[syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)

[syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    00a5acdbf398 bpf: Fix configuration-dependent BTF function..
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=148de730580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fee25f93665c89ac
dashboard link: https://syzkaller.appspot.com/bug?extid=ebc0b8ae5d3590b2c074
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16d82344580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179654f8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fc306c95490c/disk-00a5acdb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e17d5125ee77/vmlinux-00a5acdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/65f791a7fd14/bzImage-00a5acdb.xz

The issue was bisected to:

commit 3f83d8a77eeeb47011b990fd766a421ee64f1d73
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Thu Feb 8 18:03:51 2024 +0000

    mptcp: fix more tx path fields initialization

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12d2c7e8580000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=11d2c7e8580000
console output: https://syzkaller.appspot.com/x/log.txt?x=16d2c7e8580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com
Fixes: 3f83d8a77eee ("mptcp: fix more tx path fields initialization")

------------[ cut here ]------------
WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
Modules linked in:
CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07
RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293
RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928
R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000
R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000
FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
 mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493
 release_sock+0x1aa/0x1f0 net/core/sock.c:3640
 inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]
 __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:726
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
 ___sys_sendmsg net/socket.c:2637 [inline]
 __sys_sendmsg+0x269/0x350 net/socket.c:2669
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e86ebfe69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69
RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc
R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] Re: [syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)
Author: pabeni@redhat.com

On 12/16/24 5:42 PM, syzbot wrote:
> syzbot found the following issue on:
> 
> HEAD commit:    00a5acdbf398 bpf: Fix configuration-dependent BTF function..
> git tree:       bpf-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=148de730580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fee25f93665c89ac
> dashboard link: https://syzkaller.appspot.com/bug?extid=ebc0b8ae5d3590b2c074
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16d82344580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179654f8580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/fc306c95490c/disk-00a5acdb.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e17d5125ee77/vmlinux-00a5acdb.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/65f791a7fd14/bzImage-00a5acdb.xz
> 
> The issue was bisected to:
> 
> commit 3f83d8a77eeeb47011b990fd766a421ee64f1d73
> Author: Paolo Abeni <pabeni@redhat.com>
> Date:   Thu Feb 8 18:03:51 2024 +0000
> 
>     mptcp: fix more tx path fields initialization
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12d2c7e8580000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=11d2c7e8580000
> console output: https://syzkaller.appspot.com/x/log.txt?x=16d2c7e8580000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com
> Fixes: 3f83d8a77eee ("mptcp: fix more tx path fields initialization")
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
> Modules linked in:
> CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
> RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
> Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07
> RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293
> RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928
> R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000
> R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000
> FS:  00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
>  mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493
>  release_sock+0x1aa/0x1f0 net/core/sock.c:3640
>  inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]
>  __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
>  mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
>  mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830
>  sock_sendmsg_nosec net/socket.c:711 [inline]
>  __sock_sendmsg+0x1a6/0x270 net/socket.c:726
>  ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
>  ___sys_sendmsg net/socket.c:2637 [inline]
>  __sys_sendmsg+0x269/0x350 net/socket.c:2669
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f6e86ebfe69
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69
> RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003
> RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc
> R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508
>  </TASK>

I can't repro the issue locally on net, please let me double check if
the bot can reply it on such a tree and additionally add report debug
info if the splat happens

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git main

Re: [syzbot] Re: [syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)
Author: pabeni@redhat.com

On 12/16/24 5:42 PM, syzbot wrote:
> syzbot found the following issue on:
> 
> HEAD commit:    00a5acdbf398 bpf: Fix configuration-dependent BTF function..
> git tree:       bpf-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=148de730580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fee25f93665c89ac
> dashboard link: https://syzkaller.appspot.com/bug?extid=ebc0b8ae5d3590b2c074
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16d82344580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179654f8580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/fc306c95490c/disk-00a5acdb.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e17d5125ee77/vmlinux-00a5acdb.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/65f791a7fd14/bzImage-00a5acdb.xz

Trying again... Mat noted I actually forgot the actual command

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git main

Re: [syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __mptcp_clean_una

MPTCP: snd_una 52e55b5d657ac4e2 snd_nxt 52e55b5d657ac4e2 write_seq 52e55b5d657ac4e2 idsn 52e55b5d657ac4e1 dfrag seq 3d10b145d4f45513 len 32728
------------[ cut here ]------------
WARNING: CPU: 0 PID: 204 at net/mptcp/protocol.c:1030 __mptcp_clean_una+0xede/0x1160 net/mptcp/protocol.c:1030
Modules linked in:
CPU: 0 UID: 0 PID: 204 Comm: kworker/u8:6 Not tainted 6.13.0-rc7-syzkaller-gce69b4019001-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: krdsd rds_tcp_accept_worker
RIP: 0010:__mptcp_clean_una+0xede/0x1160 net/mptcp/protocol.c:1030
Code: 68 0f 54 f6 4c 8b 03 48 c7 c7 80 62 30 8d 48 8b 74 24 28 4c 89 f2 4c 89 f9 4c 8b 4c 24 38 41 55 e8 57 29 55 f5 48 83 c4 08 90 <0f> 0b 90 e9 ff f3 ff ff 44 89 f1 80 e1 07 38 c1 0f 8c 3f f9 ff ff
RSP: 0000:ffffc90000006da0 EFLAGS: 00010296
RAX: 000000000000008e RBX: ffff888078274c28 RCX: e4b9e8819bb74600
RDX: 0000000000000100 RSI: 0000000000000303 RDI: 0000000000000000
RBP: ffffc90000006eb0 R08: ffffffff817f1b5c R09: 1ffff92000000d50
R10: dffffc0000000000 R11: fffff52000000d51 R12: ffff888061554648
R13: 0000000000007fd8 R14: 52e55b5d657ac4e2 R15: 52e55b5d657ac4e2
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f84b8a1d3d7 CR3: 0000000067206000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 mptcp_incoming_options+0xc49/0x2540 net/mptcp/options.c:1144
 tcp_data_queue+0xf9/0x7310 net/ipv4/tcp_input.c:5233
 tcp_rcv_established+0xed0/0x1f20 net/ipv4/tcp_input.c:6264
 tcp_v4_do_rcv+0x96d/0xc70 net/ipv4/tcp_ipv4.c:1916
 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351
 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
 __netif_receive_skb_one_core net/core/dev.c:5704 [inline]
 __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5817
 process_backlog+0x662/0x15b0 net/core/dev.c:6149
 __napi_poll+0xcb/0x490 net/core/dev.c:6902
 napi_poll net/core/dev.c:6971 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:7093
 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
 do_softirq+0x11b/0x1e0 kernel/softirq.c:462
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:389
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x1775/0x3f50 net/core/dev.c:4493
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0x12ca/0x1ef0 net/ipv4/ip_output.c:536
 __tcp_transmit_skb+0x2582/0x3ba0 net/ipv4/tcp_output.c:1468
 tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]
 tcp_write_xmit+0x17b5/0x6bf0 net/ipv4/tcp_output.c:2829
 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:3012
 __tcp_close+0xa7f/0xde0 net/ipv4/tcp.c:3130
 tcp_close+0x28/0x110 net/ipv4/tcp.c:3221
 inet_release+0x17d/0x200 net/ipv4/af_inet.c:435
 __sock_release net/socket.c:640 [inline]
 sock_release+0x82/0x150 net/socket.c:668
 rds_tcp_accept_one+0x1b3/0xbe0 net/rds/tcp_listen.c:234
 rds_tcp_accept_worker+0x3f/0xa0 net/rds/tcp.c:533
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
 worker_thread+0x870/0xd30 kernel/workqueue.c:3398
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


Tested on:

commit:         ce69b401 Merge tag 'net-6.13-rc8' of git://git.kernel...
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=175b27c4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=aadf89e2f6db86cc
dashboard link: https://syzkaller.appspot.com/bug?extid=ebc0b8ae5d3590b2c074
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17fb9a18580000

Re: [syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)

[Paolo Abeni]

[-- Attachment #1: Type: text/plain, Size: 433 bytes --]

On 1/17/25 2:29 AM, syzbot wrote:
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in __mptcp_clean_una
> 
> MPTCP: snd_una 52e55b5d657ac4e2 snd_nxt 52e55b5d657ac4e2 write_seq 52e55b5d657ac4e2 idsn 52e55b5d657ac4e1 dfrag seq 3d10b145d4f45513 len 32728

It looks like we are not catching a disconnect().

Add the missing accounting and more debug, in case the problem is elsewhere.

/P

[-- Attachment #2: mptcp_clean_una_splat_debug_disc.patch --]
[-- Type: text/x-patch, Size: 1832 bytes --]

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 1b2e7cbb577f..fc8d9fc36942 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1022,8 +1022,18 @@ static void __mptcp_clean_una(struct sock *sk)
 
 		if (unlikely(dfrag == msk->first_pending)) {
 			/* in recovery mode can see ack after the current snd head */
-			if (WARN_ON_ONCE(!msk->recovery))
+			if (!msk->recovery) {
+				pr_err("snd_una %llx snd_nxt %llx write_seq %llx "
+				       "idsn %llx dfrag seq %llx len %d disconnects %d:%d "
+					"state %d %d\n",
+				       snd_una, msk->snd_nxt, msk->write_seq,
+				       mptcp_subflow_ctx(msk->first)->idsn,
+				       dfrag->data_seq, dfrag->data_len,
+				       sk->sk_disconnects, msk->disconnects,
+				       sk->sk_state, sk->sk_socket ? sk->sk_socket->state: -1);
+				WARN_ON(1);
 				break;
+			}
 
 			WRITE_ONCE(msk->first_pending, mptcp_send_next(sk));
 		}
@@ -1767,8 +1777,10 @@ static int mptcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
 		 * see mptcp_disconnect().
 		 * Attempt it again outside the problematic scope.
 		 */
-		if (!mptcp_disconnect(sk, 0))
+		if (!mptcp_disconnect(sk, 0)) {
+			sk->sk_disconnects++;
 			sk->sk_socket->state = SS_UNCONNECTED;
+		}
 	}
 	inet_clear_bit(DEFER_CONNECT, sk);
 
@@ -3208,6 +3220,7 @@ static int mptcp_disconnect(struct sock *sk, int flags)
 	if (msk->fastopening)
 		return -EBUSY;
 
+	msk->disconnects++;
 	mptcp_check_listen_stop(sk);
 	mptcp_set_state(sk, TCP_CLOSE);
 
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index 73526f1d768f..59a6e52f02a4 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -340,6 +340,7 @@ struct mptcp_sock {
 		u64	rtt_us; /* last maximum rtt of subflows */
 	} rcvq_space;
 	u8		scaling_ratio;
+	u16		disconnects;
 
 	u32		subflow_id;
 	u32		setsockopt_seq;

Re: [syzbot] [mptcp?] WARNING in __mptcp_clean_una (2)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com
Tested-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com

Tested on:

commit:         5d6a361d Merge branch 'realtek-link-down'
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=151669df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=aadf89e2f6db86cc
dashboard link: https://syzkaller.appspot.com/bug?extid=ebc0b8ae5d3590b2c074
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10983a18580000

Note: testing is done by a robot and is best-effort only.