows)
+ pm->extra_subflows--;
spin_unlock_bh(&pm->lock);
}
return;
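Review bot: the guard at `+ if (pm->extra_subflows)` turns a counter that has reached zero into a silent no-op, so any remaining unbalanced decrement on the userspace path would now be absorbed rather than noticed. Consider reporting the zero case, for example with a WARN_ON_ONCE() (or DEBUG_NET_WARN_ON_ONCE()) in an else branch, and state in the commit message which caller can still reach this point with extra_subflows at zero once the subflow.c change below is applied; if none can, the guard is purely defensive and should say so. As asked in the thread, this hunk also belongs in its own patch with its own Fixes tag.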
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index d562e149606f..c45ad67cb650 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1716,7 +1716,8 @@ int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_pm_local *local,
/* we account subflows before the creation, and this failures will not
* be caught by sk_state_change()
*/
- mptcp_pm_close_subflow(msk);
+ if (!mptcp_pm_is_userspace(msk))
+ mptcp_pm_close_subflow(msk);
return err;
}
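Review bot: the comment kept as context above the change, "we account subflows before the creation", is now only true for the in-kernel PM; with the `+ if (!mptcp_pm_is_userspace(msk))` gate, the comment should also state that the userspace PM increments extra_subflows only after a successful connect (as the commit message explains), so that a reader does not see the skipped rollback as a leak. With that wording fixed, the gate itself matches the accounting described in the commit message.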
--
2.43.0
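The commit message above describes an asymmetry: the in-kernel PM pre-increments the u8 counter and rolls back on failure, while the userspace PM increments only after success, so running the rollback for both wraps the userspace counter to 255. The following is an added, constructed C model of those two accounting styles (not kernel code; the struct, function names and the SUBFLOW_LIMIT cap are assumptions for illustration). It shows the wrap on the unguarded path, that the patched gate keeps the counter at zero, and that the guarded decrement from the pm.c hunk never goes below zero.

```c
/* Constructed model of MPTCP path-manager subflow accounting as described
 * in the patch. Not kernel code: pm_data, the helper names and SUBFLOW_LIMIT
 * are assumptions for illustration only. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum pm_type { PM_KERNEL, PM_USERSPACE };

struct pm_data {
	enum pm_type type;
	uint8_t extra_subflows;	/* u8, like the field in struct mptcp_pm_data */
};

#define SUBFLOW_LIMIT 2	/* assumed cap for the model */

static bool pm_is_userspace(const struct pm_data *pm)
{
	return pm->type == PM_USERSPACE;
}

/* Unguarded rollback: decrements regardless of PM type (pre-fix behaviour). */
static void pm_close_subflow_unguarded(struct pm_data *pm)
{
	pm->extra_subflows--;
}

/* Patched rollback: only the in-kernel PM pre-accounts, so only it rolls back. */
static void pm_close_subflow_gated(struct pm_data *pm)
{
	if (!pm_is_userspace(pm))
		pm->extra_subflows--;
}

/* One subflow attempt. connect_ok selects the outcome; fixed selects the
 * rollback variant used on failure. */
static int subflow_attempt(struct pm_data *pm, bool connect_ok, bool fixed)
{
	if (!pm_is_userspace(pm))
		pm->extra_subflows++;	/* in-kernel PM: pre-increment in fill_*() */
	if (!connect_ok) {
		if (fixed)
			pm_close_subflow_gated(pm);
		else
			pm_close_subflow_unguarded(pm);
		return -1;
	}
	if (pm_is_userspace(pm))
		pm->extra_subflows++;	/* userspace PM: increment after success */
	return 0;
}

static bool can_create_subflow(const struct pm_data *pm)
{
	return pm->extra_subflows < SUBFLOW_LIMIT;
}

/* Counter value after one failed userspace connect: 255 unguarded, 0 gated. */
static unsigned int userspace_counter_after_failure(bool fixed)
{
	struct pm_data pm = { PM_USERSPACE, 0 };

	subflow_attempt(&pm, false, fixed);
	return pm.extra_subflows;
}

/* Whether new subflows are still allowed after that failed attempt. */
static bool userspace_can_create_after_failure(bool fixed)
{
	struct pm_data pm = { PM_USERSPACE, 0 };

	subflow_attempt(&pm, false, fixed);
	return can_create_subflow(&pm);
}

/* The in-kernel PM stays balanced: pre-increment then rollback gives 0. */
static unsigned int kernel_counter_after_failure(void)
{
	struct pm_data pm = { PM_KERNEL, 0 };

	subflow_attempt(&pm, false, true);
	return pm.extra_subflows;
}

/* Guarded decrement from the pm.c hunk: saturates at zero instead of wrapping. */
static unsigned int check_next_guarded(uint8_t start)
{
	struct pm_data pm = { PM_USERSPACE, start };

	if (pm.extra_subflows)
		pm.extra_subflows--;
	return pm.extra_subflows;
}

int main(void)
{
	printf("userspace, unguarded rollback: counter=%u create=%d\n",
	       userspace_counter_after_failure(false),
	       userspace_can_create_after_failure(false));
	printf("userspace, gated rollback:     counter=%u create=%d\n",
	       userspace_counter_after_failure(true),
	       userspace_can_create_after_failure(true));
	printf("kernel PM after failure:       counter=%u\n",
	       kernel_counter_after_failure());
	printf("guarded decrement from 0:      %u\n", check_next_guarded(0));
	return 0;
}
```

The model makes the failure mode concrete: a single failed connect on the unguarded path leaves the counter at 255, above any realistic limit, so every later creation is refused until the socket goes away, whereas both fixes leave it at zero.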
* Re: [PATCH mptcp-next 2/2] mptcp: pm: fix extra_subflows u8 underflow in userspace PM
From: MPTCP CI @ 2026-05-09 12:04 UTC (permalink / raw)
To: Tao Cui; +Cc: mptcp
Hi Tao,
Thank you for your modifications, that's great!
Our CI did some validations and here is its report:
- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Unstable: 1 failed test(s): packetdrill_fastopen - Critical: 7 Call Trace(s) ❌
- KVM Validation: debug (only selftest_mptcp_join): Critical: 2 Call Trace(s) ❌
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/25599734872
Initiator: Matthieu Baerts (NGI0)
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/7b80cfe32ce0
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1091955
If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:
$ cd [kernel source code]
$ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
--pull always mptcp/mptcp-upstream-virtme-docker:latest \
auto-normal
For more details:
https://github.com/multipath-tcp/mptcp-upstream-virtme-docker
Please note that despite all the efforts that have been already done to have a
stable test suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)
Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)
* Re: [PATCH mptcp-next 2/2] mptcp: pm: fix extra_subflows u8 underflow in userspace PM
From: Geliang Tang @ 2026-05-14 3:17 UTC (permalink / raw)
To: Tao Cui, matttbe, martineau, davem, edumazet, kuba, pabeni; +Cc: horms, mptcp
On Sat, 2026-05-09 at 15:56 +0800, Tao Cui wrote:
> extra_subflows is a u8 field in struct mptcp_pm_data. Two paths in
> the
> userspace PM can cause it to underflow from 0 to 255, after which the
> counter is permanently corrupted and future subflow creation is
> blocked.
>
> 1) __mptcp_subflow_connect() calls mptcp_pm_close_subflow() on
> failure
> to roll back the pre-increment done by kernel PM's fill_*()
> helpers.
> The userspace PM does not pre-increment — it only increments after
> __mptcp_subflow_connect() succeeds — so this decrement is
> spurious.
>
> 2) mptcp_pm_subflow_check_next() decrements unconditionally for the
> userspace PM without checking that the counter is non-zero.
>
> Fix (1) by gating mptcp_pm_close_subflow() on the PM type and fix (2)
> by adding an underflow guard.
Please split this patch into two patches, one for (1), the other for
(2).
Thanks,
-Geliang
>
> Signed-off-by: Tao Cui <cuitao@kylinos.cn>
> ---
> net/mptcp/pm.c | 3 ++-
> net/mptcp/subflow.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
> index 3c152bf66cd5..a83a56b467f9 100644
> --- a/net/mptcp/pm.c
> +++ b/net/mptcp/pm.c
> @@ -655,7 +655,8 @@ void mptcp_pm_subflow_check_next(struct
> mptcp_sock *msk,
> if (mptcp_pm_is_userspace(msk)) {
> if (update_subflows) {
> spin_lock_bh(&pm->lock);
> - pm->extra_subflows--;
> + if (pm->extra_subflows)
> + pm->extra_subflows--;
> spin_unlock_bh(&pm->lock);
> }
> return;
> diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
> index d562e149606f..c45ad67cb650 100644
> --- a/net/mptcp/subflow.c
> +++ b/net/mptcp/subflow.c
> @@ -1716,7 +1716,8 @@ int __mptcp_subflow_connect(struct sock *sk,
> const struct mptcp_pm_local *local,
> /* we account subflows before the creation, and this
> failures will not
> * be caught by sk_state_change()
> */
> - mptcp_pm_close_subflow(msk);
> + if (!mptcp_pm_is_userspace(msk))
> + mptcp_pm_close_subflow(msk);
> return err;
> }
>
* Re: [PATCH mptcp-next 1/2] mptcp: pm: fix use-after-free in mptcp_userspace_pm_delete_local_addr
From: Geliang Tang @ 2026-05-14 3:07 UTC (permalink / raw)
To: Tao Cui, matttbe, martineau, davem, edumazet, kuba, pabeni; +Cc: horms, mptcp
Hi Tao,
Thanks for this set. It looks like the cover letter of this set is
missing. You can use "--cover-letter" to create it:
git format-patch -2 --cover-letter
sashiko adds some comments here, please address them in v2:
https://sashiko.dev/#/patchset/20260509075629.217791-2-cuitao@kylinos.cn
On Sat, 2026-05-09 at 15:56 +0800, Tao Cui wrote:
> mptcp_userspace_pm_delete_local_addr() calls list_del_rcu() followed
> immediately by sock_kfree_s(), which frees the entry synchronously
> without waiting for an RCU grace period. A concurrent RCU read-side
> lookup (e.g. via mptcp_userspace_pm_get_local_id) could still be
> accessing the freed entry.
>
> Fix it by replacing sock_kfree_s() with kfree_rcu_mightsleep() and
> adjusting sk_omem_alloc manually, matching the pattern already used
> in mptcp_pm_nl_remove_doit() in the same file.
>
> Signed-off-by: Tao Cui <cuitao@kylinos.cn>
> ---
> net/mptcp/pm_userspace.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
> index 8cbc1920afb4..586e19e9b913 100644
> --- a/net/mptcp/pm_userspace.c
> +++ b/net/mptcp/pm_userspace.c
> @@ -109,7 +109,11 @@ static int
> mptcp_userspace_pm_delete_local_addr(struct mptcp_sock *msk,
> * be used multiple times (e.g. fullmesh mode).
> */
> list_del_rcu(&entry->list);
> - sock_kfree_s(sk, entry, sizeof(*entry));
> + kfree_rcu_mightsleep(entry);
mptcp_userspace_pm_delete_local_addr is invoked under the pm lock, so
using kfree_rcu_mightsleep is not a good idea.
Also, this mptcp_userspace_pm_delete_local_addr helper is removed in
the set [1] under review, so it's better to keep this sock_kfree_s
unchanged.
[1]
https://patchwork.kernel.org/project/mptcp/patch/e2c1bd781cdd4a7a0233305c0cc5cd12e36ec31c.1776466833.git.tanggeliang@kylinos.cn/
> + /* Adjust sk_omem_alloc like sock_kfree_s() does, to match
> + * with allocation of this memory by sock_kmemdup()
> + */
> + atomic_sub(sizeof(*entry), &sk->sk_omem_alloc);
> msk->pm.local_addr_used--;
> return 0;
> }
* Re: [PATCH mptcp-next 1/2] mptcp: pm: fix use-after-free in mptcp_userspace_pm_delete_local_addr
From: Matthieu Baerts @ 2026-05-15 2:46 UTC (permalink / raw)
To: Tao Cui; +Cc: mptcp, Geliang Tang
Hi Tao,
(- netdev maintainers)
On 14/05/2026 05:07, Geliang Tang wrote:
> Thanks for this set. It looks like the cover letter of this set is
> missing. You can use "--cover-letter" to create it:
>
> git format-patch -2 --cover-letter
Feel free to use 'b4' to send patches, it is easy to use, and would
avoid "common" mistakes:
https://b4.docs.kernel.org/en/latest/contributor/overview.html
You can use it from the export/export-net and for-review/for-review-net
branches, and, in this case, no need to run 'b4 prep --auto-to-cc'.
> sashiko adds some comments here, please address them in v2:
>
> https://sashiko.dev/#/patchset/20260509075629.217791-2-cuitao@kylinos.cn
I didn't check here, but please keep in mind that AI reviews can be wrong.
Also, if your patches are fixes, please use the 'mptcp-net' prefix, and
add a Fixes tag:
https://www.mptcp.dev/contributing.html#code-style
https://docs.kernel.org/process/maintainer-netdev.html
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.